Resubmissions

19/08/2024, 21:04

240819-zwppjazcmj 10

09/06/2024, 03:00

240609-dhlj3add52 8

General

  • Target

    Aurora.Crypter.bat

  • Size

    15.5MB

  • Sample

    240819-zwppjazcmj

  • MD5

    83651c557776cf794556dff0b374c1d7

  • SHA1

    34931e55ff8bfa85a721086910624e72f9a957fb

  • SHA256

    f83073b5c7d316632b77808423a07425fc4a9314526ebc55174cee134be2cbf0

  • SHA512

    ccba336b8abfa555b5f9c8a49ccce18ac072e86ee010f5c6618c9692a07d4f81444bcfe363b9ae13102e0d1c6e7ee9dc9af0e86ee20aab6ed5ca61ad8bf3ac9d

  • SSDEEP

    49152:ddCxJ8qpgn1Bcsk0dWCUmQuR0CciSk13blWnft0nnrxvYKyyVjqo8Gf7T1/+f83b:R

Malware Config

Extracted

Family

quasar

Attributes

  • reconnect_delay

    1000

Targets

    • Target

      Aurora.Crypter.bat

    • Size

      15.5MB

    • MD5

      83651c557776cf794556dff0b374c1d7

    • SHA1

      34931e55ff8bfa85a721086910624e72f9a957fb

    • SHA256

      f83073b5c7d316632b77808423a07425fc4a9314526ebc55174cee134be2cbf0

    • SHA512

      ccba336b8abfa555b5f9c8a49ccce18ac072e86ee010f5c6618c9692a07d4f81444bcfe363b9ae13102e0d1c6e7ee9dc9af0e86ee20aab6ed5ca61ad8bf3ac9d

    • SSDEEP

      49152:ddCxJ8qpgn1Bcsk0dWCUmQuR0CciSk13blWnft0nnrxvYKyyVjqo8Gf7T1/+f83b:R

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Deletes itself

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

MITRE ATT&CK Enterprise v15

Tasks