Overview

overview

10

Static

static

1

Loader.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Loader.bat

  • Size

    10.4MB

  • Sample

    240627-c3lvwsyarg

  • MD5

    4d8cc625098e8ffe5f8b5dbb3d45a3ee

  • SHA1

    898d35c63b91f89d9ce399f17f400c979dd2b630

  • SHA256

    3598244124cef26a1f17756cf140762178778257d0eed874873e7370c7f2524c

  • SHA512

    0e408ec2698c5d6f05910fb5d61eacea5d88b24b7e0b4d150ac94e1b948fb2d0cd86bba92ba33d755e03ee85aaf072de7950a25cd9dc9b09bc6d168cd16d3c35

  • SSDEEP

    49152:wVQDxc8uKGY1o5cnrdMEQ5A38d3tCYrTYWo9aftHuCimrCtSqE2Nb8qIM7+xORLS:Hy

Score
10/10
quasaroffice04executionspywaretrojanupx

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

history-foo.gl.at.ply.gg:42349

Mutex

2beddbf7-c691-4058-94c7-f54389b4a581

Attributes
  • encryption_key

    CBFC5D217E55BEBDCD3A6EFA924299F76BC328D9

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    SubDir

Targets

    • Target

      Loader.bat

    • Size

      10.4MB

    • MD5

      4d8cc625098e8ffe5f8b5dbb3d45a3ee

    • SHA1

      898d35c63b91f89d9ce399f17f400c979dd2b630

    • SHA256

      3598244124cef26a1f17756cf140762178778257d0eed874873e7370c7f2524c

    • SHA512

      0e408ec2698c5d6f05910fb5d61eacea5d88b24b7e0b4d150ac94e1b948fb2d0cd86bba92ba33d755e03ee85aaf072de7950a25cd9dc9b09bc6d168cd16d3c35

    • SSDEEP

      49152:wVQDxc8uKGY1o5cnrdMEQ5A38d3tCYrTYWo9aftHuCimrCtSqE2Nb8qIM7+xORLS:Hy

    Score
    10/10
    quasaroffice04executionspywaretrojanupx

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Process Discovery

1
T1057

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks