quasar | eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c

Analysis

max time kernel
150s
max time network
111s
platform
windows10_x64
resource
win10v20201028
submitted
09/11/2020, 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe
Size

534KB
MD5

13efb4a917e73740050da354d95b760b
SHA1

e2e0f2b32c1794169a66cee6eda2b36ee4814f9f
SHA256

eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c
SHA512

c442cf4a4cca8a4c11cf90d0636d9211efd0ee0b69ed85b9fc427671f8e5693e8edff12df3d62c6b24060b6482c41c7c375b671b8111a598917881b09a40afea

Score

10^/10

quasar venomrat evasion rat rootkit spyware stealer trojan

Malware Config

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x000100000001ab40-10.dat	disable_win_def
behavioral2/files/0x000100000001ab40-12.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 1 IoCs

pid	Process
3144	Client.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2684	schtasks.exe
1448	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2636	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2224	powershell.exe
2224	powershell.exe
2224	powershell.exe
3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe
3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe
3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe
3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe
3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe
3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe
3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe
3280	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	3144	Client.exe
Token: SeDebugPrivilege	3144	Client.exe
Token: SeDebugPrivilege	3280	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3144	Client.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 2684	3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe	76
PID 3988 wrote to memory of 2684	3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe	76
PID 3988 wrote to memory of 2684	3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe	76
PID 3988 wrote to memory of 3144	3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe	78
PID 3988 wrote to memory of 3144	3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe	78
PID 3988 wrote to memory of 3144	3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe	78
PID 3988 wrote to memory of 2224	3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe	79
PID 3988 wrote to memory of 2224	3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe	79
PID 3988 wrote to memory of 2224	3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe	79
PID 3144 wrote to memory of 1448	3144	Client.exe	81
PID 3144 wrote to memory of 1448	3144	Client.exe	81
PID 3144 wrote to memory of 1448	3144	Client.exe	81
PID 3988 wrote to memory of 1636	3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe	86
PID 3988 wrote to memory of 1636	3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe	86
PID 3988 wrote to memory of 1636	3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe	86
PID 1636 wrote to memory of 2464	1636	cmd.exe	88
PID 1636 wrote to memory of 2464	1636	cmd.exe	88
PID 1636 wrote to memory of 2464	1636	cmd.exe	88
PID 3988 wrote to memory of 3492	3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe	89
PID 3988 wrote to memory of 3492	3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe	89
PID 3988 wrote to memory of 3492	3988	eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe	89
PID 3492 wrote to memory of 2128	3492	cmd.exe	91
PID 3492 wrote to memory of 2128	3492	cmd.exe	91
PID 3492 wrote to memory of 2128	3492	cmd.exe	91
PID 3492 wrote to memory of 2636	3492	cmd.exe	92
PID 3492 wrote to memory of 2636	3492	cmd.exe	92
PID 3492 wrote to memory of 2636	3492	cmd.exe	92
PID 3492 wrote to memory of 3280	3492	cmd.exe	93
PID 3492 wrote to memory of 3280	3492	cmd.exe	93
PID 3492 wrote to memory of 3280	3492	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe
"C:\Users\Admin\AppData\Local\Temp\eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe"
1⤵
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "VenomTest" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2684
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "VenomTest" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    3⤵
    PID:2464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUSIYPFdEVOy.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:2636
- - C:\Users\Admin\AppData\Local\Temp\eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe
    "C:\Users\Admin\AppData\Local\Temp\eee05be1f50efe61ec62eee4af8bca29e1b37115e0e7d23221bbde4471a6258c.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2224-26-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download
memory/2224-42-0x0000000008980000-0x0000000008981000-memory.dmp

Filesize
4KB

Download
memory/2224-46-0x0000000008DD0000-0x0000000008DD1000-memory.dmp

Filesize
4KB

Download
memory/2224-44-0x0000000008DE0000-0x0000000008DE1000-memory.dmp

Filesize
4KB

Download
memory/2224-43-0x0000000008E30000-0x0000000008E31000-memory.dmp

Filesize
4KB

Download
memory/2224-18-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/2224-19-0x00000000068F0000-0x00000000068F1000-memory.dmp

Filesize
4KB

Download
memory/2224-20-0x0000000006FC0000-0x0000000006FC1000-memory.dmp

Filesize
4KB

Download
memory/2224-21-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/2224-22-0x0000000006D80000-0x0000000006D81000-memory.dmp

Filesize
4KB

Download
memory/2224-28-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/2224-25-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/2224-41-0x00000000088E0000-0x00000000088E1000-memory.dmp

Filesize
4KB

Download
memory/2224-24-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/2224-34-0x0000000008940000-0x0000000008973000-memory.dmp

Filesize
204KB

Download
memory/3144-32-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/3144-13-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/3280-58-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/3988-4-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/3988-3-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/3988-0-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/3988-7-0x0000000006630000-0x0000000006631000-memory.dmp

Filesize
4KB

Download
memory/3988-5-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/3988-1-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/3988-6-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download