Extracted

• • Target

    hi.bat

  • Size

    7.2MB

  • MD5

    2c3d8aae15c19f224cb8258dc002fb53

  • SHA1

    5797ad1149d6be6cbbb76df18abfa32e28cbc6a0

  • SHA256

    c96f6d22a11588fb645f45821a151ee6cce413cfc3b80a62f3717cc2ba809247

  • SHA512

    65e76fffd292b0cc442af65082fd5c7e2685c6bc9cbaa0597972598063e07a5ec2b8cf581d6d479e8266cecd984b7209b94f73b295b8f0fd661292583c19e9a7

  • SSDEEP

    49152:i2z4mBDgbmKEf2tj2UFBW14Hkp18YJAUv0ZA8fv3CzY1V6uSonph0DQMq6xKjKvX:d

  Score

  10^/10

  executionquasarbootkitdefense_evasionpersistencespywaretrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Sets service image path in registry

    persistence

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE

  • Indicator Removal: Clear Windows Event Logs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2