General
-
Target
Shadow-Stealer.bat
-
Size
12.5MB
-
Sample
241227-hp4rfaspft
-
MD5
cf5b412ffc3ce43cd7ddce602fc67f56
-
SHA1
221dfcd0868158f676c472d8a5bcf9647f0c7d51
-
SHA256
84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
-
SHA512
695489d3b02863c382dc4b044bd80825b3f46eadfe4647619a0036da7ab3405b7925e89a457b19ee57995a59dcf8d5f9df237cd4d5d59a6cee3914aeaee2a8ef
-
SSDEEP
49152:mmlB6XvIxKx/znMtw4e/x4dA+ilmm5C5rsw1y1lkGxJW5RXLnfaWixbVoZmb0nYk:b
Static task
static1
Behavioral task
behavioral1
Sample
Shadow-Stealer.bat
Resource
win10v2004-20241007-en
Malware Config
Extracted
quasar
1.0.0.0
v2.2.6 | Tinsler
throbbing-mountain-09011.pktriot.net:22112
167.71.56.116:22112
throbbing-mountain-09011.pktriot.net:5050
cf16a257-7d89-4296-8384-8fca3dbb568f
-
encryption_key
045F98A287DD47B8B5C074D234995A2C5A913042
-
install_name
.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
1000
Targets
-
-
Target
Shadow-Stealer.bat
-
Size
12.5MB
-
MD5
cf5b412ffc3ce43cd7ddce602fc67f56
-
SHA1
221dfcd0868158f676c472d8a5bcf9647f0c7d51
-
SHA256
84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
-
SHA512
695489d3b02863c382dc4b044bd80825b3f46eadfe4647619a0036da7ab3405b7925e89a457b19ee57995a59dcf8d5f9df237cd4d5d59a6cee3914aeaee2a8ef
-
SSDEEP
49152:mmlB6XvIxKx/znMtw4e/x4dA+ilmm5C5rsw1y1lkGxJW5RXLnfaWixbVoZmb0nYk:b
-
Quasar family
-
Quasar payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
2Hidden Files and Directories
1Hidden Window
1