General
- Target: Uni.bat
- Size: 15.5MB
- Sample: 250212-fsp2cazlct
- MD5: 9785193adfcf2b7888f90d0fe16e7f46
- SHA1: cd5120c0662c0572b1973f9fd9f79566ac181935
- SHA256: 5bec7bb0fc081360633e5082b4f0f3eb35d3d875c89f854aa694ab19890e544c
- SHA512: 04c2c70fc2e02f04ae777cef1e85d949b1091f16650e50481e523ecf81e7ca0efc1a5991583e25b0e0657f7264e0264339d49acfe94229d58c636c9ca003e325
- SSDEEP: 49152:eCDQpWIFvGGPXy9Vj9n2Oktv5kdUrmm/359AiKai7JEenmZTzNwzlLLy0HMUpEMC:O
Static task: static1
Behavioral task: behavioral1
- Sample: Uni.bat
- Resource: win7-20240903-en
Malware Config
Extracted: quasar
- reconnect_delay: 3000
Targets
- Target: Uni.bat (size and hashes as listed under General above)
- Quasar family
- Quasar payload
- Seroxen family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Deletes itself
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Defense Evasion
- Hide Artifacts (1): Hidden Window (1)
- Impair Defenses (1): Safe Mode Boot (1)