Overview

overview

10

Static

static

1

$sxr-Uni.bat

windows10-1703-x64

10

$sxr-Uni.bat

windows10-2004-x64

10

$sxr-Uni.bat

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    $sxr-Uni.bat

  • Size

    723KB

  • Sample

    240602-rz1l7seg9t

  • MD5

    beb1362e7de769ce5332ea614d48b508

  • SHA1

    3b8db446968c37b66df57c21868331ae2a63d716

  • SHA256

    3785896edb293ff81a5d511d761602739e712118aaf8e5e78986e389eb8cbd25

  • SHA512

    8a52b4e50d49498288da73fe2b0ea12d67a0fadda4697b6adb6151cd65c33fddf3d4829d3fdda1dea56b65c7f5b7abe0bd20452ba40f7d3f2fcd4b8d69bc6830

  • SSDEEP

    12288:e8vdejMeNYAAibWDLHPZyYNnOXydab+vGrtdF6YZ4J4H1EmpyL1IuHpk8:eAdeVwDLvDNOXyd0xdz4J4H1E9L1I0

Score
10/10
quasarseroxen | v3.1.5 |executionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen | v3.1.5 |

C2

runderscore00-61208.portmap.host:61208

Mutex

$Sxr-jy6vh8CtEJL5ceZuIb

Attributes
  • encryption_key

    Q6KDujSVF3q2D64a3maQ

  • install_name

    $sxr-powershell.exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    3000

  • startup_key

    Powershell

  • subdirectory

    $sxr-seroxen2

Targets

    • Target

      $sxr-Uni.bat

    • Size

      723KB

    • MD5

      beb1362e7de769ce5332ea614d48b508

    • SHA1

      3b8db446968c37b66df57c21868331ae2a63d716

    • SHA256

      3785896edb293ff81a5d511d761602739e712118aaf8e5e78986e389eb8cbd25

    • SHA512

      8a52b4e50d49498288da73fe2b0ea12d67a0fadda4697b6adb6151cd65c33fddf3d4829d3fdda1dea56b65c7f5b7abe0bd20452ba40f7d3f2fcd4b8d69bc6830

    • SSDEEP

      12288:e8vdejMeNYAAibWDLHPZyYNnOXydab+vGrtdF6YZ4J4H1EmpyL1IuHpk8:eAdeVwDLvDNOXyd0xdz4J4H1E9L1I0

    Score
    10/10
    quasarseroxen | v3.1.5 |executionspywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3

MITRE ATT&CK Enterprise v15

Tasks