General
Target: Uni.bat
Size: 303KB
Sample: 240508-vm1cfsgh72
MD5: 12721198b3fa1b9839df22c9297e663f
SHA1: 2f8d976de00df2fdfda36441d019545659686d88
SHA256: 0ad330a4fbc8885fcfe1f2eebf36a408738672b98a03baff58ffc475d314f31f
SHA512: 613d63deead400ba450577335589d14f428ed59a7910f8d28f869117abed912cfaeac32a50ed5a7d518a884623eb88b23dc3784dd42062a40597b62f9fb3bdbd
SSDEEP: 6144:ErUy5osDY/LW3as3lsvN1yq9OJO7UBlaOjQS7GVhwl:25op6jlsv6JO7UBAOjOhg
Static task: static1
Behavioral task: behavioral1
  Sample: Uni.bat
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: Uni.bat
  Resource: win7-20240419-en
Behavioral task: behavioral3
  Sample: Uni.bat
  Resource: win10v2004-20240508-en
Malware Config
Extracted family: quasar
Version: 3.1.5
Campaign/ID: SLAVE
C2: even-lemon.gl.at.ply.gg:33587
Mutex: $Sxr-dOMA5C0pQTTpKjVsCp
encryption_key: UBXs44u6E81wxBGZxQHk
install_name: $sxr-powershell.exe
log_directory: $SXR-KEYLOGS
reconnect_delay: 3000
startup_key: $sxr-powershell
subdirectory: $sxr-seroxen2
Targets
Target: Uni.bat
Signatures
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext