General
Target: $sxr-Uni.bat
Size: 723KB
Sample: 240602-rz1l7seg9t
MD5: beb1362e7de769ce5332ea614d48b508
SHA1: 3b8db446968c37b66df57c21868331ae2a63d716
SHA256: 3785896edb293ff81a5d511d761602739e712118aaf8e5e78986e389eb8cbd25
SHA512: 8a52b4e50d49498288da73fe2b0ea12d67a0fadda4697b6adb6151cd65c33fddf3d4829d3fdda1dea56b65c7f5b7abe0bd20452ba40f7d3f2fcd4b8d69bc6830
SSDEEP: 12288:e8vdejMeNYAAibWDLHPZyYNnOXydab+vGrtdF6YZ4J4H1EmpyL1IuHpk8:eAdeVwDLvDNOXyd0xdz4J4H1E9L1I0
Static task: static1
Behavioral task: behavioral1 (Sample: $sxr-Uni.bat, Resource: win10-20240404-en)
Behavioral task: behavioral2 (Sample: $sxr-Uni.bat, Resource: win10v2004-20240426-en)
Behavioral task: behavioral3 (Sample: $sxr-Uni.bat, Resource: win11-20240508-en)
Malware Config
Extracted: quasar
3.1.5
SeroXen | v3.1.5 |
runderscore00-61208.portmap.host:61208
$Sxr-jy6vh8CtEJL5ceZuIb
encryption_key: Q6KDujSVF3q2D64a3maQ
install_name: $sxr-powershell.exe
log_directory: $sxr-Logs
reconnect_delay: 3000
startup_key: Powershell
subdirectory: $sxr-seroxen2
Targets
Target: $sxr-Uni.bat
Size: 723KB
MD5: beb1362e7de769ce5332ea614d48b508
SHA1: 3b8db446968c37b66df57c21868331ae2a63d716
SHA256: 3785896edb293ff81a5d511d761602739e712118aaf8e5e78986e389eb8cbd25
SHA512: 8a52b4e50d49498288da73fe2b0ea12d67a0fadda4697b6adb6151cd65c33fddf3d4829d3fdda1dea56b65c7f5b7abe0bd20452ba40f7d3f2fcd4b8d69bc6830
SSDEEP: 12288:e8vdejMeNYAAibWDLHPZyYNnOXydab+vGrtdF6YZ4J4H1EmpyL1IuHpk8:eAdeVwDLvDNOXyd0xdz4J4H1E9L1I0
Score: 10/10
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext