General

Target: Uni.bat
Size: 670KB
Sample: 240508-vtaelshb45
MD5: 6a80458e28d1386f08bbd333e223ec19
SHA1: 77ab8b6fa59cc618bf4a5e7f52ffcd8f5c9656a8
SHA256: 8711245a4e790f4e757f4657e0edd3ff36cd767293e60b56d8e8501bca9c8a3d
SHA512: e6db2882538d6b563aaeb8df1831ea8c90dd37242fe686e9ab0b80f9c397bdfdf3596b28b036ac9308c456257e7a3cc607657c4e98853647e85d23f8b1588d81
SSDEEP: 12288:3X+4dH3qy2pEKjy2YkbOtscQeH8XDYTDL832UtYnUg3:H+4dH3enjy2ZbOzTceUq
Tasks

Static task: static1
Behavioral task: behavioral1 (sample Uni.bat, resource win7-20240508-en)
Behavioral task: behavioral2 (sample Uni.bat, resource win10-20240404-en)
Behavioral task: behavioral3 (sample Uni.bat, resource win10v2004-20240508-en)
Malware Config

Extracted family: quasar
Version: 3.1.5
Tag: SLAVE
C2: even-lemon.gl.at.ply.gg:33587
Mutex: $Sxr-dOMA5C0pQTTpKjVsCp
encryption_key: UBXs44u6E81wxBGZxQHk
install_name: $sxr-powershell.exe
log_directory: $SXR-KEYLOGS
reconnect_delay: 3000 (ms)
startup_key: $sxr-powershell
subdirectory: $sxr-seroxen2

Two things in this config matter for hunting beyond the raw values. The consistent "$sxr-" prefix on the install name, startup key, log directory, subdirectory and mutex, together with the "seroxen2" subdirectory name, is the naming convention of the Seroxen fork of Quasar, so the usual Quasar IOC lists (default mutex GUIDs, "Client.exe") will not match this build; hunt on the "$sxr-" prefix instead. The C2 hostname is under ply.gg, the tunnel domain of the playit.gg service, which is the "legitimate hosting service abused for C2" the signatures below refer to; the operator's real address is behind the tunnel, so block the hostname and port rather than the resolved IP.
Targets

Target: Uni.bat, 670KB (same file and hashes as in General above)
Signatures

- Quasar payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
  Both indicate a process created under a parent other than the caller (parent PID spoofing), so the process tree in EDR telemetry will not show the batch file or its cmd.exe as the parent of the payload.
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments (virtualisation vendors' strings in manufacturer and version fields).
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
  The C2 in the extracted config is a ply.gg (playit.gg) tunnel hostname.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
  Commonly part of process hollowing or thread hijacking: a new thread context is written into another process so that execution continues in injected code.
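The extracted config and the behavioural signatures above translate directly into host-hunting logic. The following is an added example written for this page (not the sandbox's output and not code from the sample): a handful of rules that walk simplified Sysmon-style events and report which indicators fire. The event dicts are constructed for the example; the BIOS registry path is an assumption, since the report only says the sample "checks BIOS information in registry"; and the placement of the $sxr-seroxen2 folder under System32 in the sample events is constructed from the "Drops file in System32 directory" signature, not observed in the report.

```python
"""Hunt for the Quasar/Seroxen indicators from the report in Sysmon-style events.

Added example for this page; not the sandbox's or the sample's code.
Event shapes are simplified Sysmon fields. BIOS_KEY is an assumption: the
report only says "checks BIOS information in registry" and does not name the key.
"""

# Indicators copied from the extracted Quasar config above.
C2_HOST = "even-lemon.gl.at.ply.gg"
C2_PORT = 33587
STARTUP_KEY = "$sxr-powershell"
INSTALL_NAME = "$sxr-powershell.exe"
SUBDIRECTORY = "$sxr-seroxen2"
MUTEX = "$Sxr-dOMA5C0pQTTpKjVsCp"   # not visible in Sysmon; useful for memory/host forensics

# Assumption: the key commonly read for sandbox fingerprinting. Not stated in the report.
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\System\BIOS"


def _norm(path: str) -> str:
    """Lower-case and unify separators so rules are case- and slash-insensitive."""
    return path.replace("/", "\\").lower()


def rule_run_key_persistence(ev: dict) -> bool:
    # Quasar's startup_key becomes a value name under ...\CurrentVersion\Run.
    if ev.get("EventType") != "RegistrySet":
        return False
    target = _norm(ev.get("TargetObject", ""))
    return target.endswith("\\currentversion\\run\\" + STARTUP_KEY.lower())


def rule_dropped_exe_execution(ev: dict) -> bool:
    # install_name launched from the subdirectory named in the config.
    if ev.get("EventType") != "ProcessCreate":
        return False
    image = _norm(ev.get("Image", ""))
    return image.endswith("\\" + SUBDIRECTORY.lower() + "\\" + INSTALL_NAME.lower())


def rule_c2_connection(ev: dict) -> bool:
    # Exact C2 host, or the configured port on any other playit.gg tunnel hostname
    # (operators rotate the tunnel name more easily than the client port).
    if ev.get("EventType") != "NetworkConnect":
        return False
    host = ev.get("DestinationHostname", "").lower()
    port = ev.get("DestinationPort")
    return host == C2_HOST or (port == C2_PORT and host.endswith(".ply.gg"))


def rule_bios_sandbox_check(ev: dict) -> bool:
    if ev.get("EventType") != "RegistryQuery":
        return False
    return _norm(ev.get("TargetObject", "")).startswith(_norm(BIOS_KEY))


def rule_sxr_prefixed_file(ev: dict) -> bool:
    # Every path in the config carries the "$sxr-" prefix; flag dropped files that do too.
    if ev.get("EventType") != "FileCreate":
        return False
    parts = _norm(ev.get("TargetFilename", "")).split("\\")
    return any(p.startswith("$sxr-") for p in parts)


RULES = {
    "run_key_persistence": rule_run_key_persistence,
    "dropped_exe_execution": rule_dropped_exe_execution,
    "c2_connection": rule_c2_connection,
    "bios_sandbox_check": rule_bios_sandbox_check,
    "sxr_prefixed_file": rule_sxr_prefixed_file,
}


def hunt(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule_name, event_index) for every rule that fires on an event."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, idx))
    return hits


# Constructed, simplified Sysmon-style events for the example (not sandbox telemetry).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c ""C:\Users\victim\Downloads\Uni.bat""'},
    {"EventType": "RegistryQuery",
     "TargetObject": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"EventType": "FileCreate",
     "TargetFilename": r"C:\Windows\System32\$sxr-seroxen2\$sxr-powershell.exe"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\$sxr-seroxen2\$sxr-powershell.exe"},
    {"EventType": "RegistrySet",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\$sxr-powershell",
     "Details": r"C:\Windows\System32\$sxr-seroxen2\$sxr-powershell.exe"},
    {"EventType": "NetworkConnect", "DestinationHostname": "even-lemon.gl.at.ply.gg",
     "DestinationPort": 33587},
    # Benign look-alikes that must not fire:
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventType": "RegistrySet",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"EventType": "NetworkConnect", "DestinationHostname": "www.microsoft.com",
     "DestinationPort": 443},
]

if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS):
        print(f"{name:24} event[{idx}] {SAMPLE_EVENTS[idx]['EventType']}")
```

The rules deliberately key on the config's own naming ("$sxr-" prefix, "$sxr-seroxen2", the startup value name) rather than on generic Quasar defaults, because this build overrides all of them; the genuine powershell.exe and the OneDrive Run value in the sample events show that the prefix match does not catch the legitimate look-alikes the malware is imitating.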