General

Target: rename me.bat
Size: 514KB
Sample: 240428-tpzm9sbg3x
MD5: 414264bb47935bed191128cf44f3a2cd
SHA1: df49e4f8bc8d388c9b9398f29b0de0e72e79b130
SHA256: a59ef50cd65d900c84024d9da88c4c93c9ae7fba7e2429c41d45081d381ad8ef
SHA512: c15ca12cd576157369574c3a51ece0879ccee3b57614af91d6e99af21e8fdeb46d1680e2692a38d4da6b4ebb63f9e17341d0cc6ac616e6c2ebd36e698e588e66
SSDEEP: 12288:40xb2yL+sSyycyuVWTuM+EiWCCPt2EIKgEtoOT9ah:46bTLrSyycy9uM+EipCfhgTOTAh
Tasks

Static task: static1
Behavioral task: behavioral1, sample rename me.bat, resource win10-20240404-en
Behavioral task: behavioral2, sample rename me.bat, resource win10v2004-20240426-en
Malware Config

Extracted: quasar
Version: 3.1.5
Botnet: SeroXen
C2: 147.185.221.19:33587
Mutex: $Sxr-2rfrZTKITtK0P0zGYG (this value carries no label in the extracted output; it is assumed to be the mutex from its position in the config and the SeroXen "$Sxr-" naming scheme)
encryption_key: Yr0YpBPNd3kXsl43jZMx
install_name: $sxr-sdinwn.exe
log_directory: $sxr
reconnect_delay: 3000 (milliseconds)
startup_key: $sxr-metsha
subdirectory: sxr
Targets

Target: rename me.bat
Size: 514KB
MD5 / SHA1 / SHA256 / SHA512 / SSDEEP: same file as under General above; the hashes are identical.

Signatures (behavioral)
- Quasar payload
- Blocklisted process makes network request
- Drops file in Drivers directory
- Checks computer location settings: looks up the country code configured in the registry, most likely a geofence check before the payload runs.
- Executes dropped EXE
- Looks up external IP address via web service: uses a legitimate IP lookup service to learn the infected system's external IP.
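As an added example (not part of the Triage report and not SeroXen's or Quasar's own code), the Python below turns the extracted configuration and the behavioral signatures listed above into matching rules and runs them over a handful of constructed Sysmon-style events. The unlabelled "$Sxr-…" config value is assumed to be the Quasar mutex; the IP-lookup host list, the test-net destination address and the sample events are constructed for illustration and do not come from the report.

```python
"""Added example: match the report's IOCs against constructed Sysmon-style events.
Not part of the Triage report or of SeroXen/Quasar itself."""
import hashlib
import re
from typing import Dict, List, Tuple

# Indicators copied from the report above. The first config value after the C2
# has no label in the extracted output; it is ASSUMED here to be the mutex.
IOC = {
    "sha256": "a59ef50cd65d900c84024d9da88c4c93c9ae7fba7e2429c41d45081d381ad8ef",
    "c2_ip": "147.185.221.19",
    "c2_port": 33587,
    "mutex": "$Sxr-2rfrZTKITtK0P0zGYG",
    "install_name": "$sxr-sdinwn.exe",
    "startup_key": "$sxr-metsha",
    "subdirectory": "sxr",
}

# ASSUMED list of common external-IP services; the report only says
# "a legitimate IP lookup service" without naming which one was used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "ifconfig.me"}

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
DRIVERS_DIR = re.compile(r"\\System32\\drivers\\", re.IGNORECASE)

Event = Dict[str, str]


def match_event(ev: Event) -> List[str]:
    """Return the name of every rule the event satisfies (empty list if none)."""
    hits: List[str] = []
    kind = ev.get("event", "")
    if kind == "ProcessCreate":  # Sysmon event ID 1
        image = ev.get("Image", "")
        if image.rsplit("\\", 1)[-1].lower() == IOC["install_name"].lower():
            hits.append("quasar_install_name")
        if ("\\" + IOC["subdirectory"] + "\\").lower() in image.lower():
            hits.append("quasar_subdirectory")
    elif kind == "RegistryValueSet":  # Sysmon event ID 13: persistence via Run key
        m = RUN_KEY.search(ev.get("TargetObject", ""))
        if m and m.group(1).lower() == IOC["startup_key"].lower():
            hits.append("quasar_startup_key")
    elif kind == "NetworkConnect":  # Sysmon event ID 3
        if (ev.get("DestinationIp") == IOC["c2_ip"]
                and int(ev.get("DestinationPort", 0)) == IOC["c2_port"]):
            hits.append("quasar_c2")
        if ev.get("DestinationHostname", "").lower() in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")
    elif kind == "FileCreate":  # Sysmon event ID 11: the "Drops file in Drivers directory" signature
        if DRIVERS_DIR.search(ev.get("TargetFilename", "")):
            hits.append("drops_file_in_drivers_dir")
    return hits


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Run every rule over every event; return (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in match_event(ev)]


def sha256_matches(data: bytes) -> bool:
    """Compare a file's bytes (e.g. a quarantined copy) against the report's SHA256."""
    return hashlib.sha256(data).hexdigest() == IOC["sha256"]


# CONSTRUCTED events, not from a real host. 192.0.2.10 is a documentation address.
SAMPLE_EVENTS: List[Event] = [
    {"event": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe"},
    {"event": "ProcessCreate", "Image": r"C:\Users\u\AppData\Roaming\sxr\$sxr-sdinwn.exe"},
    {"event": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\$sxr-metsha"},
    {"event": "NetworkConnect", "DestinationIp": "147.185.221.19", "DestinationPort": "33587"},
    {"event": "NetworkConnect", "DestinationIp": "192.0.2.10", "DestinationPort": "443",
     "DestinationHostname": "api.ipify.org"},
    {"event": "FileCreate", "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Sysmon does not record mutex creation or registry reads, so the mutex and the country-code lookup behind "Checks computer location settings" are not matched by event-log rules like these; the mutex and the encryption_key are better used as strings in a memory or config scan of the dropped executable. The stage-1 file is a 514KB .bat, so the install_name and Run-key rules fire on what it drops, not on the batch file itself.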