General

  • Target

    i.bat

  • Size

    600B

  • Sample

    240821-ssftwszank

  • MD5

    8ffaa5e752120b5705a135d6bb4d06d2

  • SHA1

    e831b70d6b1ea25cd278164bbc4aec537ff783da

  • SHA256

    cb73d3b4806e13127f1845d4feb320b566bb8144ab3cce36f8482bb942df35c2

  • SHA512

    ee30e3cf536ff80c07add6daf77dec5595eeb455006212c7d299c94026242890cb5a0c420cd628e13566a07eedf024f1717fc9484ced2ee9bb68a1ea1eba7fa8

Malware Config

Extracted

Family

quasar

Attributes
  • encryption_key

    853F98C0E8F31E6FF0C780CC65F601689B6EF3FD

  • reconnect_delay

    3000

Targets

    • Target

      i.bat

    • Size

      600B

    • MD5

      8ffaa5e752120b5705a135d6bb4d06d2

    • SHA1

      e831b70d6b1ea25cd278164bbc4aec537ff783da

    • SHA256

      cb73d3b4806e13127f1845d4feb320b566bb8144ab3cce36f8482bb942df35c2

    • SHA512

      ee30e3cf536ff80c07add6daf77dec5595eeb455006212c7d299c94026242890cb5a0c420cd628e13566a07eedf024f1717fc9484ced2ee9bb68a1ea1eba7fa8

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks