Overview

overview

10

Static

static

1

srxchost.bat

windows10-1703-x64

10

srxchost.bat

windows7-x64

8

srxchost.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    srxchost.bat

  • Size

    513KB

  • Sample

    240606-pcckraeh67

  • MD5

    e43692fcd393276b26aa7acb8b82b201

  • SHA1

    b9bab6dfd7f592350b8f737bf8b80f0834e1e75d

  • SHA256

    ed5c3877ddaab5b23fdd42addd28fcf9237e0e229de0dcf66b541f0edfbf7586

  • SHA512

    7113b118aeb5c298e2ea3c67fe6ea4278a368d049cc4eb0ee9e434848cfc2e121988d1ed1b5bb5db3f60f790d13f8ecfb46738fbd27ccd18d2c7c7e0cbe0e878

  • SSDEEP

    12288:cttsUZ2U00BrdEGDAtteOXYG4G/3oIPfi/EkchXo4eDCmX1nsemd:chZGceGSYG48YCi/SDkCZ

Score
10/10
quasarseroxen | v3.1.5 |executionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen | v3.1.5 |

C2

dating-mpegs.gl.at.ply.gg:6566

Mutex

$Sxr-jy6vh8CtEJL5ceZuIb

Attributes
  • encryption_key

    RtxBjTfEK9dH2O6DfNVH

  • install_name

    $sxr-powershell.exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    3000

  • startup_key

    Powershell

  • subdirectory

    $sxr-seroxen2

Targets

    • Target

      srxchost.bat

    • Size

      513KB

    • MD5

      e43692fcd393276b26aa7acb8b82b201

    • SHA1

      b9bab6dfd7f592350b8f737bf8b80f0834e1e75d

    • SHA256

      ed5c3877ddaab5b23fdd42addd28fcf9237e0e229de0dcf66b541f0edfbf7586

    • SHA512

      7113b118aeb5c298e2ea3c67fe6ea4278a368d049cc4eb0ee9e434848cfc2e121988d1ed1b5bb5db3f60f790d13f8ecfb46738fbd27ccd18d2c7c7e0cbe0e878

    • SSDEEP

      12288:cttsUZ2U00BrdEGDAtteOXYG4G/3oIPfi/EkchXo4eDCmX1nsemd:chZGceGSYG48YCi/SDkCZ

    Score
    10/10
    quasarseroxen | v3.1.5 |executionspywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks