Overview

overview

10

Static

static

1

ph-built.bat

windows10-2004-x64

10

Resubmissions

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ph-built.bat

  • Size

    1.8MB

  • Sample

    240516-1zrhzaag4z

  • MD5

    0cfde5f3d067a40a7b71b31908b2481e

  • SHA1

    07cbe278c23aa952df7e6586c4a2d96f7f9790c0

  • SHA256

    4176439841661918bf89362d649b1752957aa03f73791d13190281dd438c45a0

  • SHA512

    c3e965700aceb9098d80194ceeef894205152991b202964b3b4f4fbb3c5c7d18a2b2b09cf73ab0e5c5572fdc65f83371f87b1b91a9f89cc0399c9437244599fe

  • SSDEEP

    24576:2U0bAC3jL1tQiWuxBJ+F6mUgR5RgcnABDjn2ayKHvXfhu47LFsF4bno4+m3ypip2:mf5WWJcxguAFKaE4li4RXsD

Score
10/10
quasarphantomexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Phantom

C2

even-lemon.gl.at.ply.gg:33587

Mutex

db128a32-6a0f-4592-bc4d-39d508fbe456

Attributes
  • encryption_key

    04017BC2FE671A38FED74363CF7D888C6B8DA217

  • install_name

    $phantom-powershell.exe

  • log_directory

    PHANTOM

  • reconnect_delay

    3000

  • startup_key

    $phantom-powershell

  • subdirectory

    $phantom-phantom2

Targets

    • Target

      ph-built.bat

    • Size

      1.8MB

    • MD5

      0cfde5f3d067a40a7b71b31908b2481e

    • SHA1

      07cbe278c23aa952df7e6586c4a2d96f7f9790c0

    • SHA256

      4176439841661918bf89362d649b1752957aa03f73791d13190281dd438c45a0

    • SHA512

      c3e965700aceb9098d80194ceeef894205152991b202964b3b4f4fbb3c5c7d18a2b2b09cf73ab0e5c5572fdc65f83371f87b1b91a9f89cc0399c9437244599fe

    • SSDEEP

      24576:2U0bAC3jL1tQiWuxBJ+F6mUgR5RgcnABDjn2ayKHvXfhu47LFsF4bno4+m3ypip2:mf5WWJcxguAFKaE4li4RXsD

    Score
    10/10
    quasarphantomexecutionspywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks