quasar | e83d13fcdc0f133482d558c8ce25b45a491ba3aff13849ce8169f05bb4972f0d

General

Target

77-Venom.exe
Size

576KB
MD5

a4a92cfdc1b3a949970eb6f5b20e1f21
SHA1

6f46b5386bb1cdcf83861666ddeb2be02ae7ee5f
SHA256

e83d13fcdc0f133482d558c8ce25b45a491ba3aff13849ce8169f05bb4972f0d
SHA512

8b9153e6ab420e088de44005f5bc8d335ae83ad2b7705802c6140cd407df6a6f690adb172806846e39ce2a899ea849520a0b71c2a7057cf5adb58df436369447

Score

10^/10

evasion trojan spyware quasar rat rootkit stealer venomrat

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 1 IoCs

Processes:

Discord.exe

pid	Process
1204	Discord.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

77-Venom.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	77-Venom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	77-Venom.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-api.com

Drops file in System32 directory 5 IoCs

Processes:

77-Venom.exeDiscord.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\SubDir\Discord.exe	77-Venom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Discord.exe	77-Venom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Discord.exe	Discord.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	Discord.exe
File created	C:\Windows\SysWOW64\SubDir\r77-x64.dll	77-Venom.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
404	schtasks.exe
3924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exe77-Venom.exe

pid	Process
1456	powershell.exe
1456	powershell.exe
1456	powershell.exe
3288	77-Venom.exe
3288	77-Venom.exe
3288	77-Venom.exe
3288	77-Venom.exe
3288	77-Venom.exe
3288	77-Venom.exe
3288	77-Venom.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

77-Venom.exepowershell.exeDiscord.exe

description	pid	Process
Token: SeDebugPrivilege	3288	77-Venom.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1204	Discord.exe
Token: SeDebugPrivilege	1204	Discord.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Discord.exe

pid	Process
1204	Discord.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

77-Venom.exeDiscord.execmd.exe

description	pid	Process	procid_target
PID 3288 wrote to memory of 404	3288	77-Venom.exe	67
PID 3288 wrote to memory of 404	3288	77-Venom.exe	67
PID 3288 wrote to memory of 404	3288	77-Venom.exe	67
PID 3288 wrote to memory of 1204	3288	77-Venom.exe	69
PID 3288 wrote to memory of 1204	3288	77-Venom.exe	69
PID 3288 wrote to memory of 1204	3288	77-Venom.exe	69
PID 3288 wrote to memory of 1456	3288	77-Venom.exe	70
PID 3288 wrote to memory of 1456	3288	77-Venom.exe	70
PID 3288 wrote to memory of 1456	3288	77-Venom.exe	70
PID 1204 wrote to memory of 3924	1204	Discord.exe	74
PID 1204 wrote to memory of 3924	1204	Discord.exe	74
PID 1204 wrote to memory of 3924	1204	Discord.exe	74
PID 3288 wrote to memory of 2700	3288	77-Venom.exe	76
PID 3288 wrote to memory of 2700	3288	77-Venom.exe	76
PID 3288 wrote to memory of 2700	3288	77-Venom.exe	76
PID 3288 wrote to memory of 3788	3288	77-Venom.exe	78
PID 3288 wrote to memory of 3788	3288	77-Venom.exe	78
PID 3288 wrote to memory of 3788	3288	77-Venom.exe	78
PID 2700 wrote to memory of 408	2700	cmd.exe	80
PID 2700 wrote to memory of 408	2700	cmd.exe	80
PID 2700 wrote to memory of 408	2700	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\77-Venom.exe
"C:\Users\Admin\AppData\Local\Temp\77-Venom.exe"
1⤵
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\77-Venom.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:404
- C:\Windows\SysWOW64\SubDir\Discord.exe
  "C:\Windows\SysWOW64\SubDir\Discord.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Discord.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3924
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    3⤵
    PID:408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1FluQtMZZYbd.bat" "
  2⤵
  PID:3788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1FluQtMZZYbd.bat

Download Submit
C:\Windows\SysWOW64\SubDir\Discord.exe

Download Submit
C:\Windows\SysWOW64\SubDir\Discord.exe

Download Submit
memory/404-8-0x0000000000000000-mapping.dmp

Download
memory/408-51-0x0000000000000000-mapping.dmp

Download
memory/408-50-0x0000000000000000-mapping.dmp

Download
memory/1204-31-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/1204-12-0x00000000739F0000-0x00000000740DE000-memory.dmp

Filesize
6.9MB

Download
memory/1204-9-0x0000000000000000-mapping.dmp

Download
memory/1456-21-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

Filesize
4KB

Download
memory/1456-25-0x0000000008190000-0x0000000008191000-memory.dmp

Filesize
4KB

Download
memory/1456-41-0x00000000095D0000-0x00000000095D1000-memory.dmp

Filesize
4KB

Download
memory/1456-13-0x0000000000000000-mapping.dmp

Download
memory/1456-18-0x00000000739F0000-0x00000000740DE000-memory.dmp

Filesize
6.9MB

Download
memory/1456-19-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/1456-20-0x0000000007760000-0x0000000007761000-memory.dmp

Filesize
4KB

Download
memory/1456-46-0x0000000009AB0000-0x0000000009AB1000-memory.dmp

Filesize
4KB

Download
memory/1456-22-0x0000000007E80000-0x0000000007E81000-memory.dmp

Filesize
4KB

Download
memory/1456-42-0x00000000097A0000-0x00000000097A1000-memory.dmp

Filesize
4KB

Download
memory/1456-44-0x0000000009AC0000-0x0000000009AC1000-memory.dmp

Filesize
4KB

Download
memory/1456-29-0x00000000080F0000-0x00000000080F1000-memory.dmp

Filesize
4KB

Download
memory/1456-30-0x00000000085B0000-0x00000000085B1000-memory.dmp

Filesize
4KB

Download
memory/1456-43-0x0000000009B10000-0x0000000009B11000-memory.dmp

Filesize
4KB

Download
memory/1456-32-0x0000000008860000-0x0000000008861000-memory.dmp

Filesize
4KB

Download
memory/1456-34-0x00000000095F0000-0x0000000009623000-memory.dmp

Filesize
204KB

Download
memory/2700-48-0x0000000000000000-mapping.dmp

Download
memory/3288-0-0x00000000739F0000-0x00000000740DE000-memory.dmp

Filesize
6.9MB

Download
memory/3288-5-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/3288-7-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/3288-6-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/3288-4-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/3288-3-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/3288-1-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/3788-49-0x0000000000000000-mapping.dmp

Download
memory/3924-28-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads