General

  • Target

    Client-built (2).bat

  • Size

    1.6MB

  • Sample

    240511-a75gpaed59

  • MD5

    da7beeb28254ec3bb319060398c5818a

  • SHA1

    99378e5615053698c3adcd02732389dc71d2b2eb

  • SHA256

    d515f6ca3e692713a94fe4066bbba25b4d6157af0606ca17bde5c0d4f3a6e02b

  • SHA512

    7d6322396e8ecbe5e3303dd96cc1a396037d2f7d47b50714725b1138f4fc650b0ccfa1a43dd233703a860c1109a21eba527a1714319f4a08bf1a23d4b9c4a0b2

  • SSDEEP

    24576:W0aS2MAjGvh1FiDkgGi2P6xE/NPe+JXe5PRnr1uyQAI9elDqYemJe+RTeteMuSdb:NaeAjWFb/gEYtX0FmhRpTj0

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SeroXen

C2

127.0.0.1:65362

common-congratulations.gl.at.ply.gg:65362

Mutex

fc4e70a0-8aae-4cde-9ee1-344a509436e2

Attributes

  • encryption_key

    CBC19B9A3E9EB4E5A14FBE92CED9111175A659E7

  • install_name

    $77-$77-powershell.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    $77-$77-powershell.exe

  • subdirectory

    SubDir

Targets

  • Quasar RAT

    Quasar is an open-source Remote Access Tool.

  • Quasar payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Runs PowerShell with the display window hidden.

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext