General

  • Target

    rename me.bat

  • Size

    328KB

  • Sample

    240428-tn6eesbg2t

  • MD5

    aeb5d5210a55384c6019bc889ab2712a

  • SHA1

    524094d4dc90b48c110e24b26aa6cebbf15937cf

  • SHA256

    3f077245d055648ee67c8597d813805f43a1a750abf17b6597ec49e6e61bba1e

  • SHA512

    2e71352ad66c150a217784f0eeec50d001eef3fa60be33dd98bec3503dc0356b8e6b6df4042e1bddfb4933b25ba5c9a4202450eb6604ae00bb48a1495f54910f

  • SSDEEP

    6144:v49D8DR1G9Pj1pP+irNTVDxmev+lcvhEvLpPxJMRLRsvjoOo50AqPJNIA3OiL5O9:v49DuPGtjP+irnDIev+lcv2pxLjoOoOq

Malware Config

Extracted

  • Family

    quasar

  • Version

    3.1.5

  • Botnet

    SeroXen

  • C2

    147.185.221.19:33587

  • Mutex

    $Sxr-2rfrZTKITtK0P0zGYG

Attributes

  • encryption_key

    Yr0YpBPNd3kXsl43jZMx

  • install_name

    $sxr-sdinwn.exe

  • log_directory

    $sxr

  • reconnect_delay

    3000

  • startup_key

    $sxr-metsha

  • subdirectory

    sxr

Targets

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scheduled Task/Job (T1053) - 1
    Command and Scripting Interpreter (T1059) - 1

  • Persistence

    Scheduled Task/Job (T1053) - 1

  • Privilege Escalation

    Scheduled Task/Job (T1053) - 1

  • Discovery

    System Information Discovery (T1082) - 1

Tasks