quasar | 23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7

Analysis

max time kernel
132s
max time network
142s
platform
windows10_x64
resource
win10v20201028
submitted
10-11-2020 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe
Size

534KB
MD5

f811e2467c4093bffa92ec60e7157500
SHA1

2d9c29b8d7156619d144e14ffc2a1ab12424b883
SHA256

23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7
SHA512

f32962a0f05e2918472a74632515596e2152e5e7fd2300c0238aeec73ca03fc2b35301ed9ef3f0a3e42e978c08d562dcd113ddb4ed9b86762f40cd3a59349f5d

Score

10^/10

quasar venomrat evasion rat rootkit spyware stealer trojan

Malware Config

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/files/0x000200000001ab53-10.dat	disable_win_def
behavioral2/files/0x000200000001ab53-12.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid	Process
1500	Client.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
10	ip-api.com

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
2640	schtasks.exe
1204	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2452	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exe23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe

pid	Process
748	powershell.exe
748	powershell.exe
748	powershell.exe
3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe
3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe
3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe
3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe
3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe
3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe
3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe
1328	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exepowershell.exeClient.exe23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe

description	pid	Process
Token: SeDebugPrivilege	3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	1500	Client.exe
Token: SeDebugPrivilege	1500	Client.exe
Token: SeDebugPrivilege	1328	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid	Process
1500	Client.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exeClient.execmd.execmd.exe

description	pid	Process	procid_target
PID 3932 wrote to memory of 2640	3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe	75
PID 3932 wrote to memory of 2640	3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe	75
PID 3932 wrote to memory of 2640	3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe	75
PID 3932 wrote to memory of 1500	3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe	77
PID 3932 wrote to memory of 1500	3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe	77
PID 3932 wrote to memory of 1500	3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe	77
PID 3932 wrote to memory of 748	3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe	78
PID 3932 wrote to memory of 748	3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe	78
PID 3932 wrote to memory of 748	3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe	78
PID 1500 wrote to memory of 1204	1500	Client.exe	80
PID 1500 wrote to memory of 1204	1500	Client.exe	80
PID 1500 wrote to memory of 1204	1500	Client.exe	80
PID 3932 wrote to memory of 1216	3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe	85
PID 3932 wrote to memory of 1216	3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe	85
PID 3932 wrote to memory of 1216	3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe	85
PID 1216 wrote to memory of 1604	1216	cmd.exe	87
PID 1216 wrote to memory of 1604	1216	cmd.exe	87
PID 1216 wrote to memory of 1604	1216	cmd.exe	87
PID 3932 wrote to memory of 1744	3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe	88
PID 3932 wrote to memory of 1744	3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe	88
PID 3932 wrote to memory of 1744	3932	23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe	88
PID 1744 wrote to memory of 2380	1744	cmd.exe	90
PID 1744 wrote to memory of 2380	1744	cmd.exe	90
PID 1744 wrote to memory of 2380	1744	cmd.exe	90
PID 1744 wrote to memory of 2452	1744	cmd.exe	91
PID 1744 wrote to memory of 2452	1744	cmd.exe	91
PID 1744 wrote to memory of 2452	1744	cmd.exe	91
PID 1744 wrote to memory of 1328	1744	cmd.exe	92
PID 1744 wrote to memory of 1328	1744	cmd.exe	92
PID 1744 wrote to memory of 1328	1744	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe
"C:\Users\Admin\AppData\Local\Temp\23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe"
1⤵
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "TwitchFollowy" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2640
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "TwitchFollowy" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1204
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    3⤵
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WnvI3vrpvdw1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:2452
- - C:\Users\Admin\AppData\Local\Temp\23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe
    "C:\Users\Admin\AppData\Local\Temp\23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7.exe.log

MD5
1efce85e583a7a2f123317a20f889d04

SHA1
60f71aa73ea2e2a48ed1c17e3c6d440abf39c914

SHA256
2b5532a94879134a876b11c188ade1a61deaba6a80fe1f3a3a77cc442f1cca0d

SHA512
45a5cd283e6a6ac34c3d8b1a6d73dc1cf52d8c974cf84624e8e9924eddaf354ccda929bce728b47db2b62175e47bdc3eaca6bc6b84d3565881fa87c50319d24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WnvI3vrpvdw1.bat

