General
-
Target
Cleaner.bat
-
Size
15.5MB
-
Sample
250206-mgz6haskdx
-
MD5
48801e3774deebf8666d6df1b37757e3
-
SHA1
1a68988bdad3a3bf789a20075ed05a59f3813e5b
-
SHA256
f6d5e88fd7b0c59e3b98adaa661590c94945883d5bfba56d11746605141da395
-
SHA512
e4b37d2a211b945da7dc4cd3d88e6240bde3114507c74aecaccef02e636b96f3866e660b5b11313930cd1e931e8f517d003a50961bf7adf91af1c25be56da938
-
SSDEEP
49152:Kx/LBdXSxlnIlRqh3wA19LrN1d2UlYQ7QR3CU5Vwt+Ik/3kwfDgevpMajDX26/dM:n
Malware Config
Extracted
quasar
1.0.0.0
v15.6.2 | NYD
84.54.50.240:55555
7d19b1ad-b659-4439-bfc4-e8268b4274eb
-
encryption_key
551A9E2D7270F1F7932B712564A6AFB45DC86B4C
-
install_name
.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
3000
-
startup_key
$sxr-seroxen
Targets
-
-
Target
Cleaner.bat
-
Size
15.5MB
-
MD5
48801e3774deebf8666d6df1b37757e3
-
SHA1
1a68988bdad3a3bf789a20075ed05a59f3813e5b
-
SHA256
f6d5e88fd7b0c59e3b98adaa661590c94945883d5bfba56d11746605141da395
-
SHA512
e4b37d2a211b945da7dc4cd3d88e6240bde3114507c74aecaccef02e636b96f3866e660b5b11313930cd1e931e8f517d003a50961bf7adf91af1c25be56da938
-
SSDEEP
49152:Kx/LBdXSxlnIlRqh3wA19LrN1d2UlYQ7QR3CU5Vwt+Ik/3kwfDgevpMajDX26/dM:n
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Seroxen family
-
Seroxen, Ser0xen
Seroxen or SeroXen aka Ser0Xen is a trojan fist disovered in late 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
2Hidden Files and Directories
1Hidden Window
1