General

  • Target

    Shadow-Stealer.bat

  • Size

    12.5MB

  • Sample

    241227-hp4rfaspft

  • MD5

    cf5b412ffc3ce43cd7ddce602fc67f56

  • SHA1

    221dfcd0868158f676c472d8a5bcf9647f0c7d51

  • SHA256

    84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724

  • SHA512

    695489d3b02863c382dc4b044bd80825b3f46eadfe4647619a0036da7ab3405b7925e89a457b19ee57995a59dcf8d5f9df237cd4d5d59a6cee3914aeaee2a8ef

  • SSDEEP

    49152:mmlB6XvIxKx/znMtw4e/x4dA+ilmm5C5rsw1y1lkGxJW5RXLnfaWixbVoZmb0nYk:b

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v2.2.6 | Tinsler

C2

throbbing-mountain-09011.pktriot.net:22112

167.71.56.116:22112

throbbing-mountain-09011.pktriot.net:5050

Mutex

cf16a257-7d89-4296-8384-8fca3dbb568f

Attributes
  • encryption_key

    045F98A287DD47B8B5C074D234995A2C5A913042

  • install_name

    .exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    1000

Targets

    • Quasar RAT

      Quasar is an open-source remote access tool (RAT).

    • Quasar family

    • Quasar payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
