General

  • Target

    e1a72f7e4426c8d5e849459fa7c7e476.bin

  • Size

    35.4MB

  • Sample

    240630-ep8hvatelh

  • MD5

    4a0c55d6223fc7fdd5d5ca9b3b9ca103

  • SHA1

    60fe7f01ce9da9f0f1a302c1b68398172fae9b0f

  • SHA256

    74da0ec13e96351e76edd4d76a7d15e11d4435c366c994db740dc2875c9f4816

  • SHA512

    e05a80027c362d7fa91bd5d05c7fe8dbb91d4e346637b41eabd80abfc444de6434834429c8070a56360489a943516606585bf59ff5f09c00ac13daf45114e0b5

  • SSDEEP

    786432:0+LXSUL1227MI11Z7FFhGQBfdfADE4kcEOHjFGDQEXMhPKJ8oK:RLCUL1jRFfAmt7sCMhPs8

Malware Config

Extracted

  • Family

    quasar

  • Version

    3.1.5

  • Botnet

    Slave

  • C2

    stop-largely.gl.at.ply.gg:27116

  • Mutex

    $Sxr-kl1r656AGsPQksTmi8

Attributes
  • encryption_key

    ql4fQ8TV9ZFP9vRX2myA

  • install_name

    $sxr~Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    $77STARTUP~MSF

  • subdirectory

    $sxr~SubDir

Extracted

  • Family

    xworm

  • C2

    best-bird.gl.at.ply.gg:27196

    super-nearest.gl.at.ply.gg:17835

    wiz.bounceme.net:6000

Attributes
  • aes.plain

Extracted

  • Family

    asyncrat

  • Botnet

    Default

  • C2

    finally-grande.gl.at.ply.gg:25844

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

  • aes.plain

Extracted

  • Family

    quasar

  • Version

    1.4.1

  • Botnet

    Office04

  • C2

    history-foo.gl.at.ply.gg:42349

  • Mutex

    2beddbf7-c691-4058-94c7-f54389b4a581

Attributes
  • encryption_key

    CBFC5D217E55BEBDCD3A6EFA924299F76BC328D9

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    SubDir

Targets

    • Target

      9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe

    • Size

      39.9MB

    • MD5

      e1a72f7e4426c8d5e849459fa7c7e476

    • SHA1

      e1101a053ebe7cf5dc44f4f4ea787be113cae10f

    • SHA256

      9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece

    • SHA512

      0a2830e2f9e1872a98996f4221f1e81a33e8927e087397e7b3342fe79333974d030d8ff4176746c9cfd78eeb382d46a88023709c2e003b6a1ba00d883ee4426f

    • SSDEEP

      786432:sxGPxJDr/A/brZCaMhEDL/BpYE0dkt3ZL3PDnsilllqs7GIKScPml8tBW:oGJJDrYPZCaEWLxVfDnplllpzMW

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Async RAT payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v13

Tactic, then technique and sub-technique with ATT&CK ID; the number in parentheses is the count of matching signatures.

  • Execution

    Command and Scripting Interpreter, T1059 (1)

    PowerShell, T1059.001 (1)

    Scheduled Task/Job, T1053 (1)

    Scheduled Task, T1053.005 (1)

  • Persistence

    Scheduled Task/Job, T1053 (1)

    Scheduled Task, T1053.005 (1)

  • Privilege Escalation

    Scheduled Task/Job, T1053 (1)

    Scheduled Task, T1053.005 (1)

  • Discovery

    Query Registry, T1012 (1)

    System Information Discovery, T1082 (2)
