Resubmissions

10-05-2024 16:59

240510-vhw48sba59 10

08-05-2024 18:24

240508-w2gz4aha3z 10

08-05-2024 17:08

240508-vnlkpagh86 10

General

  • Target

    Uni.bat

  • Size

    301KB

  • Sample

    240508-vnlkpagh86

  • MD5

    1f089d9bb03dad6a421dc626a1a1388d

  • SHA1

    44b708c87c743b09c3380427aa0c64e196438d76

  • SHA256

    d1c5a6ee28141a729b788a725748d718c2cf26d6cf66c19a524072eeb03cf334

  • SHA512

    fd6c6e5588e588e482a15bfe7a5f4608fe85452916b812319336bf422b07a3f76ef7415b64d99bc7f624e57aa362c388576db529e064a3dfbbc4ec01aebec324

  • SSDEEP

    6144:UDAQODtb/MLJcwze2hz1uQ1VEqPfvBaidW+wYHlad/vb7V1:UDROhbMNcE7hv1VLZtMTK+/jJ1

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SLAVE

C2

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-dOMA5C0pQTTpKjVsCp

Attributes
  • encryption_key

    UBXs44u6E81wxBGZxQHk

  • install_name

    $sxr-powershell.exe

  • log_directory

    $SXR-KEYLOGS

  • reconnect_delay

    3000

  • startup_key

    $sxr-powershell

  • subdirectory

    $sxr-seroxen2

Targets

    • Target

      Uni.bat

    • Size

      301KB

    • MD5

      1f089d9bb03dad6a421dc626a1a1388d

    • SHA1

      44b708c87c743b09c3380427aa0c64e196438d76

    • SHA256

      d1c5a6ee28141a729b788a725748d718c2cf26d6cf66c19a524072eeb03cf334

    • SHA512

      fd6c6e5588e588e482a15bfe7a5f4608fe85452916b812319336bf422b07a3f76ef7415b64d99bc7f624e57aa362c388576db529e064a3dfbbc4ec01aebec324

    • SSDEEP

      6144:UDAQODtb/MLJcwze2hz1uQ1VEqPfvBaidW+wYHlad/vb7V1:UDROhbMNcE7hv1VLZtMTK+/jJ1

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

2
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Discovery

Query Registry

6
T1012

System Information Discovery

6
T1082

Peripheral Device Discovery

2
T1120

Command and Control

Web Service

1
T1102

Tasks