General

  • Target

    lnk.bat

  • Size

    3.4MB

  • Sample

    240821-ssftwszanm

  • MD5

    e0b49da0d96e8c5214e9276be383177c

  • SHA1

    acc2c37d489134c2186e95efaf7d3ea768a226f5

  • SHA256

    081da7f15e7bd101ab50628a23ffa3f8464db8c6f858f5d40faa890166554e39

  • SHA512

    b34944610642622ed45b1b09b4281e6d4b2f160c3b988aec2c254e2860cc1e5e40d6430057ea61fa323c8d99a32caeab50404c1d10baeb9a3b4bd12e6c068cee

  • SSDEEP

    49152:iPZ9h8UbMrOvMl2axWm2aPRlAYydkm6uOwIM0A8Dqpb:C

Malware Config

Extracted

Family

quasar

Attributes
  • encryption_key

    853F98C0E8F31E6FF0C780CC65F601689B6EF3FD

  • reconnect_delay

    3000

Targets

    • Target

      lnk.bat

    • Size

      3.4MB

    • MD5

      e0b49da0d96e8c5214e9276be383177c

    • SHA1

      acc2c37d489134c2186e95efaf7d3ea768a226f5

    • SHA256

      081da7f15e7bd101ab50628a23ffa3f8464db8c6f858f5d40faa890166554e39

    • SHA512

      b34944610642622ed45b1b09b4281e6d4b2f160c3b988aec2c254e2860cc1e5e40d6430057ea61fa323c8d99a32caeab50404c1d10baeb9a3b4bd12e6c068cee

    • SSDEEP

      49152:iPZ9h8UbMrOvMl2axWm2aPRlAYydkm6uOwIM0A8Dqpb:C

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks