General
Target: rename me.bat
Size: 328KB
Sample: 240428-tn6eesbg2t
MD5: aeb5d5210a55384c6019bc889ab2712a
SHA1: 524094d4dc90b48c110e24b26aa6cebbf15937cf
SHA256: 3f077245d055648ee67c8597d813805f43a1a750abf17b6597ec49e6e61bba1e
SHA512: 2e71352ad66c150a217784f0eeec50d001eef3fa60be33dd98bec3503dc0356b8e6b6df4042e1bddfb4933b25ba5c9a4202450eb6604ae00bb48a1495f54910f
SSDEEP: 6144:v49D8DR1G9Pj1pP+irNTVDxmev+lcvhEvLpPxJMRLRsvjoOo50AqPJNIA3OiL5O9:v49DuPGtjP+irnDIev+lcv2pxLjoOoOq
Static task: static1
Behavioral task: behavioral1
  Sample: rename me.bat
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: rename me.bat
  Resource: win10v2004-20240426-en
Malware Config
Extracted: quasar 3.1.5
SeroXen
147.185.221.19:33587
$Sxr-2rfrZTKITtK0P0zGYG
encryption_key: Yr0YpBPNd3kXsl43jZMx
install_name: $sxr-sdinwn.exe
log_directory: $sxr
reconnect_delay: 3000
startup_key: $sxr-metsha
subdirectory: sxr
Targets
Target: rename me.bat
Size: 328KB
(MD5, SHA1, SHA256, SHA512 and SSDEEP are identical to the values listed in the General section above.)
- Quasar payload
- Blocklisted process makes network request
- Drops file in Drivers directory
- Executes dropped EXE
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.