General

  • Target

    9a29bddf402b54b0f23fed218dbc1b13186db7688930ec8dcf627aae635ccf79.zip

  • Size

    2.5MB

  • Sample

    240705-b1fena1hjb

  • MD5

    f183214bb2f9050151f856f4fa7744d5

  • SHA1

    46eab90d3e271f2a550bee3b4dadcd5323ebbd78

  • SHA256

    9a29bddf402b54b0f23fed218dbc1b13186db7688930ec8dcf627aae635ccf79

  • SHA512

    06ec143d1cb184f07947af54143d1b59b3da2aa5c8541fa07453efca71092bbfa0cb16e41c06544146ff99ee04c971238a9813ff79d7cec66963ce47bc65d8f9

  • SSDEEP

    49152:stMhgHaLtLCJuimQOAXe8+QTe0pAlsY456tOmCRiHNiLg84QbLZgLCRSAeGVlPpv:IMhgHaxuJTmQ5X+QS0p/Yt1tJ8ZBvS3u

Targets

    • Target

      xRAT v2.0/Client-built.exe

    • Size

      294KB

    • MD5

      04c30859516960ad61fcda864c16ea84

    • SHA1

      c5893f23d34826eb061cbff517843793f13b0e6a

    • SHA256

      e4fcf1f6b71043e7c7c32f6954a0a1972696fa1bb9b6543ead14e85626890a11

    • SHA512

      ef58cd9756f6d89b9752a6a233e388bfca9d1cb707af641ef95f04181b142e260c4c5c8e034270de35cd88cf569d81cebbcdc5af3749840436d006859cc6230c

    • SSDEEP

      3072:7o7lYJHuSHgB24g54PzOOqJYGk6/uGDB0C6Z3pMJCv5Aa5OZw1Rvbq/ZU1os8rG1:U7lRw4vB890C6ZwLORvbq/uv8M

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      xRAT v2.0/Mono.Cecil.dll

    • Size

      275KB

    • MD5

      2f1d2b580f22c8b14426cc793cafa143

    • SHA1

      3debfcafb6d1f94f999e02f18785ea9b13978767

    • SHA256

      c1c9504393fb9ae1e5130a70afed53f26a26f23bcbd655c3d79bc0fb846d2b2d

    • SHA512

      807789490cbde1ec11a473525de3d953d95e3889ec112dd2f0a4fc2aae504a2afa4ed66b6f4ce6b956e3ddd392ac8289621fa42d1b4cb9818896780b42c1c03a

    • SSDEEP

      6144:GXFrvb8HhISlKKvK0EihcEgMdWJ2I6jSAOHvSIT4KdFvkPzg:RBdK5JlDvSIM

    • Score

      1/10

    • Target

      xRAT v2.0/Mono.Nat.dll

    • Size

      46KB

    • MD5

      07104f5e5709661e722a76a1aa9b4ec2

    • SHA1

      7c65c0ede3e9a7916b7a53f39f5c8bddb2971247

    • SHA256

      cda6e89b45af038619b2cb0eff185d842e7401805c527866bc00f4286a7b0124

    • SHA512

      79d6c028d48008814863b1a7b321a61ce5568afa30e372230a82808e19c5dab8d3a4a34ec6d8a122ddfbbbf384d2c62fe4c516f1fd7e8561ac8acbcac39ec446

    • SSDEEP

      768:Uxe95m8J7r4A46Zj/Q5ttlyJRubO5CFR:U47r4KlQ5tyJUakT

    • Score

      1/10

    • Target

      xRAT v2.0/Vestris.ResourceLib.dll

    • Size

      76KB

    • MD5

      4c2fc3ae1f21d55a82464f03de977899

    • SHA1

      0399fd6265cb54369043080ebf4d013574f9f208

    • SHA256

      13e08cc54e2238592424b2d337333631f5b7dd804c682b8781be08de53d7889a

    • SHA512

      4abcb8b26b7d6636d3d9858b39f2d4171b1baba05f476f4c8f9c9ab0fb2b8da2d3fc5fe685c2873af98fe63d3e68c78b91f42ff7ea8a8a37a34276132904d348

    • SSDEEP

      1536:Ix0R789PUoXYIt1Og7O1pKYoRvWkAaClFYgGKeK92NXABHg:i0R789PU1IT7O1pwuugFVG/K92V

    • Score

      1/10

    • Target

      xRAT v2.0/client.bin

    • Size

      271KB

    • MD5

      9d697a19004e86acede9ee1bef4ff664

    • SHA1

      6193e527615492a1525f10172fefd69460170484

    • SHA256

      ac1fa54c26a22f25b1d78ab15315f48339eca43645162de8ad9c77d83a7c7f0a

    • SHA512

      25f26e09f50425c762e370bd7873d782aea7cd0328b30b0ed29e09692b5b380fdee1934d43c68848cace432dd9615791225f2531b3bb274c49d4cb692e50689d

    • SSDEEP

      3072:tDcnJEoBClZIwxVHOK7Vef43d73l1dRHHg2IgJnNDcBkbzsJmrh/SC1uq0RN8kfn:tDcXWZPXQf4th1LguJzbz048

    • Score

      10/10

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      xRAT v2.0/xRAT 2.exe

    • Size

      1.1MB

    • MD5

      fec8c33eda89a51808b52c3df2cb19d6

    • SHA1

      1a845c5fe91346d2c217a683c1479885643efecc

    • SHA256

      a71d5cbad432ffbddff485ec8fcfb60f5eecac7e59aaf6d4d1e92052e2a3c40b

    • SHA512

      4f8d9398acc5775ee451da3e0399d05510167de2618dd3e36be84295e9f5997cb2c48a9cc02377ceef8e38a00c69b5084731842ee3c2eb897881771363a926e7

    • SSDEEP

      12288:eqE7W86cb4W0XnzSrm2zd/ejGZFooreUQSrl/L:ekaDNBz

    • Score

      1/10

MITRE ATT&CK Matrix (ATT&CK v13)

      ID          Technique                              Count

  • Persistence

      T1547       Boot or Logon Autostart Execution      1
      T1547.001   Registry Run Keys / Startup Folder     1

  • Privilege Escalation

      T1547       Boot or Logon Autostart Execution      1
      T1547.001   Registry Run Keys / Startup Folder     1

  • Defense Evasion

      T1112       Modify Registry                        1

  • Discovery

      T1012       Query Registry                         1
      T1082       System Information Discovery           2