General

  • Target

    sxr-Uni.bat

  • Size

    1004KB

  • Sample

    240521-zd1dbahe76

  • MD5

    87135909ef2fbb7168cd05d0e39fa129

  • SHA1

    1c2a864813a5cf5fb12a3e92f80c8ea90b5d7799

  • SHA256

    38050d3e9a2d09088d05a9a586ad93d139c84439ae995d42cbbaed70fdd77ea7

  • SHA512

    93475323429a7084902ba12d8ae8ba006de046dfcce62d7acd219f4ec856e561b3f1b036661a52de1950359a61dc1dd8fc52c8b3ea8e1756be04ae0a071ac547

  • SSDEEP

    24576:Aj9+DnG6YVMFMTnd9x6osRvWc2mjJRiW7+wjHRjX:NGppndjT6dxjX

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

uk2.localto.net:3362

Mutex

$Sxr-CHcUwDREE2aL5huOTd

Attributes
  • encryption_key

    8v1KwkaFypjEiZ1Virk0

  • install_name

    Client.exe

  • log_directory

    $sxr-cmd

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      sxr-Uni.bat

    • Size

      1004KB

    • MD5

      87135909ef2fbb7168cd05d0e39fa129

    • SHA1

      1c2a864813a5cf5fb12a3e92f80c8ea90b5d7799

    • SHA256

      38050d3e9a2d09088d05a9a586ad93d139c84439ae995d42cbbaed70fdd77ea7

    • SHA512

      93475323429a7084902ba12d8ae8ba006de046dfcce62d7acd219f4ec856e561b3f1b036661a52de1950359a61dc1dd8fc52c8b3ea8e1756be04ae0a071ac547

    • SSDEEP

      24576:Aj9+DnG6YVMFMTnd9x6osRvWc2mjJRiW7+wjHRjX:NGppndjT6dxjX

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks