quasar | cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc

Analysis

max time kernel
155s
max time network
168s
platform
windows10_x64
resource
win10-en
submitted
03-09-2021 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe
Size

792KB
MD5

4ef1927705d28faf8456c200397d0af6
SHA1

b92ab805e7c2884abcf371179b0d8989c4f90025
SHA256

cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc
SHA512

fe7f2405a8beb2bd70cfc689ce5ea3fc2cc4e03c72c925db698ea0e56b269b3e66c20f88afc382ea734e39b25cf66b0bcf24d72dab12d1b791ef91c690af17ac

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

192.168.1.154:4782

Mutex

VNM_MUTEX_ph9lkMeWS6xgznetvP

Attributes

encryption_key
2ABr09PX2FCCobHek8sv
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/files/0x000400000001aaef-125.dat	disable_win_def
behavioral2/files/0x000400000001aaef-127.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000400000001aaef-125.dat	family_quasar
behavioral2/files/0x000400000001aaef-127.dat	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid	Process
2976	Client.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
2924	schtasks.exe
2312	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1156	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.execd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.execd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe

pid	Process
2504	powershell.exe
2504	powershell.exe
2504	powershell.exe
3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe
3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe
3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe
3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe
3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe
3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe
3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe
3780	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exepowershell.exeClient.execd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe

description	pid	Process
Token: SeDebugPrivilege	3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2976	Client.exe
Token: SeDebugPrivilege	2976	Client.exe
Token: SeDebugPrivilege	3780	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid	Process
2976	Client.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exeClient.execmd.execmd.exe

description	pid	Process	procid_target
PID 3680 wrote to memory of 2924	3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe	76
PID 3680 wrote to memory of 2924	3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe	76
PID 3680 wrote to memory of 2924	3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe	76
PID 3680 wrote to memory of 2976	3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe	78
PID 3680 wrote to memory of 2976	3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe	78
PID 3680 wrote to memory of 2976	3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe	78
PID 3680 wrote to memory of 2504	3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe	79
PID 3680 wrote to memory of 2504	3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe	79
PID 3680 wrote to memory of 2504	3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe	79
PID 2976 wrote to memory of 2312	2976	Client.exe	81
PID 2976 wrote to memory of 2312	2976	Client.exe	81
PID 2976 wrote to memory of 2312	2976	Client.exe	81
PID 3680 wrote to memory of 1848	3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe	85
PID 3680 wrote to memory of 1848	3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe	85
PID 3680 wrote to memory of 1848	3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe	85
PID 1848 wrote to memory of 3760	1848	cmd.exe	87
PID 1848 wrote to memory of 3760	1848	cmd.exe	87
PID 1848 wrote to memory of 3760	1848	cmd.exe	87
PID 3680 wrote to memory of 3676	3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe	89
PID 3680 wrote to memory of 3676	3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe	89
PID 3680 wrote to memory of 3676	3680	cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe	89
PID 3676 wrote to memory of 3980	3676	cmd.exe	91
PID 3676 wrote to memory of 3980	3676	cmd.exe	91
PID 3676 wrote to memory of 3980	3676	cmd.exe	91
PID 3676 wrote to memory of 1156	3676	cmd.exe	92
PID 3676 wrote to memory of 1156	3676	cmd.exe	92
PID 3676 wrote to memory of 1156	3676	cmd.exe	92
PID 3676 wrote to memory of 3780	3676	cmd.exe	93
PID 3676 wrote to memory of 3780	3676	cmd.exe	93
PID 3676 wrote to memory of 3780	3676	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe
"C:\Users\Admin\AppData\Local\Temp\cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe"
1⤵
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2924
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2312
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    3⤵
    PID:3760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMPPb97JcMCv.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:1156
- - C:\Users\Admin\AppData\Local\Temp\cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe
    "C:\Users\Admin\AppData\Local\Temp\cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc.exe.log

MD5
1efce85e583a7a2f123317a20f889d04

SHA1
60f71aa73ea2e2a48ed1c17e3c6d440abf39c914

SHA256
2b5532a94879134a876b11c188ade1a61deaba6a80fe1f3a3a77cc442f1cca0d

SHA512
45a5cd283e6a6ac34c3d8b1a6d73dc1cf52d8c974cf84624e8e9924eddaf354ccda929bce728b47db2b62175e47bdc3eaca6bc6b84d3565881fa87c50319d24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMPPb97JcMCv.bat

