Clearly, this attempts to use "MSHTA" to navigate to the minpic[.]de link pictured above. That results in the following PowerShell script, cleverly disguised as a JPEG file.
When we look at this URL we find a page that contains a whole bunch of hex code!
The previous PowerShell script, which references this page of hex code, also executes a function that builds the code into something else... wait for it... another PowerShell script!
What strikes me as interesting here is that the variable name starting with $a... is loaded and executed very similarly to how the Jupyter malware I wrote about last month looks, so extracting the executable from this should be a similar process. To test this, I used the following modifications and ran with it!
Yep! Very similar. I can use CyberChef's "From Charcode" (base 10) with a delimiter of "Line Feed" to extract the Quasar executable, which the PowerShell loads into MSBuild.exe in this sample. In other samples I have seen RegSvcs.exe being used.
Here is the VirusTotal Link to the extracted Quasar executable!
IOCs:
VBS Downloader Hash: 119F4649E03ACB94BAE703CB1AED2D63
Downloader link: hxxps://www.minpic[.]de/t/be5s/f8wbe
Stage 2 Downloader: hxxps://www.minpic[.]de/t/be5r/18jv5z
Hex code for Stage 2: hxxps://www.minpic[.]de/k/be5q/2xolu/
PowerShell loader for Quasar (MD5): 7f1a2ff37d10eb877e51efca0daf8910
Quasar Executable Hash: 9b9880756019b1eeea28019cc18b9ee5
C2: 164.68.122[.]235:5559
C2: top[.]killwhenabusing1[.]xyz