General

  • Target

    Uni.bat

  • Size

    513KB

  • Sample

    240514-y9ntqafa2x

  • MD5

    2f2f86a8f6be8fa6b37bd49bcd660a75

  • SHA1

    f7006941a8cbf7a663e9fa379f75ccd5afedd730

  • SHA256

    3798ed2ce7d93b63c0e5670d610809c6b73ddf556968b58446ae8b62c027354c

  • SHA512

    5f253dd977ff725bab54ddd45bcdbd213587b55a376446a9db2c68bc097e97ad7a61019156449f65e329b9b51f8de3dfa077aa093787fc037d1c5c92252334fb

  • SSDEEP

    12288:CnVOnWW4/Qczes8bGOvfKS2k3+0RVNN0VVjKgGt:CnVOno/QcN8bG4fKHkBRVn4KR

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SLAVE

C2

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-AidubAN29rBfWYM23w

Attributes
  • encryption_key

    GNF1G2eu7MrbS69M7a4f

  • install_name

    Client.exe

  • log_directory

    $SXR-LOGS

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      Uni.bat

    • Size

      513KB

    • MD5

      2f2f86a8f6be8fa6b37bd49bcd660a75

    • SHA1

      f7006941a8cbf7a663e9fa379f75ccd5afedd730

    • SHA256

      3798ed2ce7d93b63c0e5670d610809c6b73ddf556968b58446ae8b62c027354c

    • SHA512

      5f253dd977ff725bab54ddd45bcdbd213587b55a376446a9db2c68bc097e97ad7a61019156449f65e329b9b51f8de3dfa077aa093787fc037d1c5c92252334fb

    • SSDEEP

      12288:CnVOnWW4/Qczes8bGOvfKS2k3+0RVNN0VVjKgGt:CnVOno/QcN8bG4fKHkBRVn4KR

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Discovery

Query Registry

5
T1012

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Command and Control

Web Service

1
T1102

Tasks