General
-
Target
Uni.bat
-
Size
13.7MB
-
Sample
241124-l2cp9s1jek
-
MD5
577c262de7ca8fdfef3b12e8dd170ca5
-
SHA1
dd35b98c86bd9ac07ee362aeb99a83714511bd6d
-
SHA256
5b50f8552e84e864a072b85c24a5aa8ceae9caf1f0ffec251e2240b43a26df2a
-
SHA512
83c1033a62520ce5b32eadf68bfe48421986e5a15eedeb9dcfdf8ba1d1bb99ca863e5313ed6a3fd3a9fb433869e64094388376d6a141016bfd6035d9367ce2ab
-
SSDEEP
49152:fYSZV75wgeIWwiXe0+DRcnymKneX5wmiiU5Xnh22OhqkNu7KTnyl3547ih563zBg:d
Malware Config
Extracted
quasar
1.4.0
v15.5.4 | SeroXen
86.20.153.176:1007
1e6be32f-7de8-4e84-abb4-edd31f5c9694
-
encryption_key
2C1A5E068ECB45220CA56F443A8C0F56408DD384
-
install_name
.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
5
-
startup_key
$sxr-seroxen
Targets
-
-
Target
Uni.bat
-
Size
13.7MB
-
MD5
577c262de7ca8fdfef3b12e8dd170ca5
-
SHA1
dd35b98c86bd9ac07ee362aeb99a83714511bd6d
-
SHA256
5b50f8552e84e864a072b85c24a5aa8ceae9caf1f0ffec251e2240b43a26df2a
-
SHA512
83c1033a62520ce5b32eadf68bfe48421986e5a15eedeb9dcfdf8ba1d1bb99ca863e5313ed6a3fd3a9fb433869e64094388376d6a141016bfd6035d9367ce2ab
-
SSDEEP
49152:fYSZV75wgeIWwiXe0+DRcnymKneX5wmiiU5Xnh22OhqkNu7KTnyl3547ih563zBg:d
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
2Hidden Files and Directories
1Hidden Window
1