General
Target: srxchost.bat
Size: 513KB
Sample: 240606-pcckraeh67
MD5: e43692fcd393276b26aa7acb8b82b201
SHA1: b9bab6dfd7f592350b8f737bf8b80f0834e1e75d
SHA256: ed5c3877ddaab5b23fdd42addd28fcf9237e0e229de0dcf66b541f0edfbf7586
SHA512: 7113b118aeb5c298e2ea3c67fe6ea4278a368d049cc4eb0ee9e434848cfc2e121988d1ed1b5bb5db3f60f790d13f8ecfb46738fbd27ccd18d2c7c7e0cbe0e878
SSDEEP: 12288:cttsUZ2U00BrdEGDAtteOXYG4G/3oIPfi/EkchXo4eDCmX1nsemd:chZGceGSYG48YCi/SDkCZ
Tasks
Static task: static1
Behavioral task: behavioral1 (sample srxchost.bat, resource win10-20240404-en)
Behavioral task: behavioral2 (sample srxchost.bat, resource win7-20240220-en)
Behavioral task: behavioral3 (sample srxchost.bat, resource win10v2004-20240226-en)
Malware Config
Extracted family: quasar
Version: 3.1.5
Botnet/tag: SeroXen | v3.1.5 |
C2: dating-mpegs.gl.at.ply.gg:6566
Mutex: $Sxr-jy6vh8CtEJL5ceZuIb
encryption_key: RtxBjTfEK9dH2O6DfNVH
install_name: $sxr-powershell.exe
log_directory: $sxr-Logs
reconnect_delay: 3000
startup_key: Powershell
subdirectory: $sxr-seroxen2
Targets
Target: srxchost.bat (513KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Score: 10/10
Signatures:
- Quasar payload
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
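The extracted config (install_name, subdirectory, startup_key, C2 host and port) and the behavioral signatures above are directly usable as hunt indicators. The script below is an added example, not part of the tria.ge report or of the Quasar/SeroXen code: it turns those values into a small hunt over endpoint telemetry. The telemetry lines, the flat key=value layout and the Sysmon-like field names are constructed for illustration; the implant path under System32 is modeled on the "Drops file in System32 directory" signature, and the Run key being under HKCU is an assumption (Quasar writes the startup_key as a Run value; the hive depends on the privileges it runs with).

```python
# Added example (not from the tria.ge report): hunt for the SeroXen / Quasar
# indicators extracted above in endpoint telemetry. Event lines and field
# names are constructed for illustration, not any product's real schema.
import re
from pathlib import PureWindowsPath

# Indicators taken directly from the extracted config on this page.
C2_HOST = "dating-mpegs.gl.at.ply.gg"
C2_PORT = "6566"
INSTALL_NAME = "$sxr-powershell.exe"   # install_name
SUBDIRECTORY = "$sxr-seroxen2"          # subdirectory
STARTUP_KEY = "Powershell"              # startup_key: value name under a Run key

# Constructed sample telemetry (assumption: one event per line, Sysmon-like
# fields). Events 0-2 model the implant's execution, its C2 beacon and its
# Run-key persistence; events 3-4 are benign noise that must not match.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Windows\System32\$sxr-seroxen2\$sxr-powershell.exe ParentImage=C:\Windows\System32\cmd.exe",
    r"EventID=3 Image=C:\Windows\System32\$sxr-seroxen2\$sxr-powershell.exe DestinationHostname=dating-mpegs.gl.at.ply.gg DestinationPort=6566",
    r"EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Powershell Details=C:\Windows\System32\$sxr-seroxen2\$sxr-powershell.exe",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe",
    r"EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationHostname=example.org DestinationPort=443",
]

# key=value pairs; a value runs until the next " key=" or end of line, so
# paths containing spaces ("Program Files") survive parsing.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Split one constructed key=value telemetry line into a dict."""
    return {key: value for key, value in _FIELD.findall(line)}


def _image_matches_install(path: str) -> bool:
    """True if a file path uses the configured install name or subdirectory."""
    p = PureWindowsPath(path)
    parts = [part.lower() for part in p.parts]
    return p.name.lower() == INSTALL_NAME.lower() or SUBDIRECTORY.lower() in parts


def match_event(event: dict) -> list:
    """Return the indicator labels an event trips (empty list if none)."""
    hits = []
    image = event.get("Image", "")
    if image and _image_matches_install(image):
        hits.append("quasar_install_path")
    if event.get("DestinationHostname", "").lower() == C2_HOST:
        hits.append("c2_host")
        if event.get("DestinationPort") == C2_PORT:
            hits.append("c2_connection")
    # Run value whose name equals the configured startup_key, in any hive.
    target = event.get("TargetObject", "")
    if re.search(r"\\Run\\" + re.escape(STARTUP_KEY) + r"$", target, re.IGNORECASE):
        hits.append("run_key_persistence")
    details = event.get("Details", "")
    if details and _image_matches_install(details):
        hits.append("run_key_points_at_implant")
    return hits


def hunt(lines) -> dict:
    """Map line index -> hit labels for every line tripping an indicator."""
    results = {}
    for index, line in enumerate(lines):
        hits = match_event(parse_event(line))
        if hits:
            results[index] = hits
    return results


if __name__ == "__main__":
    for index, hits in hunt(SAMPLE_EVENTS).items():
        print(f"event {index}: {', '.join(hits)}")
```

Matching on the startup_key value name and the install path separately from the C2 host matters in practice: the ply.gg host is a tunnelled playit.gg endpoint the operator can rotate, while install_name, subdirectory and startup_key are baked into the build and survive a C2 change.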