General

  • Target

    Unitiy.bat

  • Size

    328KB

  • Sample

    240510-hnpacscd33

  • MD5

    0ee7c57f11c57b122e268d622f5dacf7

  • SHA1

    c8b8f2d4c5c2af87fce179b8149269a0a1f5d2f8

  • SHA256

    5923602664aeb453ef6ec843060247a9385fc30f4c5b6e800f4c7c2fc6d4981a

  • SHA512

    11ce15fb526918986493f94003f209da35fe3fff3204fce9b78aa726dfa1d78351fb83f3d21e42bb91409b51db44f7f27c4b8743ae05179dcd204ebb32597496

  • SSDEEP

    6144:gmnSwi3zx5ZsDcPzqu65BeZ0qGs0ZODo9/vZdgK1uXVI:gm6zx5qYPzqd5hC0ZzuXVI

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

looking-memphis.gl.at.ply.gg:45119

Mutex

$Sxr-3vDee7FzoJnhqjuE3n

Attributes
  • encryption_key

    bjv1MgUogo1kl6Tra7jd

  • install_name

    $srr-powershell.exe

  • log_directory

    Logs

  • reconnect_delay

    1000

  • startup_key

    $srr-powershell

  • subdirectory

    Windows

Targets

    • Target

      Unitiy.bat

    • Size

      328KB

    • MD5

      0ee7c57f11c57b122e268d622f5dacf7

    • SHA1

      c8b8f2d4c5c2af87fce179b8149269a0a1f5d2f8

    • SHA256

      5923602664aeb453ef6ec843060247a9385fc30f4c5b6e800f4c7c2fc6d4981a

    • SHA512

      11ce15fb526918986493f94003f209da35fe3fff3204fce9b78aa726dfa1d78351fb83f3d21e42bb91409b51db44f7f27c4b8743ae05179dcd204ebb32597496

    • SSDEEP

      6144:gmnSwi3zx5ZsDcPzqu65BeZ0qGs0ZODo9/vZdgK1uXVI:gm6zx5qYPzqd5hC0ZzuXVI

    • Quasar RAT

Quasar is an open-source .NET remote access tool.

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

Runs PowerShell with the display window hidden.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

BIOS information is often read from the registry to fingerprint sandboxes and virtual machines.

    • Checks computer location settings

Looks up the country code configured in the registry, likely a geofencing check.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
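
The extracted config above (C2 host and port, mutex, startup_key, install_name, subdirectory) and the behaviours listed under Targets are enough to hunt for this sample on other hosts. The script below is an added example and is not part of the sandbox report or Quasar's own code: it takes the IOC values exactly as they appear on this page and runs them over constructed telemetry (Sysmon-like network events, a reg.exe-style Run-key export, a file listing and a handle listing), whose line formats are assumptions. Two points the page's config implies and the code reflects: the C2 hostname is a tunnel subdomain, so the resolved IP is a shared endpoint and the match is on the name plus port; and the page does not give the install base directory, so only the `<subdirectory>\<install_name>` suffix is matched.

```python
"""
Hunting for the Quasar artifacts extracted in this report.

Added example, not part of the sandbox report and not Quasar's own code.
IOC values come from the page; the telemetry lines below are constructed
and their formats are assumptions.
"""
import re
from dataclasses import dataclass

# Indicators from the extracted config on this page.
C2_HOST = "looking-memphis.gl.at.ply.gg"   # tunnel hostname: match the name, not a resolved IP
C2_PORT = 45119
MUTEX = "$Sxr-3vDee7FzoJnhqjuE3n"
STARTUP_KEY = "$srr-powershell"            # Run-key value name
INSTALL_NAME = "$srr-powershell.exe"
SUBDIRECTORY = "Windows"                   # base install directory is not on the page,
                                           # so only the <subdirectory>\<install_name> suffix is matched


@dataclass(frozen=True)
class Hit:
    source: str
    indicator: str
    line: str


_HOSTPORT = re.compile(r"(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})\b")


def scan_network(lines):
    """Flag connections to the configured C2 host AND port (port alone is too noisy)."""
    hits = []
    for line in lines:
        for m in _HOSTPORT.finditer(line):
            if m.group("host").lower() == C2_HOST and int(m.group("port")) == C2_PORT:
                hits.append(Hit("network", f"{C2_HOST}:{C2_PORT}", line))
    return hits


def scan_registry(lines):
    """Flag Run-key entries carrying the configured startup_key (registry names are case-insensitive)."""
    hits = []
    for line in lines:
        low = line.lower()
        if "\\currentversion\\run" in low and STARTUP_KEY.lower() in low:
            hits.append(Hit("registry", STARTUP_KEY, line))
    return hits


def scan_files(lines):
    """Flag paths ending in <subdirectory>\\<install_name>, whatever the base directory."""
    suffix = f"\\{SUBDIRECTORY}\\{INSTALL_NAME}".lower()
    return [Hit("file", suffix, l) for l in lines if suffix in l.lower()]


def scan_mutexes(lines):
    """Flag the configured mutex; named kernel objects compare case-sensitively, so no lowercasing."""
    return [Hit("mutex", MUTEX, l) for l in lines if MUTEX in l]


def hunt(telemetry):
    """telemetry: dict with optional keys network/registry/files/mutexes -> list[str]."""
    hits = []
    hits += scan_network(telemetry.get("network", []))
    hits += scan_registry(telemetry.get("registry", []))
    hits += scan_files(telemetry.get("files", []))
    hits += scan_mutexes(telemetry.get("mutexes", []))
    return hits


# Constructed sample telemetry (not from the report): one true positive per source plus benign noise.
SAMPLE_TELEMETRY = {
    "network": [
        r"EventID=3 Image=C:\Windows\$srr-powershell.exe Dst=looking-memphis.gl.at.ply.gg:45119",
        r"EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe Dst=example.com:443",
        r"EventID=3 Image=C:\Windows\System32\svchost.exe Dst=looking-memphis.gl.at.ply.gg:443",
    ],
    "registry": [
        r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run  $srr-powershell  REG_SZ  "C:\Windows\$srr-powershell.exe"',
        r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run  OneDrive  REG_SZ  "C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"',
    ],
    "files": [
        r"C:\Windows\$srr-powershell.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    ],
    "mutexes": [
        r"Mutant \Sessions\1\BaseNamedObjects\$Sxr-3vDee7FzoJnhqjuE3n",
        r"Mutant \Sessions\1\BaseNamedObjects\$sxr-3vdee7fzojnhqjue3n",   # wrong case: not a match
    ],
}

if __name__ == "__main__":
    for h in hunt(SAMPLE_TELEMETRY):
        print(f"[{h.source}] {h.indicator}: {h.line}")
```

Feed it real exports instead of the constructed lists: Sysmon event 3 records for the network key, a `reg query ...\CurrentVersion\Run` dump for the registry key, and a handle listing for the mutex key. Because the page's reconnect_delay is 1000 ms, a host that is beaconing will show the C2 host:port repeatedly, so the network scanner is the one to run first.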

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic               Technique                           Count  ID
  Execution            Command and Scripting Interpreter   1      T1059
  Execution            PowerShell                          1      T1059.001
  Defense Evasion      Subvert Trust Controls              1      T1553
  Defense Evasion      Install Root Certificate            1      T1553.004
  Defense Evasion      Modify Registry                     1      T1112
  Discovery            Query Registry                      4      T1012
  Discovery            System Information Discovery        5      T1082
  Discovery            Peripheral Device Discovery         1      T1120
  Command and Control  Web Service                         1      T1102

  Count is the number of matched behaviours the sandbox attributed to each technique.
