General

  • Target

    Uni.bat

  • Size

    515KB

  • Sample

    240514-3lx5pseb2v

  • MD5

    4c2a3be3d5c9464eb441677e41f44fd8

  • SHA1

    c826034a0882d21a39056d745e88622ee9698343

  • SHA256

    45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7

  • SHA512

    ccf12f0e439393f4fef5531ef89a62411feeaed9d7f0751e9e4c5fb366d1cd0059a11e0a12002b851ff138701f69d65ce7ad69f1bcb6e3944481311311c8f27c

  • SSDEEP

    12288:OOCZeIh9XQFAbCbtqTUGLYPSow/QWEO2b:4zh9+3tZGEw/b2b

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SLAVE

C2

review-tops.gl.at.ply.gg:48212

Mutex

$Sxr-IGnkORFTlshRl7BdTw

Attributes
  • encryption_key

    YDmRBA8wExjQkYgGrHhN

  • install_name

    $sxr-powershell.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Discord

  • subdirectory

    $77

Targets

    • Target

      Uni.bat

    • Size

      515KB

    • MD5

      4c2a3be3d5c9464eb441677e41f44fd8

    • SHA1

      c826034a0882d21a39056d745e88622ee9698343

    • SHA256

      45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7

    • SHA512

      ccf12f0e439393f4fef5531ef89a62411feeaed9d7f0751e9e4c5fb366d1cd0059a11e0a12002b851ff138701f69d65ce7ad69f1bcb6e3944481311311c8f27c

    • SSDEEP

      12288:OOCZeIh9XQFAbCbtqTUGLYPSow/QWEO2b:4zh9+3tZGEw/b2b

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Discovery

Query Registry

6
T1012

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Command and Control

Web Service

1
T1102

Tasks