Overview

overview

10

Static

static

1

Uni.bat

windows10-1703-x64

10

Uni.bat

windows10-2004-x64

10

Uni.bat

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Uni.bat

  • Size

    12.6MB

  • Sample

    240525-ttpzmaac9v

  • MD5

    898f49c739026123b6a3811fa31abe70

  • SHA1

    31ff6036b40d70d21cb1c4c0163cba0d4c720551

  • SHA256

    78b0a14a882dec287c0dc5a294ad02a4a5aaa0d130839d49f282c7d61069471f

  • SHA512

    a9aa2bf15db84361f315156ee6386cac49c14c2449a72e2f50b2e0b8d100781019c246c03a38a37d5dfc71a7c1c5451457faba074d1a875cab615ecb8d3e453d

  • SSDEEP

    49152:sW7ldCjqzV0qZpSjVbHDGYxqXTQPJee/X5nerh1gnfFijx6ygGSPlPNEIKlfuK1u:i

Score
10/10
quasarv2.2.5 | seroxenspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v2.2.5 | SeroXen

C2

kimsoylak.ddns.net:4782

Mutex

2cc9d61f-950d-4f23-b7d5-45d9dda2f256

Attributes
  • encryption_key

    F467D794B2E1081B6AD1EAD5813AFA74F053248D

  • install_name

    .exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    1

Targets

    • Target

      Uni.bat

    • Size

      12.6MB

    • MD5

      898f49c739026123b6a3811fa31abe70

    • SHA1

      31ff6036b40d70d21cb1c4c0163cba0d4c720551

    • SHA256

      78b0a14a882dec287c0dc5a294ad02a4a5aaa0d130839d49f282c7d61069471f

    • SHA512

      a9aa2bf15db84361f315156ee6386cac49c14c2449a72e2f50b2e0b8d100781019c246c03a38a37d5dfc71a7c1c5451457faba074d1a875cab615ecb8d3e453d

    • SSDEEP

      49152:sW7ldCjqzV0qZpSjVbHDGYxqXTQPJee/X5nerh1gnfFijx6ygGSPlPNEIKlfuK1u:i

    Score
    10/10
    quasarv2.2.5 | seroxenspywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Discovery

Query Registry

5
T1012

System Information Discovery

5
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks