General
Target: Uni.bat
Size: 409KB
Sample: 240507-vn9braaa93
MD5: a6f2057e7c185d3404726718fb28af53
SHA1: 0b0ceb814eb8122eb673abe592c1e8ff47cc927b
SHA256: 9abd02733e85421317dc523abfa12bd4e20c36f480948c078fe623b67d20de92
SHA512: 863358b9948a58c71c21f2dceac042fec57ba73e16ea6d18703415c9b2147bbb193368ebcae6498bf7cbaf0737ade7517fa8a65194048e62d35b85be634fa287
SSDEEP: 12288:bpyJcC+fb1lvbcLmmJQT3P4CRd/cTB0KQ:1wd+fYfQ7wCfF
Malware Config
Extracted
quasar
3.1.5
SLAVE
even-lemon.gl.at.ply.gg:33587
$Sxr-IGnkORFTlshRl7BdTw
encryption_key: qHr8UzWIhPL7H0benjKW
install_name: $sxr-powershell.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Discord
subdirectory: $77
Targets
Target: Uni.bat
Size: 409KB
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext