General
-
Target
Shadow-Stealer.bat
-
Size
12.5MB
-
Sample
240528-k1tfysee89
-
MD5
cf5b412ffc3ce43cd7ddce602fc67f56
-
SHA1
221dfcd0868158f676c472d8a5bcf9647f0c7d51
-
SHA256
84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
-
SHA512
695489d3b02863c382dc4b044bd80825b3f46eadfe4647619a0036da7ab3405b7925e89a457b19ee57995a59dcf8d5f9df237cd4d5d59a6cee3914aeaee2a8ef
-
SSDEEP
49152:mmlB6XvIxKx/znMtw4e/x4dA+ilmm5C5rsw1y1lkGxJW5RXLnfaWixbVoZmb0nYk:b
Static task
static1
Behavioral task
behavioral1
Sample
Shadow-Stealer.bat
Resource
win11-20240508-en
Malware Config
Extracted
quasar
1.0.0.0
v2.2.6 | Tinsler
throbbing-mountain-09011.pktriot.net:22112
167.71.56.116:22112
throbbing-mountain-09011.pktriot.net:5050
cf16a257-7d89-4296-8384-8fca3dbb568f
-
encryption_key
045F98A287DD47B8B5C074D234995A2C5A913042
-
install_name
.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
1000
Targets
-
-
Target
Shadow-Stealer.bat
-
Size
12.5MB
-
MD5
cf5b412ffc3ce43cd7ddce602fc67f56
-
SHA1
221dfcd0868158f676c472d8a5bcf9647f0c7d51
-
SHA256
84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
-
SHA512
695489d3b02863c382dc4b044bd80825b3f46eadfe4647619a0036da7ab3405b7925e89a457b19ee57995a59dcf8d5f9df237cd4d5d59a6cee3914aeaee2a8ef
-
SSDEEP
49152:mmlB6XvIxKx/znMtw4e/x4dA+ilmm5C5rsw1y1lkGxJW5RXLnfaWixbVoZmb0nYk:b
Score10/10-
Quasar payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-