Overview

overview

10

Static

static

1

XenisHub.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XenisHub.bat

  • Size

    1.7MB

  • Sample

    240520-mttt9agg3w

  • MD5

    a86b86c2e7182356c6149674ddc26848

  • SHA1

    322292824444ca6a442f881498baac17506eea34

  • SHA256

    918a07427a6aa97d1f0480a654547fcaf7185228c6bc41d88b19dd740cf4d036

  • SHA512

    2111dd5b4b2ab69980ec8b8a851c2ca29aa97a14585535ff2af1b70432f741126578db5f6c50f8cd3623a7f6a27a8fb4ef8275a536b67415abba24dec7f5e3a9

  • SSDEEP

    24576:2b0CZMqoDtzIt2Ipwh+o4w8VV3fgRihOuReKlOX1+ZfHR9QaAHfimfoK6+nZq:2PcY2lMtYXQZg2

Score
10/10
quasarslavecollectionexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.0.0

Botnet

SLAVE

C2

193.34.77.188:6969

Mutex

709ae576-840d-4df5-9c14-3fb7e062cf25

Attributes
  • encryption_key

    8B3D2D2549599D0ED109F63D47FFC788BAA34A06

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Ruthless Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      XenisHub.bat

    • Size

      1.7MB

    • MD5

      a86b86c2e7182356c6149674ddc26848

    • SHA1

      322292824444ca6a442f881498baac17506eea34

    • SHA256

      918a07427a6aa97d1f0480a654547fcaf7185228c6bc41d88b19dd740cf4d036

    • SHA512

      2111dd5b4b2ab69980ec8b8a851c2ca29aa97a14585535ff2af1b70432f741126578db5f6c50f8cd3623a7f6a27a8fb4ef8275a536b67415abba24dec7f5e3a9

    • SSDEEP

      24576:2b0CZMqoDtzIt2Ipwh+o4w8VV3fgRihOuReKlOX1+ZfHR9QaAHfimfoK6+nZq:2PcY2lMtYXQZg2

    Score
    10/10
    quasarslavecollectionexecutionspywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks