Overview

overview

10

Static

static

10

fc21892aeb...36.exe

windows10-2004-x64

10

fc21892aeb...36.exe

windows11-21h2-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    f74eafefa6ec7e1e110e4a2dd78054e9.bin

  • Size

    1.2MB

  • Sample

    250511-ccb8rsvqy6

  • MD5

    66857d56e0ec7639ed855584cf1746b5

  • SHA1

    168c6a88a6d2802ff6d3de5ca702dd19a1e37ee5

  • SHA256

    94f07091019bd2d1e3c1b86deefeb28c9a2c91cea8a8070974c04459ce4ea9d1

  • SHA512

    e9d1280914427c66821c1d680a215975dc9d1759136523c2ae488524cd03891af2d068caebbe5d325ce464a758acc33912d44fa7c5bd286e2975b9ef8fc619f0

  • SSDEEP

    24576:SzK7FUYU4/hCBAYAH+rxZqNooQieX8XIDyTvrJYyeYh6MbLHVrFAwwa:lz/UAH+KQipXGIFYFYhQwwa

Score
10/10
asyncratlummanjratquasarvidar158fdd2a4f5abb978509580715e5353fdefaulthackedoffice04credential_accesscryptonediscoverypackerratspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

213.209.150.210:8883

Mutex

5ae9d9d1-c102-422b-846d-85bceea00d83

Attributes
  • encryption_key

    5BCC3F93A18E5423C76CAF27F43E3B9CD95C7C28

  • install_name

    Client.exe

  • key_salt

    bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Upo

  • subdirectory

    SubDir

Extracted

Family

vidar

Version

13.6

Botnet

158fdd2a4f5abb978509580715e5353f

C2

https://t.me/m00f3r

https://steamcommunity.com/profiles/76561199851454339
Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

213.209.150.210:7773

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

lumma

C2

https://araucahkbm.live/baneb

https://flowerexju.bet/lanz

https://zmedtipp.live/mnvzx

https://easterxeen.run/zavc

https://overcovtcg.top/juhd

https://blackswmxc.top/bgry

https://posseswsnc.top/akds

https://1featurlyin.top/pdal

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

213.209.150.210:8882

Mutex

124ijgjsda8d19s

Attributes
  • delay

    1

  • install

    true

  • install_file

    Riot Games.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      fc21892aeb3c146f92a5721115252b5924c70494ae24460aa1d72c986aee2a36.exe

    • Size

      3.1MB

    • MD5

      f74eafefa6ec7e1e110e4a2dd78054e9

    • SHA1

      749ec2465671de48c0ba76732773a29c1a678d3b

    • SHA256

      fc21892aeb3c146f92a5721115252b5924c70494ae24460aa1d72c986aee2a36

    • SHA512

      8cdd0ed58955d64b0c749062d8f0e5fc0dec4ebed9f734193eb68681d2ab4064d0b753eafec72d91ec1e877eb47bd9e29fa9fe84e1cdae0104c40ef5cbd2b766

    • SSDEEP

      49152:WvFt62XlaSFNWPjljiFa2RoUYIXe8UbR4LoGdXTHHB72eh2NT:Wv362XlaSFNWPjljiFXRoUYIXe8b

    Score
    10/10
    lummanjratquasarvidar158fdd2a4f5abb978509580715e5353fhackedoffice04credential_accesscryptonediscoverypackerspywarestealertrojanasyncratdefaultrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Vidar Stealer

      stealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Njrat family

      njrat

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Async RAT payload

      rat

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

      cryptonepacker

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v16

Tasks

OSZAR »