General

  • Target

    FNknoxV1 (1).rar

  • Size

    7.1MB

  • Sample

    240627-z8n9ja1gmf

  • MD5

    54ee74680681d2af21e9fb0bd1cef8e3

  • SHA1

    d44b497e033bb3e0b6eea587e9857d6096741a97

  • SHA256

    bccfea0aa1f93962c5e794076f9a1da37fa67114cf88809a3f65f6ae8bb44655

  • SHA512

    32bf6d6aed84dfb68ef6b798394cb455e13d493ca716a419cc9099601e5a374a6ddd9f7a9b7f0f66ebf4e1f5cbe4fd3b4cec4324f52f23d3a0f031fb595e1021

  • SSDEEP

    196608:P0ppKTn4gYSk0FqNfrRFmgbmY7Qw93lXo/8X4M3St19:P0pwUTSk0FqNftFP97193FVXJ619

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

AIMBOT

C2

hanekez.ddns.net:1005

Mutex

QSR_MUTEX_cFkbY7JfacEJJSBZBJ

Attributes
  • encryption_key

    Zu6989wNCzakRG4JG624

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir
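The extracted configuration above (C2 host and port, mutex, install name, subdirectory, startup key) together with the archive's SHA-256 is enough to build a first-pass host and network detection. The following is an added example, not part of the sandbox report and not Quasar's own code: a small IOC matcher that runs over endpoint telemetry. The events it scans are constructed for the example in a Sysmon-like JSON shape; the event "type" values and field names are assumptions made here, not the sandbox's schema. The mutex check generalises beyond this sample by matching the QSR_MUTEX_ prefix that Quasar builds its mutex name from, rather than the full string reported above.

```python
"""
Added example, not part of the sandbox report: an IOC matcher built from the
Quasar 1.3.0.0 configuration extracted above (C2 host/port, mutex, install
name, subdirectory, startup key) plus the archive's SHA-256, run over endpoint
telemetry. The events below are constructed in a Sysmon-like JSON shape and are
not taken from the sample's run; the event "type" values and field names are
assumptions made for this illustration.
"""
import re

# Indicators copied from the extracted configuration and the sample hashes.
C2_HOST = "hanekez.ddns.net"
C2_PORT = 1005
MUTEX_PREFIX = "QSR_MUTEX_"      # generalised: Quasar names its mutex QSR_MUTEX_<random>
STARTUP_KEY = "Quasar Client Startup"
INSTALL_NAME = "Client.exe"
SUBDIRECTORY = "SubDir"
KNOWN_SHA256 = {
    "bccfea0aa1f93962c5e794076f9a1da37fa67114cf88809a3f65f6ae8bb44655": "FNknoxV1 (1).rar",
}

# "...\SubDir\Client.exe" at the end of an image path, either slash style.
_INSTALL_PATH_RE = re.compile(
    r"[\\/]" + re.escape(SUBDIRECTORY) + r"[\\/]" + re.escape(INSTALL_NAME) + r"$",
    re.IGNORECASE,
)


def match_event(event):
    """Return a list of (indicator, detail) pairs that fire for one event."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        image = event.get("image", "")
        if _INSTALL_PATH_RE.search(image):
            hits.append(("install_path", image))
        # The report flags PowerShell use (T1059.001); a PowerShell parent is
        # a useful pivot but not proof on its own, so it is reported separately.
        if event.get("parent_image", "").lower().endswith("powershell.exe"):
            hits.append(("powershell_parent", event["parent_image"]))
    elif kind == "registry_set":
        key = event.get("key", "").lower()
        if event.get("value_name") == STARTUP_KEY and key.endswith("\\run"):
            hits.append(("startup_key", event["key"]))
    elif kind == "mutex_create":
        if event.get("name", "").startswith(MUTEX_PREFIX):
            hits.append(("quasar_mutex", event["name"]))
    elif kind == "dns_query":
        if event.get("query", "").lower().rstrip(".") == C2_HOST:
            hits.append(("c2_dns", event["query"]))
    elif kind == "network_connect":
        if event.get("dest_host", "").lower() == C2_HOST and event.get("dest_port") == C2_PORT:
            hits.append(("c2_connect", f"{event['dest_host']}:{event['dest_port']}"))
    elif kind == "file_hash":
        sha256 = event.get("sha256", "").lower()
        if sha256 in KNOWN_SHA256:
            hits.append(("known_hash", KNOWN_SHA256[sha256]))
    return hits


def scan(events):
    """Aggregate hits across a stream of events, keyed by indicator name."""
    findings = {}
    for event in events:
        for indicator, detail in match_event(event):
            findings.setdefault(indicator, []).append(detail)
    return findings


# Constructed telemetry: six events that mirror the report's findings plus two
# benign ones that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Users\victim\AppData\Roaming\SubDir\Client.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Quasar Client Startup",
     "value": r"C:\Users\victim\AppData\Roaming\SubDir\Client.exe"},
    {"type": "mutex_create", "name": "QSR_MUTEX_cFkbY7JfacEJJSBZBJ"},
    {"type": "dns_query", "query": "hanekez.ddns.net"},
    {"type": "network_connect", "dest_host": "hanekez.ddns.net", "dest_port": 1005},
    {"type": "file_hash", "path": r"C:\Users\victim\Downloads\FNknoxV1 (1).rar",
     "sha256": "bccfea0aa1f93962c5e794076f9a1da37fa67114cf88809a3f65f6ae8bb44655"},
    {"type": "process_create", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
    {"type": "dns_query", "query": "www.example.com"},
]

if __name__ == "__main__":
    for indicator, details in scan(SAMPLE_EVENTS).items():
        print(f"{indicator:18} {details}")
```

The hash and C2 hostname are sample-specific and will rot as soon as the operator rebuilds or re-points the DDNS name; the mutex prefix, the Run-key value name and the SubDir\Client.exe install path are the more durable indicators, since they come from the builder's settings rather than from this one build.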

Targets

    • Target

      Driver.dll

    • Size

      242KB

    • MD5

      9a41f2a54a2fa0b81b2511e32e914f2c

    • SHA1

      3276c4d7be73019a6a7fe8e218a98228ac930ce4

    • SHA256

      3cc04edaa12d7feed849f1b88e10d49b948b1ef2a62e197ac35d41e5b35dbfcc

    • SHA512

      8fd80dc238b3d8d75797720dc6117ff41b7064804ee243bc3e5d5c847c20856a22b30d9ed579aa1b565fc57c65bd138d913069a26cb71a93b0134b77df36dc27

    • SSDEEP

      3072:2QaHp8CKxa1Kd0B7itS5jWqJgvFmtPb9WxBvk4rFTbRL2LP/jWoF3tK8cDL6v51y:2QFPxm5BetSEqJgtibSs4HvD4YQ

    • Score

      1/10

    • Target

      FNknoxV1.exe

    • Size

      7.0MB

    • MD5

      127d96c8d795e8420ee8e1e178b6dfe9

    • SHA1

      e8db8d8577ac74a60de1afb5350b63fa8e49d045

    • SHA256

      2ecbcb10d1027d3c8b3288d6d73010163631e3f578fe0d3ab996400dd9474e06

    • SHA512

      f98eb6fdb763b0ab062a4a3f1d2a17fade1fd8e937bbd34f2c3fed8bd50de1dae57f75c0c67b533b09d6e86cf35fcc0bf8a6755103f0a76dcc7ea63f315acbe1

    • SSDEEP

      98304:OwzdbM+Q2y+aq0AANDhjOjFgFQlwq4Mjk+dBZtu9xTtwz/aer6/BbiEJ1nL2hBnP:OGf0AKpOjmFQR4MVGFtwLPsnL2hV/H

    • Quasar RAT

      Quasar is an open-source Remote Access Tool (RAT) written in C#.

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command interpreter.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser profile data, which can include saved credentials.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to determine the infected system's external IP address.

    • Target

      ���UV 6.pyc

    • Size

      1KB

    • MD5

      2d8979c8b326bdc63867f079fc7b0f57

    • SHA1

      46b8c08b633be55b42bcd91e8ae5bf898e0a8054

    • SHA256

      b0941402101d5edc5da650f5706b52cb4becb5e2d942fd970041692f1eddcebe

    • SHA512

      23f9f920bd10cd4981e0956d4ba3eb66842656b3437d250c96773f5a3c7ac081f2db50f0b9602b57755e80a37281243a02e7c3511418df9e64fb6e34ddeb86b5

    • Score

      1/10

    • Target

      mciavi32.dll

    • Size

      101KB

    • MD5

      e9944f49dfaa4d580ddfbd676d61d397

    • SHA1

      6f9e0bfec72657355ee400c71668779ee41b5ba6

    • SHA256

      30317e32d7f5e36ad2674353a198f5b2760ff121c40cc0cf11be0cf9729fadb5

    • SHA512

      fd494ad6aa5520e3e115cc5104882aa9922ecb181e61a03969aad73273ffa6cd8c0269994e0eec8676b41d2a7832db722d51b5e0bce9c7a7ed8d11b5330a289b

    • SSDEEP

      1536:4bfvWWJHxioRuscmoKKHeH8vQINmgZUg4nP8lNM3t3qs7SO2xjlyGp8w:4rWmsscmoKgDQInYXt3qsHSJyS8w

    • Score

      1/10

    • Target

      spwizimg.dll

    • Size

      5.6MB

    • MD5

      6259c2ebf8f1b15c4b075e413bf32598

    • SHA1

      80ef443ed0dc3c93476b7a0edfa0fd76f2baa50a

    • SHA256

      b206630e0c06b9bea1809d80b9f2601ee417857e7c8a22c1854e30c08ea744e1

    • SHA512

      ecab9c71e95dcf2463490f34a2a66f5e9353b4be9af888f30b4e93520b4fa5a6a8fac5e69f84efeb88e195758d951cba8e36c9957eef261f4f9fb063bb04e395

    • SSDEEP

      3072:OtsxIS9L+rz5iG7aB+H+Yge19NT6lBc/0yY+wcE9rCbpxTNX5vNRZWyXzyKblUuB:O6xISpQiG7aBMjNxTNX5vZ

    • Score

      1/10

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic, then technique (ID); the number after each technique is the count the report gives for it.

Execution
  • Command and Scripting Interpreter (T1059): 1
    • PowerShell (T1059.001): 1

Persistence
  • Event Triggered Execution (T1546): 1
    • Netsh Helper DLL (T1546.007): 1

Privilege Escalation
  • Event Triggered Execution (T1546): 1
    • Netsh Helper DLL (T1546.007): 1

Credential Access
  • Unsecured Credentials (T1552): 2
    • Credentials In Files (T1552.001): 2

Discovery
  • System Information Discovery (T1082): 3
  • Process Discovery (T1057): 1

Collection
  • Data from Local System (T1005): 2
