General

  • Target

    Fix.bat

  • Size

    513KB

  • Sample

    240514-1ldd7ahg4x

  • MD5

    a84be587721ab2558489178539f283e6

  • SHA1

    5a48f5c98f7366d13f371965c19c98a5754bd90b

  • SHA256

    32cfb4e83f43787c79ef6a15bef53137a0e9a6d6d558ef1532993fb8369cc8fd

  • SHA512

    c1c4e35246c39f3e710cbd261187c7968d75c65fd1c4b96f6caa6ddec1484ca42f2431f4184ec0061cd7b2e0d3478db993f88a043106f0ce9d7ae859c3f5f931

  • SSDEEP

    12288:PlknMJu9SVaydjmxZ8yeMfd0dwOk6VWX0sQFjh80wszzd0VmONTlomwcuz:q6uidS6MdIdVWksQFjS0bzzOY+oX5z

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SLAVE

C2

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-AidubAN29rBfWYM23w

Attributes
  • encryption_key

    GNF1G2eu7MrbS69M7a4f

  • install_name

    Client.exe

  • log_directory

    $SXR-LOGS

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      Fix.bat

    • Size

      513KB

    • MD5

      a84be587721ab2558489178539f283e6

    • SHA1

      5a48f5c98f7366d13f371965c19c98a5754bd90b

    • SHA256

      32cfb4e83f43787c79ef6a15bef53137a0e9a6d6d558ef1532993fb8369cc8fd

    • SHA512

      c1c4e35246c39f3e710cbd261187c7968d75c65fd1c4b96f6caa6ddec1484ca42f2431f4184ec0061cd7b2e0d3478db993f88a043106f0ce9d7ae859c3f5f931

    • SSDEEP

      12288:PlknMJu9SVaydjmxZ8yeMfd0dwOk6VWX0sQFjh80wszzd0VmONTlomwcuz:q6uidS6MdIdVWksQFjS0bzzOY+oX5z

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Command and Control

Web Service

1
T1102

Tasks