blankgrabber | 1cdd2cd88644b2d634ac27b95031bddcbb69479bf6bdd090a2257e40132a69c2 | Triage

Submit
Reports

Overview

overview

Static

static

Driver.dll

windows10-1703-x64

1

SlottedAimV2.exe

windows10-1703-x64

mciavi32.dll

windows10-1703-x64

1

spwizimg.dll

windows10-1703-x64

1

Resubmissions

04-07-2024 22:35

240704-2hv1havgnh 10

04-07-2024 22:32

240704-2gcgrsshnp 10

Sharing

General

Target

SlottedAimV2.rar
Size

7.1MB
Sample

240704-2hv1havgnh
MD5

04b4440a4dd4c687a388d993c0be18b7
SHA1

3f363a3d4c04bde4609168336033bbdcd5555bd5
SHA256

1cdd2cd88644b2d634ac27b95031bddcbb69479bf6bdd090a2257e40132a69c2
SHA512

7f72cef7397380ba583c4034de5f10e42e1d40c268b82f63e3d17e85e2a8c1b498665be6f9235031ed3dc3f8efb2114982ef513bee79b49c743a61f98a384cc8
SSDEEP

98304:LtIGDf639tvIF2/rvPzRrHY5rjoMQeYqolZIed277vRtf323r85zQ65gBB9UBr+U:LJII2rvbZHYibeYqolZIl7vRpn1RoU6S

Score

10^/10

blankgrabber quasar fortnite evasion execution spyware trojan upx

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Driver.dll

Resource

win10-20240404-en

windows10-1703-x64

0 signatures

150 seconds

Behavioral task

behavioral2

Sample

SlottedAimV2.exe

Resource

win10-20240404-en

quasar fortnite evasion execution spyware trojan upx

windows10-1703-x64

16 signatures

150 seconds

Behavioral task

behavioral3

Sample

mciavi32.dll

Resource

win10-20240404-en

windows10-1703-x64

0 signatures

150 seconds

Behavioral task

behavioral4

Sample

spwizimg.dll

Resource

win10-20240611-en

windows10-1703-x64

0 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

FORTNITE

C2

hanekese.ddns.net:1005

Mutex

QSR_MUTEX_uKpgto5HxTzlVefHo9

Attributes

encryption_key
RayN5IunUgPITKqRBUZA
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
mac updater
subdirectory
SubDir

Targets

- Target
  
  Driver.dll
- Size
  
  242KB
- MD5
  
  9a41f2a54a2fa0b81b2511e32e914f2c
- SHA1
  
  3276c4d7be73019a6a7fe8e218a98228ac930ce4
- SHA256
  
  3cc04edaa12d7feed849f1b88e10d49b948b1ef2a62e197ac35d41e5b35dbfcc
- SHA512
  
  8fd80dc238b3d8d75797720dc6117ff41b7064804ee243bc3e5d5c847c20856a22b30d9ed579aa1b565fc57c65bd138d913069a26cb71a93b0134b77df36dc27
- SSDEEP
  
  3072:2QaHp8CKxa1Kd0B7itS5jWqJgvFmtPb9WxBvk4rFTbRL2LP/jWoF3tK8cDL6v51y:2QFPxm5BetSEqJgtibSs4HvD4YQ
Score

1^/10
behavioral1
- Target
  
  SlottedAimV2.exe
- Size
  
  7.0MB
- MD5
  
  decace854bd66eba96581505cbb1f785
- SHA1
  
  dfd6824e2db3a2ebb89208f0e5f69e6cc1661da6
- SHA256
  
  ebbdf48aafe6c046eca7512a4e764629559392147518fdf2917751a891bfcd5d
- SHA512
  
  e55f8afc9a36913aaa24932a94b82100a53accd4f5d8865fc207c9b50c607efa259115d53d5926e0b45c99c0b9dece02996a6b8db5d365af122ccbcdd69823c8
- SSDEEP
  
  196608:WrSUf0qyleOjmFQR4MVGFtwLPCnL2hVcL:PVXKtM5LPCGcL
Score

10^/10

quasar fortnite evasion execution spyware trojan upx
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  evasion
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral2
- Target
  
  mciavi32.dll
- Size
  
  101KB
- MD5
  
  e9944f49dfaa4d580ddfbd676d61d397
- SHA1
  
  6f9e0bfec72657355ee400c71668779ee41b5ba6
- SHA256
  
  30317e32d7f5e36ad2674353a198f5b2760ff121c40cc0cf11be0cf9729fadb5
- SHA512
  
  fd494ad6aa5520e3e115cc5104882aa9922ecb181e61a03969aad73273ffa6cd8c0269994e0eec8676b41d2a7832db722d51b5e0bce9c7a7ed8d11b5330a289b
- SSDEEP
  
  1536:4bfvWWJHxioRuscmoKKHeH8vQINmgZUg4nP8lNM3t3qs7SO2xjlyGp8w:4rWmsscmoKgDQInYXt3qsHSJyS8w
Score

1^/10
behavioral3
- Target
  
  spwizimg.dll
- Size
  
  5.6MB
- MD5
  
  6259c2ebf8f1b15c4b075e413bf32598
- SHA1
  
  80ef443ed0dc3c93476b7a0edfa0fd76f2baa50a
- SHA256
  
  b206630e0c06b9bea1809d80b9f2601ee417857e7c8a22c1854e30c08ea744e1
- SHA512
  
  ecab9c71e95dcf2463490f34a2a66f5e9353b4be9af888f30b4e93520b4fa5a6a8fac5e69f84efeb88e195758d951cba8e36c9957eef261f4f9fb063bb04e395
- SSDEEP
  
  3072:OtsxIS9L+rz5iG7aB+H+Yge19NT6lBc/0yY+wcE9rCbpxTNX5vNRZWyXzyKblUuB:O6xISpQiG7aBMjNxTNX5vZ
Score

1^/10
behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

Credential Access

Discovery

System Information Discovery

Process Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

quasarfortniteevasionexecutionspywaretrojanupx

behavioral3

behavioral4

© 2018-2024

Terms | Privacy