MD5
d3965af769ff53af26ece8f4671d73d1

SHA1
dba5825411a834ee5f7410d3b68b2b9344a19e15

SHA256
d50219e626a4a2ea00e1e091689bc48a1a07efd55fdac687f0df4f272657ac9f

SHA512
17e5493f2f6f4d7c3fccdbcdd4c1c508774edb028c01e8c254178150d36e38a0223f20be0e5aaa491959502f6fc9982e431e455893c593c6e7d1464cbcbbbff8

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
f811e2467c4093bffa92ec60e7157500

SHA1
2d9c29b8d7156619d144e14ffc2a1ab12424b883

SHA256
23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7

SHA512
f32962a0f05e2918472a74632515596e2152e5e7fd2300c0238aeec73ca03fc2b35301ed9ef3f0a3e42e978c08d562dcd113ddb4ed9b86762f40cd3a59349f5d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
f811e2467c4093bffa92ec60e7157500

SHA1
2d9c29b8d7156619d144e14ffc2a1ab12424b883

SHA256
23210003a18c718c32fdd5de4d4ac93ed751458b7971c824f1aad0620b05bff7

SHA512
f32962a0f05e2918472a74632515596e2152e5e7fd2300c0238aeec73ca03fc2b35301ed9ef3f0a3e42e978c08d562dcd113ddb4ed9b86762f40cd3a59349f5d

Download Submit
memory/748-26-0x0000000007DC0000-0x0000000007DC1000-memory.dmp

Filesize
4KB

Download
memory/748-18-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/748-43-0x0000000009000000-0x0000000009001000-memory.dmp

Filesize
4KB

Download
memory/748-27-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

Filesize
4KB

Download
memory/748-42-0x0000000008E90000-0x0000000008E91000-memory.dmp

Filesize
4KB

Download
memory/748-34-0x0000000008B20000-0x0000000008B53000-memory.dmp

Filesize
204KB

Download
memory/748-44-0x0000000008FB0000-0x0000000008FB1000-memory.dmp

Filesize
4KB

Download
memory/748-11-0x0000000000000000-mapping.dmp

Download
memory/748-41-0x0000000008070000-0x0000000008071000-memory.dmp

Filesize
4KB

Download
memory/748-46-0x0000000008FA0000-0x0000000008FA1000-memory.dmp

Filesize
4KB

Download
memory/748-19-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/748-20-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/748-21-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/748-22-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/748-24-0x00000000076D0000-0x00000000076D1000-memory.dmp

Filesize
4KB

Download
memory/748-25-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/1204-31-0x0000000000000000-mapping.dmp

Download
memory/1216-48-0x0000000000000000-mapping.dmp

Download
memory/1328-56-0x0000000000000000-mapping.dmp

Download
memory/1328-55-0x0000000000000000-mapping.dmp

Download
memory/1328-58-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/1500-13-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/1500-32-0x0000000006720000-0x0000000006721000-memory.dmp

Filesize
4KB

Download
memory/1500-9-0x0000000000000000-mapping.dmp

Download
memory/1604-50-0x0000000000000000-mapping.dmp

Download
memory/1604-49-0x0000000000000000-mapping.dmp

Download
memory/1744-51-0x0000000000000000-mapping.dmp

Download
memory/2380-53-0x0000000000000000-mapping.dmp

Download
memory/2452-54-0x0000000000000000-mapping.dmp

Download
memory/2640-8-0x0000000000000000-mapping.dmp

Download
memory/3932-1-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/3932-6-0x0000000006390000-0x0000000006391000-memory.dmp

Filesize
4KB

Download
memory/3932-3-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/3932-0-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3932-4-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/3932-5-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/3932-7-0x0000000006760000-0x0000000006761000-memory.dmp

Filesize
4KB

Download