General

  • Target

    Uni.bat

  • Size

    272KB

  • Sample

    240612-wfhdqstfjh

  • MD5

    329572afb540453454c308ad833fb18d

  • SHA1

    40a3918710ce684e3f1ee3b8185bb2711c24d0c5

  • SHA256

    8c11bf6c6613e02ba059ce545de03e575c022e13d4ec6fa4a61212c22d6d36a6

  • SHA512

    88a33ef1e925179518bbfc99ffb4a526a95d533430aeaeee5f87036a7162d2108e4685966be53df922241ebbee24f3b0a61381a47b0f9f146f43ffa00d9350ac

  • SSDEEP

    6144:wHEnX3bfXFDNDPZ+oo3NF9POEOVMr4jqK:w6DBNF+p3PCnuK

Malware Config

Extracted

Family

quasar

Version

3.0.1

Botnet

Slave

C2

runderscore00-37568.portmap.host:37568

Mutex

QSR_MUTEX_1ujjwOVNfEnJdJ6fzt

Attributes
  • encryption_key

    BaV1r1Ry830cRsn0PkJ3

  • install_name

    $sxr-powershell.exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    3000 (milliseconds to wait between reconnection attempts to the C2)

  • startup_key

    Powershell

  • subdirectory

    $sxr-seroxen2

Targets

    • Target

      Uni.bat

    • Quasar RAT

      Quasar is an open-source .NET remote access tool (RAT) for Windows. The $sxr- prefixes and the $sxr-seroxen2 subdirectory in the extracted config are the naming used by Seroxen, a Quasar-derived RAT.

    • Quasar payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its console window hidden (-WindowStyle Hidden, or the numeric form -w 1), so the user sees no window while the loader executes.

    • Looks up external IP address via web service

      Queries a legitimate public IP lookup service to learn the infected system's external IP address, which the client reports back to the C2.
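The configuration and signatures above translate directly into host and network indicators. The following script is an added example, not part of the sandbox report: it turns the extracted C2 host, mutex, install name, subdirectory and startup key into detection rules, adds the hidden-window PowerShell and external IP lookup behaviours, and runs them over a handful of constructed Sysmon-style events. The event field names, the %APPDATA% install location and the list of IP lookup hosts are assumptions; only the indicator values are taken from the config.

```python
"""Detection rules derived from the extracted Quasar configuration.

Added example; not part of the sandbox report. Events are constructed to
resemble Sysmon-style process, registry, DNS and network telemetry, and the
field names are an assumption.
"""
import re
from typing import Callable, Iterable

# Indicators copied verbatim from the extracted configuration.
C2_HOST = "runderscore00-37568.portmap.host"
C2_PORT = 37568
MUTEX = "QSR_MUTEX_1ujjwOVNfEnJdJ6fzt"
INSTALL_NAME = "$sxr-powershell.exe"
SUBDIRECTORY = "$sxr-seroxen2"
STARTUP_KEY = "Powershell"

# Assumption: the report only says "a legitimate IP lookup service"; these are
# services commonly queried by Quasar builds.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com"}


def _prefixes(word: str) -> str:
    """Alternation of every prefix of word, longest first (powershell.exe
    accepts any unambiguous prefix of -WindowStyle, down to -w)."""
    return "|".join(re.escape(word[:i]) for i in range(len(word), 0, -1))


# -WindowStyle Hidden in any capitalisation/abbreviation, or the numeric
# enum value (-w 1), which powershell.exe also accepts.
HIDDEN_WINDOW_RE = re.compile(
    rf"(?i)(?:^|\s)-(?:{_prefixes('windowstyle')})\s+(?:hidden|1)(?=\s|$)"
)


def is_hidden_powershell(e: dict) -> bool:
    if e.get("type") != "process":
        return False
    image = e.get("image", "").rsplit("\\", 1)[-1].lower()
    return image in {"powershell.exe", "pwsh.exe"} and bool(
        HIDDEN_WINDOW_RE.search(e.get("cmdline", "")))


def is_run_key_persistence(e: dict) -> bool:
    """Run-key value masquerading as 'Powershell', or pointing at the
    Seroxen install name/subdirectory from the config."""
    if e.get("type") != "registry":
        return False
    if not e.get("key", "").lower().endswith(r"\currentversion\run"):
        return False
    data = e.get("data", "").lower()
    return (e.get("value_name", "").lower() == STARTUP_KEY.lower()
            or INSTALL_NAME.lower() in data or SUBDIRECTORY.lower() in data)


def is_c2_contact(e: dict) -> bool:
    """Exact C2 host, generalised to any *.portmap.host relay (the port is
    encoded in the subdomain, so the relay domain alone is a strong hunt)."""
    if e.get("type") == "dns":
        q = e.get("query", "").lower()
        return q == C2_HOST or q.endswith(".portmap.host")
    if e.get("type") == "network":
        host = e.get("dst_host", "").lower()
        return host == C2_HOST or (
            e.get("dst_port") == C2_PORT and host.endswith(".portmap.host"))
    return False


def is_external_ip_lookup(e: dict) -> bool:
    return e.get("type") == "dns" and e.get("query", "").lower() in IP_LOOKUP_HOSTS


def is_quasar_mutex(e: dict) -> bool:
    """This build's mutex, or the QSR_MUTEX_ prefix Quasar's builder uses."""
    name = e.get("name", "")
    return e.get("type") == "mutex" and (name == MUTEX or name.startswith("QSR_MUTEX_"))


RULES: dict[str, Callable[[dict], bool]] = {
    "hidden_powershell": is_hidden_powershell,
    "run_key_persistence": is_run_key_persistence,
    "c2_contact": is_c2_contact,
    "external_ip_lookup": is_external_ip_lookup,
    "quasar_mutex": is_quasar_mutex,
}


def evaluate(events: Iterable[dict]) -> list[tuple[str, dict]]:
    """Return every (rule, event) pair that fires."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


def triggered_rules(events: Iterable[dict]) -> set[str]:
    return {name for name, _ in evaluate(events)}


# Constructed telemetry for the chain Uni.bat -> hidden PowerShell -> Quasar.
# The %APPDATA% location is an assumption; the config does not state it.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "..."'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Powershell",
     "data": r"C:\Users\user\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"},
    {"type": "dns", "query": "runderscore00-37568.portmap.host"},
    {"type": "network", "dst_host": "runderscore00-37568.portmap.host", "dst_port": 37568},
    {"type": "dns", "query": "api.ipify.org"},
    {"type": "mutex", "name": "QSR_MUTEX_1ujjwOVNfEnJdJ6fzt"},
    {"type": "process", "parent": r"C:\Windows\System32\userinit.exe",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},   # benign
    {"type": "dns", "query": "www.microsoft.com"},                        # benign
]

if __name__ == "__main__":
    for rule, ev in evaluate(SAMPLE_EVENTS):
        print(f"{rule:20s} {ev}")
```

The two benign events at the end are there to show the rules stay quiet on ordinary process and DNS activity; the mutex and Run-key rules are the ones worth keeping generic, since the QSR_MUTEX_ prefix and a Run value pointing into a $sxr- directory survive a C2 change between builds.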

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic      Technique                                        Count  ID
Execution   Command and Scripting Interpreter                1      T1059
Execution   Command and Scripting Interpreter: PowerShell    1      T1059.001
