General
Target: svchost.bat
Size: 608KB
Sample: 240702-qhfd9stekf
MD5: 0598b47f8cba2aa8042d5241594a2a18
SHA1: 2f9923a0cd52476a33e005156675c19d445a627f
SHA256: edd1a3237614dc5b6554baaf7f937285850b22b294bfe506309549cb4f62984e
SHA512: 146fb2f4ba190434ac42c22054c992fd4276da789145401fab9702e3e8cb140194be5c49bc00b20de58557f0d3e4425e80029113fc2cd55dcdc5dbb59306ccd1
SSDEEP: 12288:NK2Dh0mFsRXQ7ZpK1b4Bdbi6EGv8/K9yxnQ3nzvc7l87wrJJ3HMU:Nhjsxb4B0KAxnww7y7+v
Static task: static1
Malware Config
Extracted: quasar
  reconnect_delay: 3000
Extracted: xworm
  C2: super-nearest.gl.at.ply.gg:17835
  C2: best-bird.gl.at.ply.gg:27196
  C2: wiz.bounceme.net:6000
  Install_directory: %ProgramData%
Extracted: asyncrat
  Botnet: Default
  C2: finally-grande.gl.at.ply.gg:25844
  delay: 1
  install: false
  install_folder: %AppData%
Extracted: quasar
  Version: 3.1.5
  Botnet: Slave
  C2: stop-largely.gl.at.ply.gg:27116
  Mutex: $Sxr-kl1r656AGsPQksTmi8
  encryption_key: WyBm1iVkHZmEnGPMAZWV
  install_name: $phantom.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: $phantomSTARTUP~MSF
  subdirectory: $phantom
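The extracted configs above are only useful once they are turned into something a blocklist or a hunt query can consume. The following script is an added example, not part of the sandbox report: it parses the configs (transcribed here as constructed `key: value` lines, one `family:` line per extracted config) into C2 endpoints and host-side indicators. The infrastructure labels are an assumption kept deliberately small: `*.ply.gg` hostnames are playit.gg tunnel endpoints and `*.bounceme.net` is a No-IP dynamic DNS domain.

```python
"""Turn extracted RAT configs into C2 and host IOCs (added example, not report output)."""

# Constructed transcription of the report's extracted configs.
EXTRACTED = """\
family: quasar
reconnect_delay: 3000
family: xworm
c2: super-nearest.gl.at.ply.gg:17835
c2: best-bird.gl.at.ply.gg:27196
c2: wiz.bounceme.net:6000
install_directory: %ProgramData%
family: asyncrat
botnet: Default
c2: finally-grande.gl.at.ply.gg:25844
delay: 1
install: false
install_folder: %AppData%
family: quasar
version: 3.1.5
botnet: Slave
c2: stop-largely.gl.at.ply.gg:27116
mutex: $Sxr-kl1r656AGsPQksTmi8
encryption_key: WyBm1iVkHZmEnGPMAZWV
install_name: $phantom.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: $phantomSTARTUP~MSF
subdirectory: $phantom
"""

# Assumption: minimal suffix table for infrastructure that hides the operator's real host.
INFRA_SUFFIXES = {".ply.gg": "playit.gg tunnel", ".bounceme.net": "No-IP dynamic DNS"}


def parse_configs(text):
    """Split 'key: value' lines into one dict per extracted config; 'c2' keys accumulate."""
    configs = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # first colon only: host:port stays intact
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "family":
            configs.append({"family": value, "c2": []})
        elif key == "c2":
            configs[-1]["c2"].append(value)
        else:
            configs[-1][key] = value
    return configs


def split_endpoint(endpoint):
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def classify_host(host):
    for suffix, label in INFRA_SUFFIXES.items():
        if host.lower().endswith(suffix):
            return label
    return "direct"


def c2_endpoints(configs):
    """(family, host, port, infrastructure label) for every C2 in every config."""
    out = []
    for cfg in configs:
        for endpoint in cfg["c2"]:
            host, port = split_endpoint(endpoint)
            out.append((cfg["family"], host, port, classify_host(host)))
    return out


def host_artifacts(configs):
    """Mutex names, Run-key value names and relative install paths implied by the configs."""
    artifacts = {"mutex": set(), "run_key_name": set(), "install_path": set()}
    for cfg in configs:
        if "mutex" in cfg:
            artifacts["mutex"].add(cfg["mutex"])
        if "startup_key" in cfg:
            artifacts["run_key_name"].add(cfg["startup_key"])
        # Only configs that actually install leave a path worth hunting for.
        if cfg.get("install", "true").lower() == "false":
            continue
        if "subdirectory" in cfg and "install_name" in cfg:
            artifacts["install_path"].add(cfg["subdirectory"] + "\\" + cfg["install_name"])
    return artifacts


if __name__ == "__main__":
    cfgs = parse_configs(EXTRACTED)
    for row in c2_endpoints(cfgs):
        print("%-9s %-30s %5d  %s" % row)
    print(host_artifacts(cfgs))
```

Four of the five C2 endpoints sit behind playit.gg tunnels and the fifth is a No-IP dynamic DNS name, so the IPs they resolve to are shared and short-lived; block and alert on the hostnames (DNS logs, proxy logs) rather than on resolved addresses, and treat the mutex and the Run-key value name as the durable host-side indicators.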
Targets
Target: svchost.bat
Size: 608KB
Hashes: as listed under General (SHA256 edd1a3237614dc5b6554baaf7f937285850b22b294bfe506309549cb4f62984e)
Signatures
Detect Xworm Payload
Quasar payload
Async RAT payload
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence check.
Drops startup file
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
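The signatures above describe sandbox behaviour, not detection logic. The following is an added example, not part of the report, of how those behaviours look as rules over endpoint telemetry. It runs over a constructed, pipe-delimited log (timestamp|event|key=value...), and the registry path for the location check, the set of IP lookup hosts and the Defender-exclusion cmdlets are assumptions, since the report names none of them. It also handles the case the report's one-line description glosses over: the PowerShell command line is often passed as `-EncodedCommand`, so the rule decodes the UTF-16LE base64 before matching.

```python
"""Rules for the report's behaviours, run over constructed log lines (added example)."""
import base64
import re

# PowerShell adding Defender exclusions (Add-MpPreference/Set-MpPreference -Exclusion*).
MP_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b", re.I | re.S)
# -EncodedCommand and the abbreviations powershell.exe accepts for it (-e, -ec, -enc).
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
# Assumption: the "computer location" check reads the registry country code under Geo.
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo", re.I)
# Assumption: the report does not name the lookup service; a few common ones.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ifconfig.me"}
# Executables launched from the install directories named in the extracted configs.
DROPPED_DIR = re.compile(r"^(?:C:\\ProgramData\\|.*\\AppData\\Roaming\\)", re.I)


def decode_encoded_command(cmd):
    """Plaintext of a -EncodedCommand argument (UTF-16LE base64), or '' if absent/invalid."""
    m = ENCODED_CMD.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify(event, fields):
    """Map one parsed event to the report's signature names; [] means nothing matched."""
    tags = []
    if event == "ProcessCreate":
        cmd = fields.get("cmd", "")
        if MP_EXCLUSION.search(cmd) or MP_EXCLUSION.search(decode_encoded_command(cmd)):
            tags.append("powershell_defender_exclusion")
        if DROPPED_DIR.match(fields.get("image", "")):
            tags.append("executes_dropped_exe")
    elif event == "RegistrySetValue" and RUN_KEY.search(fields.get("key", "")):
        tags.append("adds_run_key")
    elif event == "RegistryQueryValue" and GEO_KEY.search(fields.get("key", "")):
        tags.append("checks_computer_location")
    elif event == "DnsQuery" and fields.get("name", "").lower() in IP_LOOKUP_HOSTS:
        tags.append("external_ip_lookup")
    return tags


def parse_line(line):
    """Constructed log format: timestamp|event|key=value|key=value..."""
    parts = line.rstrip("\n").split("|")
    fields = dict(p.partition("=")[::2] for p in parts[2:])
    return parts[0], parts[1], fields


def scan(lines):
    """(timestamp, tags) for every line that matches at least one rule."""
    hits = []
    for line in lines:
        ts, event, fields = parse_line(line)
        tags = classify(event, fields)
        if tags:
            hits.append((ts, tags))
    return hits


# Constructed sample log: the report's behaviours plus one benign line.
ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionProcess 'svchost.bat'".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = [
    rf"2024-07-02T10:00:01|ProcessCreate|image={PS}|cmd=powershell -ep bypass -c Add-MpPreference -ExclusionPath 'C:\ProgramData'",
    rf"2024-07-02T10:00:02|ProcessCreate|image={PS}|cmd=powershell -nop -w hidden -enc {ENCODED}",
    r"2024-07-02T10:00:03|RegistrySetValue|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\$phantomSTARTUP~MSF|data=C:\ProgramData\$phantom\$phantom.exe",
    r"2024-07-02T10:00:04|RegistryQueryValue|key=HKCU\Control Panel\International\Geo\Nation",
    r"2024-07-02T10:00:05|DnsQuery|name=api.ipify.org",
    r"2024-07-02T10:00:06|ProcessCreate|image=C:\ProgramData\$phantom\$phantom.exe|cmd=C:\ProgramData\$phantom\$phantom.exe",
    r"2024-07-02T10:00:07|ProcessCreate|image=C:\Windows\System32\notepad.exe|cmd=notepad.exe",
]

if __name__ == "__main__":
    for ts, tags in scan(SAMPLE_LOG):
        print(ts, ", ".join(tags))
```

The Defender-exclusion rule is the one to tune: the plaintext and the encoded command lines in the sample produce the same hit, and an encoded command that fails to decode falls through to the plaintext match rather than raising.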
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
  Command and Scripting Interpreter: PowerShell (1)
  Scheduled Task/Job: Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job: Scheduled Task (1)