General
- Target: i.bat
- Size: 600B
- Sample: 240821-ssftwszank
- MD5: 8ffaa5e752120b5705a135d6bb4d06d2
- SHA1: e831b70d6b1ea25cd278164bbc4aec537ff783da
- SHA256: cb73d3b4806e13127f1845d4feb320b566bb8144ab3cce36f8482bb942df35c2
- SHA512: ee30e3cf536ff80c07add6daf77dec5595eeb455006212c7d299c94026242890cb5a0c420cd628e13566a07eedf024f1717fc9484ced2ee9bb68a1ea1eba7fa8
Static task: static1
Behavioral task: behavioral1
- Sample: i.bat
- Resource: win7-20240729-en
Malware Config
Extracted: quasar
- encryption_key: 853F98C0E8F31E6FF0C780CC65F601689B6EF3FD
- reconnect_delay: 3000
Targets
- Target: i.bat
- Size: 600B
- MD5: 8ffaa5e752120b5705a135d6bb4d06d2
- SHA1: e831b70d6b1ea25cd278164bbc4aec537ff783da
- SHA256: cb73d3b4806e13127f1845d4feb320b566bb8144ab3cce36f8482bb942df35c2
- SHA512: ee30e3cf536ff80c07add6daf77dec5595eeb455006212c7d299c94026242890cb5a0c420cd628e13566a07eedf024f1717fc9484ced2ee9bb68a1ea1eba7fa8

- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Indicator Removal: Clear Windows Event Logs
  Clears Windows Event Logs to hide the activity of an intrusion.
- Drops file in System32 directory
- Enumerates processes with tasklist
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext