General
Target: 4Xc1zTf.bat
Size: 313B
Sample: 240702-2l3vhstdja
MD5: 83b90daf2dc1611ccacd57f90a9e7dcd
SHA1: bcc229dcfe50608ada43b87105e423f88deb09f3
SHA256: 3598bd743d78bb85de33127f0584f9d37d0775fa5166b721b153deeeea0c172b
SHA512: 1aadf9c3cf7e540e09929bb9b834af192d9edc7196c6e44e4d77f8df2d26404509381306bcbd405d86dd47df403a375220b097aa7fd05162422c1dd594df3778
Static task: static1
Malware Config
Extracted: quasar
  reconnect_delay: 3000
Extracted: xworm
  super-nearest.gl.at.ply.gg:17835
  best-bird.gl.at.ply.gg:27196
  wiz.bounceme.net:6000
Extracted: asyncrat
  Default
  finally-grande.gl.at.ply.gg:25844
  delay: 1
  install: false
  install_folder: %AppData%
Extracted: quasar
  3.1.5
  Slave
  stop-largely.gl.at.ply.gg:27116
  $Sxr-kl1r656AGsPQksTmi8
  encryption_key: CjDCAPF1JiLswgFipef3
  install_name: $77Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Windows Start-Up Application
  subdirectory: $77
Targets
Target: 4Xc1zTf.bat
- Detect Xworm Payload
- Quasar payload
- Async RAT payload
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)