Skip to main content

Quantloader serving NetWire RAT

Follow the C2i tracker for block-lists. 

Here’s a look at what good old Quant is serving at this time:

Most of the modus operandi is same old — firewall rules, new processes etc.
There isn’t much effort to hide:

Haven’t looked at it much since I published this on MalwareBytes blog but here are a few things its still doing:
“cmd /c echo Y|CACLS \”c:\\users\\rem\\appdata\\roaming\\92804119\\dwm.exe\” /P \”REM:R\””
Some good old registry tampering:
“HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run [7]”

Trick to write into the registry:
0061FE34 0040C8C8 “regini C:\\Users\\REM\\AppData\\Local\\Temp\\per”
It is using this file that’s created ‘per’ to write the contents into the registry.
0060FE34  |0040B388; |CommandLine = "regini C:\Users\REM\AppData\Local\Temp\per"
In order to write it, it used regini.exe with the above commandline. ‘Per’ is just a txt file.

And after the registry entry has been written, it deletes ‘per’.
0060FECC  [0040265E  ^&@   ; /RETURN from KERNEL32.DeleteFileA to fad.0040265E
0060FED0  /00408170  p@   ; \Name = "C:\Users\REM\AppData\Local\Temp\per"
And here’s the call for the final executable:
0061FED0 00408B90 “"
The executable is not there anymore at the time of this publication but all my OSINT resources point to it being:
NetWire RAT


Popular posts from this blog

Major update: Emotet C2i Apr 2019

Emotet has updated the C2 comms in the latest release, going for URIs instead of IPs (root). Here’s a complete list of the current campaign: Emotet C2i:

Grinju Downloader: Anti-analysis (on steroids) | Part 2

  This malware takes anti-analysis and stealth techniques to a new level We took a look at this malware in the Part 1 of this publication. Now let’s carry on with the analysis and dig deeper into the various anti-analysis and stealth-exec features of this malware in Part2. Malpedia Inventory: Secondary Macro Code First of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed. Take a look at these lines and try to figure out what they are meant to do. Then we’ll take a look at the most important of these briefly before moving on to the next section. =CLOSE(FALSE) =FORMULA(LEN(APP.MAXIMIZE())+-459,Sheet1!R18690C129) =FORMULA(LEN(GET.WINDOW(7))+-131,Sheet1!R18691C129) =FORMULA(LEN(GET.WINDOW(20))+-893,Sheet1!R18692C129) =FORMULA(LEN(GET.WINDOW(23)=3)+433,Sheet1!R18693C129) =FORMULA(LEN(GET.WORKSPACE(31))+864,Sheet1!R18694C129) =FORMULA(LEN(GET.WORKSPACE(13)>770)+707,Sheet1!R18

Emotet C2 Network IOC August 2018 Week 4 Campaign

Article by  Vishal Thakur IP Port COUNTRY REGION CITY TIME ZONE United States Texas Dallas CST United States New Jersey EST United States South Carolina Tamassee EST Canada Ontario Ottawa EST 443 United States Georgia Moultrie EST 443 United States Virginia Ashburn EST United Arab Emirates Dubai GMT+4 United States Oklahoma Oklahoma City CST 443 United States Massachusetts Cambridge EST 443 Korea, Republic Of Seoul GMT+9 443 Russian Federation Moscow GMT+3 8090 Canada Ontario Ottawa EST 8090 United States New Jersey Bedminster EST United States Florida Brandon EST 443 China Guangzhou GMT+8 443 United States Missouri Springfield CST 7080 United States Delaware Seaford EST United States District Of Columbia Washingt