This attempts to use mshta.exe to open the minpic[.]de link pictured above. Fetching that link returns the following PowerShell script, disguised as a JPEG file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-CiNggUvnrAEHFvvluZb6SZ5DQtwrt7o0Xj_3sFP0FGyKH85mPnohHJZpexCyr8ve7xvmV93jqVVhwu6ENG__g99NIe5haduG0fJ-xUhjY3lf3JG5Sy0haeNgL8BcRiFvyK1tlQ-qv2c/w640-h310/Screen+Shot+2021-01-05+at+12.43.00+PM.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMRai1hHK1i_rdYauZC7EYVqvKemhyqBz31YUexCeLH7xWYLq94Xr9rN6xb_PnvxxY688bM9RgfpH1ZElbd7vVN8-yAH92Vl3oXHf5cvwv6Yk9WliUy3hGDIMGfWKozMjKzGWpKpTHe24/w640-h48/Screen+Shot+2021-01-05+at+12.49.00+PM.png)
Visiting that URL returns a page that contains nothing but a long run of hex:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmPgqOh5ThSCxoOxCpv2AleELsky3W3d5nAxGFBv_iaqSvmqXGdAvcF1QlrKnA1glAzcbOv-k6_B9Ux10yV4U00bzsorEEwptNqe_MdgvUr20shJUxM2uxo14UOcmpseh3t4SJh9lffwo/w400-h244/Screen+Shot+2021-01-05+at+12.54.57+PM.png)
The previous PowerShell script, which fetches this page of hex, also runs a function that decodes the hex into something else... wait for it... another PowerShell script:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglf3SIJNRcxtuMREiT_uPxbls11NGMz-AWLrE-BDl6S_KxOTQVl5O9_Nz_sljAVfIWGIN-OK-boURFUtk1vs-TqopY06qWRkxx9_vbRT2CUYNCn8533IhZfOCr5zKABjlKRj7vtytLYUM/w400-h216/Screen+Shot+2021-01-05+at+1.34.35+PM.png)
What strikes me as interesting here is that the variable whose name starts with $a... is loaded and executed very much like the Jupyter malware I wrote about last month, so extracting the executable from this should be a similar process. To test this, I used the following modifications and ran with it:
Yep, very similar. CyberChef's "From Charcode" operation (base 10, delimiter "Line feed") recovers the Quasar executable, which the PowerShell loads into MSBuild.exe in this sample. In other samples I have seen RegSvcs.exe used instead.
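The two CyberChef steps used above, From Hex for the stage-2 page and From Charcode (base 10, line-feed delimited) for the payload, as a small Python script. This is an added example and not code from the original post or from the malware; the sample inputs are constructed stand-ins, not the real minpic[.]de content. `from_charcode_text` goes slightly beyond the line-feed form this sample uses and also accepts the comma-separated `[byte[]]` arrays other PowerShell loaders embed.

```python
"""Decode the two obfuscation layers described above: the page of hex that
yields the stage-2 PowerShell, and the decimal char codes that yield the PE.
Added example, not the author's code. All inputs below are constructed."""
import hashlib
import re

# Constructed sample: hex for the text "Write-Host 'stage 2'", split across
# lines with mixed case, the way a pasted web page might arrive.
HEX_PAGE = """5772 6974 652D 486F 7374
2027 7374 6167 6520 3227
"""

# Constructed sample: decimal char codes, one per line (CyberChef's
# "Line feed" delimiter), for the first 16 bytes of a standard DOS header.
CHARCODE_LINES = "77\n90\n144\n0\n3\n0\n0\n0\n4\n0\n0\n0\n255\n255\n0\n0\n"


def from_hex_page(text: str) -> bytes:
    """CyberChef 'From Hex' equivalent: keep only hex digits, then decode."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits; the page may be truncated")
    return bytes.fromhex(digits)


def from_charcode_text(text: str) -> bytes:
    """CyberChef 'From Charcode' (base 10) equivalent.

    Splits on any run of non-digits, so it accepts the line-feed delimited
    list from this sample as well as comma-separated [byte[]] arrays.
    """
    values = [int(v) for v in re.findall(r"\d+", text)]
    bad = [v for v in values if v > 255]
    if bad:
        raise ValueError(f"value(s) out of byte range: {bad[:5]}")
    return bytes(values)


def describe_blob(data: bytes) -> dict:
    """Quick triage of a decoded blob: size, MD5 and whether it starts with MZ."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "is_mz": data[:2] == b"MZ",
    }


if __name__ == "__main__":
    stage2 = from_hex_page(HEX_PAGE)
    print("stage 2 script:", stage2.decode("utf-8", errors="replace"))
    payload = from_charcode_text(CHARCODE_LINES)
    print("payload:", describe_blob(payload))
```

Run against the real captures, the MD5 from `describe_blob` is the check that the decode was complete: a truncated or mangled copy of the hex page or charcode list will hash to something other than the values in the IOC list.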
Here is the VirusTotal link to the extracted Quasar executable:
IOCs:
VBS downloader (MD5): 119F4649E03ACB94BAE703CB1AED2D63
Downloader link: hxxps://www.minpic[.]de/t/be5s/f8wbe
Stage 2 downloader: hxxps://www.minpic[.]de/t/be5r/18jv5z
Hex code for stage 2: hxxps://www.minpic[.]de/k/be5q/2xolu/
PowerShell loader for Quasar (MD5): 7f1a2ff37d10eb877e51efca0daf8910
Quasar executable (MD5): 9b9880756019b1eeea28019cc18b9ee5
C2: 164.68.122[.]235:5559
C2: top[.]killwhenabusing1[.]xyz