General

  • Target

    Uni.bat

  • Size

    15.5MB

  • Sample

    240626-aseygstajg

  • MD5

    23c907a663bc5c30e89aa5c412b0b6a2

  • SHA1

    9a23b5ac7ff316fd750a89f5838ba59554cc5d61

  • SHA256

    77eea1fee29eaea3be683181b75c7ec61bd2d18cfa4e124bcf2c20cdba8d7728

  • SHA512

    9c2b7c7ecff1c30759975c6fed9b07dae2d1e943237f9770d2cad5edbff77abdbfb050fc0a445f4098e5381370f8491d914a21ccfa2151cc6ae441ddbbedb9d8

  • SSDEEP

    49152:Yju6olBs/O7mrdEf362SZzFdBIfHsE/LKy/n+d9gy12/KRsZgMj8idHJMW3merdt:3

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Targets

    • Target

      Uni.bat


    • Quasar RAT

      Quasar is an open-source remote access tool (RAT) for Windows, written in C#. Its settings are embedded in the client binary; the only attribute recovered from this sample's configuration is reconnect_delay (3000, in milliseconds between reconnection attempts).

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell (T1059.001)

      Runs PowerShell with a hidden window (for example via -WindowStyle Hidden), so no console is shown to the logged-on user.

    • Checks computer location settings

      Reads the country code configured in the registry (typically HKCU\Control Panel\International\Geo\Nation), likely to geofence execution to or away from particular regions.

    • Deletes itself

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot (T1562.009)

      Configures the system to boot into safe mode, where security software that is not registered as a safe-mode service does not start.

    • Hide Artifacts: Hidden Window (T1564.003)

      Windows that would normally be displayed while an application carries out an operation are suppressed, so the user sees no sign of execution.

    • Drops file in System32 directory
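The signatures above are sandbox behaviour matches, not detection logic a defender can run. As an added example (not part of the report or of the Quasar project), the following Python maps the behaviours listed here to ATT&CK techniques and runs them over a set of constructed process-creation and registry-read events of the kind a sandbox or EDR would produce. The IDs for PowerShell (T1059.001), Hidden Window (T1564.003) and Safe Mode Boot (T1562.009) are the MITRE names used on this page; mapping the location check to T1614 and self-deletion to T1070.004 is this example's own assumption, and the sample events are constructed, not taken from the sample.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    """One telemetry record: a process command line or a registry key read."""
    kind: str    # "process" (command line) or "registry" (key path queried)
    value: str


# Rule = (ATT&CK ID, signature name as shown in the report, event kind, pattern).
# T1614 and T1070.004 are assumed mappings; the other three IDs are MITRE's own.
RULES: List[Tuple[str, str, str, "re.Pattern[str]"]] = [
    ("T1059.001", "Command and Scripting Interpreter: PowerShell", "process",
     re.compile(r"\bpowershell(?:\.exe)?\b", re.I)),
    ("T1564.003", "Hide Artifacts: Hidden Window", "process",
     re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)),
    ("T1614", "Checks computer location settings", "registry",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("T1562.009", "Impair Defenses: Safe Mode Boot", "process",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)),
    ("T1070.004", "Deletes itself", "process",
     re.compile(r"\bcmd(?:\.exe)?\s+/c\b.*\bdel\b", re.I)),
]

# Constructed sample telemetry mimicking the behaviours in the report (hypothetical).
SAMPLE_EVENTS: List[Event] = [
    Event("process", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                     r'-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\stage.ps1'),
    Event("registry", r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"),
    Event("process", r"bcdedit.exe /set {default} safeboot minimal"),
    Event("process", r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del "C:\Users\Public\Uni.bat"'),
    # Two benign records that must not fire any rule.
    Event("process", r'"C:\Windows\System32\notepad.exe" C:\Users\Public\notes.txt'),
    Event("registry", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
]


def match_events(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return every (technique ID, signature name, event value) a rule matched."""
    hits = []
    for ev in events:
        for tid, name, kind, pattern in RULES:
            # Kind must match first so a registry path is never tested as a command line.
            if ev.kind == kind and pattern.search(ev.value):
                hits.append((tid, name, ev.value))
    return hits


def technique_ids(events: List[Event]) -> List[str]:
    """Sorted, de-duplicated technique IDs observed in the event stream."""
    return sorted({tid for tid, _, _ in match_events(events)})


if __name__ == "__main__":
    for tid, name, value in match_events(SAMPLE_EVENTS):
        print(f"{tid:10} {name:48} {value[:60]}")
    print("techniques:", ", ".join(technique_ids(SAMPLE_EVENTS)))
```

The PowerShell event fires two rules (the interpreter itself and the hidden-window flag), which is the intended behaviour: the report lists them as separate signatures. Tune the hidden-window pattern to your environment, since `-w hidden` also appears in some legitimate scheduled tasks.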

MITRE ATT&CK Enterprise v15
