General

  • Target

    rename me.bat

  • Size

    514KB

  • Sample

    240428-tpzm9sbg3x

  • MD5

    414264bb47935bed191128cf44f3a2cd

  • SHA1

    df49e4f8bc8d388c9b9398f29b0de0e72e79b130

  • SHA256

    a59ef50cd65d900c84024d9da88c4c93c9ae7fba7e2429c41d45081d381ad8ef

  • SHA512

    c15ca12cd576157369574c3a51ece0879ccee3b57614af91d6e99af21e8fdeb46d1680e2692a38d4da6b4ebb63f9e17341d0cc6ac616e6c2ebd36e698e588e66

  • SSDEEP

    12288:40xb2yL+sSyycyuVWTuM+EiWCCPt2EIKgEtoOT9ah:46bTLrSyycy9uM+EipCfhgTOTAh

Malware Config

Extracted

  • Family

    quasar

  • Version

    3.1.5

  • Botnet

    SeroXen

  • C2

    147.185.221.19:33587

  • Mutex

    $Sxr-2rfrZTKITtK0P0zGYG

Attributes
  • encryption_key

    Yr0YpBPNd3kXsl43jZMx

  • install_name

    $sxr-sdinwn.exe

  • log_directory

    $sxr

  • reconnect_delay

    3000

  • startup_key

    $sxr-metsha

  • subdirectory

    sxr

Targets

    • Target

      rename me.bat

    • Quasar RAT

      Quasar is an open-source remote access tool (RAT) for Windows; the extracted config above carries the SeroXen botnet tag and a 3.1.5 version string.

    • Quasar payload

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.
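The config and behaviour signatures above are only useful once they are turned into something a SOC can run. The script below is an added example, not part of the sandbox report: it takes the indicators from the extracted config (C2 ip:port, install_name, startup_key, sample SHA256) and matches them against Sysmon-style events. The log lines, their key=value layout, the IP-lookup host list, and the assumption that the scheduled task or Run value is named after startup_key are all constructed for the example; the page does not state them.

```python
"""Hunt for the Quasar/SeroXen indicators from this report in Sysmon-style logs.

Added example, not part of the sandbox report. Indicator values come from the
extracted config and hash section above; the log lines, the key=value event
layout and the IP-lookup host list are constructed assumptions.
"""
import re
from collections import defaultdict

# Indicators copied from the extracted config and hash section on this page.
C2_HOST, C2_PORT = "147.185.221.19", "33587"
INSTALL_NAME = "$sxr-sdinwn.exe"
STARTUP_KEY = "$sxr-metsha"
MUTEX = "$Sxr-2rfrZTKITtK0P0zGYG"
SAMPLE_SHA256 = "a59ef50cd65d900c84024d9da88c4c93c9ae7fba7e2429c41d45081d381ad8ef"

# Assumption: hosts commonly used for the "external IP lookup" behaviour; the
# report does not name the service this sample contacted.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ipinfo.io"}

# Constructed Sysmon-like events, one per line (EventID 1 process create,
# 3 network connect, 11 file create, 13 registry value set, 22 DNS query).
# Values containing spaces are double-quoted. Not taken from the sandbox run.
SAMPLE_LOGS = r"""
EventID=1 Image=C:\Users\victim\AppData\Roaming\sxr\$sxr-sdinwn.exe CommandLine="$sxr-sdinwn.exe" Hashes=SHA256=A59EF50CD65D900C84024D9DA88C4C93C9AE7FBA7E2429C41D45081D381AD8EF
EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks /create /tn $sxr-metsha /sc onlogon /tr C:\Users\victim\AppData\Roaming\sxr\$sxr-sdinwn.exe"
EventID=3 Image=C:\Users\victim\AppData\Roaming\sxr\$sxr-sdinwn.exe DestinationIp=147.185.221.19 DestinationPort=33587
EventID=3 Image="C:\Program Files\Mozilla Firefox\firefox.exe" DestinationIp=147.185.221.19 DestinationPort=443
EventID=11 Image=C:\Users\victim\AppData\Roaming\sxr\$sxr-sdinwn.exe TargetFilename=C:\Windows\System32\drivers\etc\hosts
EventID=13 Image=C:\Users\victim\AppData\Roaming\sxr\$sxr-sdinwn.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\$sxr-metsha
EventID=22 Image=C:\Users\victim\AppData\Roaming\sxr\$sxr-sdinwn.exe QueryName=api.ipify.org
EventID=1 Image=C:\Windows\explorer.exe CommandLine="explorer.exe" Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000
"""

# key=value pairs; a value is either a double-quoted string or a run of non-space chars.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value event line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the indicator tags that one parsed event matches."""
    tags = []
    eid = ev.get("EventID")
    if basename(ev.get("Image", "")) == INSTALL_NAME.lower():
        tags.append("install_name_image")          # config install_name seen as a process
    if eid == "1":
        if SAMPLE_SHA256.upper() in ev.get("Hashes", "").upper():
            tags.append("known_sample_hash")       # exact hash from this report
        cmd = ev.get("CommandLine", "").lower()
        if "schtasks" in cmd and STARTUP_KEY.lower() in cmd:
            tags.append("schtask_startup_key")     # assumption: task named after startup_key
    elif eid == "3":
        if ev.get("DestinationIp") == C2_HOST:
            exact = ev.get("DestinationPort") == C2_PORT
            tags.append("c2_ip_port" if exact else "c2_ip_other_port")
    elif eid == "11":
        if "\\system32\\drivers\\" in ev.get("TargetFilename", "").lower():
            tags.append("drivers_dir_write")       # "Drops file in Drivers directory"
    elif eid == "13":
        target = ev.get("TargetObject", "").lower()
        if "\\currentversion\\run\\" in target and target.endswith("\\" + STARTUP_KEY.lower()):
            tags.append("run_key_startup_key")     # assumption: Run value named after startup_key
    elif eid == "22":
        if ev.get("QueryName", "").lower() in IP_LOOKUP_HOSTS:
            tags.append("external_ip_lookup")      # "Looks up external IP address via web service"
    return tags


def hunt(log_text):
    """Map each indicator tag to the list of parsed events that matched it."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        for tag in classify(ev):
            hits[tag].append(ev)
    return dict(hits)


def iocs():
    """Machine-readable indicator set for sharing; every value is from this report."""
    return {
        "c2": f"{C2_HOST}:{C2_PORT}",
        "mutex": MUTEX,
        "install_name": INSTALL_NAME,
        "startup_key": STARTUP_KEY,
        "sha256": SAMPLE_SHA256,
    }


if __name__ == "__main__":
    for tag, events in sorted(hunt(SAMPLE_LOGS).items()):
        print(f"{tag:22s} {len(events)} event(s)")
```

Contact with the C2 address on a port other than 33587 is reported separately (c2_ip_other_port) rather than dropped, because the config's port is only what this build was given; the host is the durable indicator. The mutex is not visible in Sysmon events, so it is exported through iocs() for host-based checks rather than matched here.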

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                           Count  ID
Execution             Scheduled Task/Job                  1      T1053
Execution             Command and Scripting Interpreter   1      T1059
Persistence           Scheduled Task/Job                  1      T1053
Privilege Escalation  Scheduled Task/Job                  1      T1053
Discovery             Query Registry                      1      T1012
Discovery             System Information Discovery        3      T1082