MD5
a0a6194b2b84596c3b324231de84c8d2

SHA1
25a4e4db9a426ac6526b0cbe11bc4480dedcb375

SHA256
061678e8cf184ed86c1a9bb5617f15748bcea66fe88d485ea1b41b996f42889b

SHA512
37ab47ac98fc360a9c04ce016bf1f4983a15fc454ea7e5b6021003d0d54470e9b67d0e92965a99d8902bb9ffde001b8c23a46e8bcd7c6bd388a6445d55b25558

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
4ef1927705d28faf8456c200397d0af6

SHA1
b92ab805e7c2884abcf371179b0d8989c4f90025

SHA256
cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc

SHA512
fe7f2405a8beb2bd70cfc689ce5ea3fc2cc4e03c72c925db698ea0e56b269b3e66c20f88afc382ea734e39b25cf66b0bcf24d72dab12d1b791ef91c690af17ac

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5
4ef1927705d28faf8456c200397d0af6

SHA1
b92ab805e7c2884abcf371179b0d8989c4f90025

SHA256
cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc

SHA512
fe7f2405a8beb2bd70cfc689ce5ea3fc2cc4e03c72c925db698ea0e56b269b3e66c20f88afc382ea734e39b25cf66b0bcf24d72dab12d1b791ef91c690af17ac

Download Submit
memory/1156-392-0x0000000000000000-mapping.dmp

Download
memory/1848-387-0x0000000000000000-mapping.dmp

Download
memory/2312-149-0x0000000000000000-mapping.dmp

Download
memory/2504-143-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

Filesize
4KB

Download
memory/2504-372-0x0000000009A40000-0x0000000009A41000-memory.dmp

Filesize
4KB

Download
memory/2504-366-0x0000000009A50000-0x0000000009A51000-memory.dmp

Filesize
4KB

Download
memory/2504-173-0x0000000009AC0000-0x0000000009AC1000-memory.dmp

Filesize
4KB

Download
memory/2504-126-0x0000000000000000-mapping.dmp

Download
memory/2504-134-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/2504-135-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/2504-136-0x0000000007E80000-0x0000000007E81000-memory.dmp

Filesize
4KB

Download
memory/2504-137-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/2504-139-0x0000000008250000-0x0000000008251000-memory.dmp

Filesize
4KB

Download
memory/2504-172-0x00000000070E3000-0x00000000070E4000-memory.dmp

Filesize
4KB

Download
memory/2504-141-0x00000000070E0000-0x00000000070E1000-memory.dmp

Filesize
4KB

Download
memory/2504-142-0x00000000070E2000-0x00000000070E3000-memory.dmp

Filesize
4KB

Download
memory/2504-171-0x000000007F4F0000-0x000000007F4F1000-memory.dmp

Filesize
4KB

Download
memory/2504-144-0x0000000008A10000-0x0000000008A11000-memory.dmp

Filesize
4KB

Download
memory/2504-145-0x0000000008820000-0x0000000008821000-memory.dmp

Filesize
4KB

Download
memory/2504-170-0x0000000009900000-0x0000000009901000-memory.dmp

Filesize
4KB

Download
memory/2504-165-0x0000000009560000-0x0000000009561000-memory.dmp

Filesize
4KB

Download
memory/2504-158-0x0000000009580000-0x00000000095B3000-memory.dmp

Filesize
204KB

Download
memory/2924-123-0x0000000000000000-mapping.dmp

Download
memory/2976-152-0x0000000006010000-0x0000000006011000-memory.dmp

Filesize
4KB

Download
memory/2976-140-0x00000000049A0000-0x0000000004E9E000-memory.dmp

Filesize
5.0MB

Download
memory/2976-124-0x0000000000000000-mapping.dmp

Download
memory/3676-389-0x0000000000000000-mapping.dmp

Download
memory/3680-118-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/3680-122-0x0000000006420000-0x0000000006421000-memory.dmp

Filesize
4KB

Download
memory/3680-120-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/3680-115-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/3680-119-0x0000000005070000-0x000000000556E000-memory.dmp

Filesize
5.0MB

Download
memory/3680-121-0x0000000006050000-0x0000000006051000-memory.dmp

Filesize
4KB

Download
memory/3680-117-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/3760-388-0x0000000000000000-mapping.dmp

Download
memory/3780-393-0x0000000000000000-mapping.dmp

Download
memory/3780-399-0x0000000004A70000-0x0000000004F6E000-memory.dmp

Filesize
5.0MB

Download
memory/3980-391-0x0000000000000000-mapping.dmp

Download