tkanalyst

2019/10/10 LewdEK -> Quasar

Oct 9th, 2019
2019-10-10
#LewdEK (CVE-2018-8174) -> #Quasar

[Example Payload]
https://app.any.run/tasks/6384e75e-9445-44e2-af29-9e380ccdf87e

[Pastebin]
https://pastebin.com/f3xLMSAQ

[Reference]
https://twitter.com/tkanalyst/status/1171818815493201925

================================================================================================================
Main object: "PQvYe8Y14Vhc.exe"
sha256 268909bc33f0f8c5312b51570016311e3676af651a57de38e42241dcc177b2d6
sha1 7029f1565d8cb5334d8d19f9b4e0797611037570
md5 314d3c1ebe50ebc5d9809039ae02ba40

Dropped executable files (the _MEI22602 directory is the run-time extraction folder of a PyInstaller one-file bundle; the files below are the bundled Python 2.7 runtime, MSVC 9.0 CRT, pywin32 and PyCrypto modules, so their hashes are not unique to this sample)
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\Crypto.Hash._SHA256.pyd 36314665fa2a6effbe7a4280b2d420a438d02c40bd7b6a690a588490a2e8e4d0
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\_sqlite3.pyd 1e7d4623b0d1953a02c604b782cf3f7d0bd84884e032c863f0d5f488af425dec
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\Crypto.Random.OSRNG.winrandom.pyd 17fbe1dd26ac0b49b7764d5f667fd12b9929b7fa9fa60395847cf80f653a0fdb
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\Crypto.Util._counter.pyd 69c2d16001339775dba69bc884ed95602bc126b65bb9dcf96a779790dd41f52c
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\Crypto.Cipher._AES.pyd 51054f4d28782b6698b1b6510317650e797e11f87fa29fceaf8559b6bcbf4dfe
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\Crypto.Cipher._DES3.pyd 815430609a61ae49de9150e82e688c4175e296b2274aefa0373fe39bb4948042
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\_socket.pyd 59ef12178676e336d819f4e4b4d9c689fc51c95cd06ab9c5c1d06774f2657451
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\bz2.pyd 27b035e9a0b63b1f4891dbae222dabd7a5756bfe1a504d9e9357d2b59b2fe5d9
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\_ctypes.pyd d44f765d24d572188c3d5ee803cf824b2db1e9bd4e6d1d95062cd6a764202cdd
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\msvcm90.dll 636e12fea8c47ea528dba48827ac51a2e98b2ef0864854c9375b8170555c0a6e
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\_ssl.pyd 2a3911be8b1a2689de409188c1c72c3abe5ff0f51128f5d7a22b30e3a957ab97
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\_hashlib.pyd 878388c1ae7319f7d1a89d2c186c460f41f259055b63cda29f5008f4025f4c5e
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\pyexpat.pyd 18675152111924780b6c746a78f11936d8ba31f18418b8e255e579d932f2acf6
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\msvcp90.dll 45cb405589c92bf74c47b7c90e299a5732a99403c51f301a5b60579caf3116e7
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\msvcr90.dll ae163388201ef2f119e11265586e7da32c6e5b348e0cc32e3f72e21ebfd0843b
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\select.pyd efca6435f01bc7399ef7907b6aeba9394b2966d46325f2a81f34eaa3c733dc4e
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\pywintypes27.dll 88d8eb5894c47990b4ff88e94a75f59c498cfd16b0f29894f0947f5ed2a862f3
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\python27.dll ac02f0ab3707eaf2d6980eeaf73cfd064e77121ce8a78d057be84c3b436746c5
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\win32pipe.pyd 654308420dd8362408b60e6d602c39101f1db75960112bc23f6298a810a1bf83
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\win32wnet.pyd e5b51438204d762734625f3e03c571b3b90c2ecdc358af167bdbc6bea8a0d3e3
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\sqlite3.dll ffefe1cc04f2f0e47e43c8c823447637fab227482ea8b69c8d2b4e6198f00da4
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\unicodedata.pyd c83effcd8372389c2d3cff38fab5e41d0f7c96d9bb47a6e58de6ed63998ea3cb

DNS requests
domain 0x0x.co

Connections
ip 104.217.54.142

HTTP/HTTPS requests
url http://0x0x.co/ver.php
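The dump above is flat text, which is fine for reading but awkward to feed into a blocklist or SIEM watchlist. Added here as an example (not the analyst's own tooling, and not part of the original paste) is a small Python parser that turns a dump of this shape into validated, structured indicators. It assumes only the line shapes used above (`<algo> <hash>`, `<algo> <path> <hash>`, and `domain` / `ip` / `url` lines), rejects hashes of the wrong length or non-hex content, and flags the PyInstaller `_MEI<digits>` extraction directory. The embedded input is a constructed excerpt of the paste plus one deliberately truncated hash line to exercise the validation. Because the dropped files are stock Python 2.7 runtime, pywin32 and PyCrypto binaries that any PyInstaller-packaged program would also drop, `flatten()` leaves their hashes out of the watchlist unless explicitly asked for.

```python
"""Parse a plain-text IOC dump into validated, structured indicators.

Added example; not the analyst's tooling. Assumes the line shapes used in
the paste: '<algo> <hash>', '<algo> <path> <hash>', 'domain X', 'ip X', 'url X'.
"""
import re
from typing import Dict, List, Tuple

# Constructed input: an excerpt of the paste (main object, two dropped files,
# the network indicators) plus one deliberately truncated hash line.
# Raw string so the Windows backslashes survive unescaped.
SAMPLE = r"""
Main object: "PQvYe8Y14Vhc.exe"
sha256 268909bc33f0f8c5312b51570016311e3676af651a57de38e42241dcc177b2d6
sha1 7029f1565d8cb5334d8d19f9b4e0797611037570
md5 314d3c1ebe50ebc5d9809039ae02ba40
Dropped executable file
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\python27.dll ac02f0ab3707eaf2d6980eeaf73cfd064e77121ce8a78d057be84c3b436746c5
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\_sqlite3.pyd 1e7d4623b0d1953a02c604b782cf3f7d0bd84884e032c863f0d5f488af425dec
sha256 C:\Users\admin\AppData\Local\Temp\_MEI22602\broken.pyd deadbeef
DNS requests
domain 0x0x.co
Connections
ip 104.217.54.142
HTTP/HTTPS requests
url http://0x0x.co/ver.php
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}   # hex digits per algorithm
HEX = re.compile(r"^[0-9a-f]+$")
# PyInstaller one-file bundles unpack into %TEMP%\_MEI<digits>\ at run time.
MEI_DIR = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)
IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
MAIN_OBJ = re.compile(r'^Main object[-:]?\s*"(.+)"$')


def parse_iocs(text: str) -> Dict[str, object]:
    """Return structured indicators; malformed lines land in 'errors'."""
    iocs: Dict[str, object] = {"main_object": None, "hashes": [], "dropped": [],
                               "domains": [], "ips": [], "urls": [],
                               "pyinstaller": False, "errors": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MAIN_OBJ.match(line)
        if m:
            iocs["main_object"] = m.group(1)
            continue
        parts = line.split()
        kind = parts[0].lower()
        if kind in HASH_LEN:
            value = parts[-1].lower()
            if len(value) != HASH_LEN[kind] or not HEX.match(value):
                iocs["errors"].append(line)          # wrong length or non-hex
                continue
            if len(parts) == 2:                      # '<algo> <hash>'
                iocs["hashes"].append({"algo": kind, "value": value})
            else:                                    # '<algo> <path> <hash>'
                path = " ".join(parts[1:-1])
                if MEI_DIR.search(path):
                    iocs["pyinstaller"] = True
                iocs["dropped"].append({"path": path, "algo": kind, "value": value})
        elif kind == "domain" and len(parts) == 2:
            iocs["domains"].append(parts[1].lower())
        elif kind == "ip" and len(parts) == 2:
            m = IPV4.match(parts[1])
            if m and all(0 <= int(o) <= 255 for o in m.groups()):
                iocs["ips"].append(parts[1])
            else:
                iocs["errors"].append(line)
        elif kind == "url" and len(parts) == 2:
            iocs["urls"].append(parts[1])
        # Section headers ("DNS requests", ...) carry no indicator and are skipped.
    return iocs


def flatten(iocs: Dict[str, object], include_dropped: bool = False) -> List[Tuple[str, str]]:
    """Sorted, de-duplicated (type, value) pairs for a blocklist or watchlist.

    Dropped-file hashes are excluded by default: here they are shared runtime
    binaries that benign PyInstaller programs drop as well.
    """
    pairs = {(h["algo"], h["value"]) for h in iocs["hashes"]}
    if include_dropped:
        pairs.update((h["algo"], h["value"]) for h in iocs["dropped"])
    pairs.update(("domain", d) for d in iocs["domains"])
    pairs.update(("ip", i) for i in iocs["ips"])
    pairs.update(("url", u) for u in iocs["urls"])
    return sorted(pairs)


if __name__ == "__main__":
    result = parse_iocs(SAMPLE)
    print("main object:", result["main_object"], "| pyinstaller:", result["pyinstaller"])
    for kind, value in flatten(result):
        print(f"{kind:7} {value}")
    for bad in result["errors"]:
        print("rejected:", bad)
```

Run it on the full paste by replacing `SAMPLE` with the text above; the `pyinstaller` flag tells you up front that the dropped-file hashes belong to the packer's runtime rather than to the payload, so the strong indicators are the main object's hashes, the domain, the IP and the `/ver.php` URL.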