General

  • Target

    Fixer-obf (1).bat

  • Size

    24KB

  • Sample

    240512-w9w4zsde75

  • MD5

    03361badff8e7ecad39acd34f5f14749

  • SHA1

    c023fd9bd854f59f527141824e8fa6a311a57858

  • SHA256

    3026eb3fcde09d0d4e0695b3f74cb420b1e9d64b30c1ced3ed6a20f085a34d51

  • SHA512

    796e7466d4af6e2d52bc265b6a9d0881989cebd52ff6c6bae8d3817db61f50dc26e5982a6eb5fe16bf4e7d5cf3aa09a5a33e35c51c94a58d32438684fb88f979

  • SSDEEP

    384:UOpRAoUR7FKSVwpehr0kqTdyUO0OPniIjSFI:zpRrURhKKEehr0kqTIUO0OPnih+

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

RPad

C2

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-okPqrmZ8kNVUcS4Rp0

Attributes
  • encryption_key

    XmcBnPuLlN1e8SHIRR1z

  • install_name

    $sxr-powershell.exe

  • log_directory

    $SXR-LOGS

  • reconnect_delay

    3000

  • startup_key

    $sxr-powershell

  • subdirectory

    $sxr-seroxen2

Targets

    • Target

      Fixer-obf (1).bat

    • Size

      24KB

    • MD5

      03361badff8e7ecad39acd34f5f14749

    • SHA1

      c023fd9bd854f59f527141824e8fa6a311a57858

    • SHA256

      3026eb3fcde09d0d4e0695b3f74cb420b1e9d64b30c1ced3ed6a20f085a34d51

    • SHA512

      796e7466d4af6e2d52bc265b6a9d0881989cebd52ff6c6bae8d3817db61f50dc26e5982a6eb5fe16bf4e7d5cf3aa09a5a33e35c51c94a58d32438684fb88f979

    • SSDEEP

      384:UOpRAoUR7FKSVwpehr0kqTdyUO0OPniIjSFI:zpRrURhKKEehr0kqTIUO0OPnih+

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Downloads MZ/PE file

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks