Analysis

  • max time kernel
    142s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    22-09-2021 13:20

General

  • Target: a0824896a6cb88bb0459cd54f5085056cfd2c9733b5cdc75623615e5d61f86c1.exe
  • Size: 1.0MB
  • MD5: d9ae9f8e6be0c1d7c70a1d1b86f44a8c
  • SHA1: 1564057c68ed04ffe76aa192e867ed40cd868840
  • SHA256: a0824896a6cb88bb0459cd54f5085056cfd2c9733b5cdc75623615e5d61f86c1
  • SHA512: d13a512177f86e9a3de60c6b525175005870d5c1536f9e2af80da0c881314d3833b7140e777c65950d71053907f4608237f595490372e5e003fc9c3925786e2b

Malware Config

Extracted

  • Family: quasar
  • Version: 2.8.0.1
  • Botnet: Venom Client
  • C2: 192.168.0.149:4455
  • Mutex: PNMCyu2XSzVny0gdTw

Attributes

  • encryption_key: aPDdCEtQpHs1yTAHJZ1B
  • install_name: Venom.exe
  • log_directory: Logs
  • reconnect_delay: 3000
  • startup_key: Venom Client Startup
  • subdirectory:
Signatures

  • Quasar Payload 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0824896a6cb88bb0459cd54f5085056cfd2c9733b5cdc75623615e5d61f86c1.exe
    "C:\Users\Admin\AppData\Local\Temp\a0824896a6cb88bb0459cd54f5085056cfd2c9733b5cdc75623615e5d61f86c1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\a0824896a6cb88bb0459cd54f5085056cfd2c9733b5cdc75623615e5d61f86c1.exe
      "C:\Users\Admin\AppData\Local\Temp\a0824896a6cb88bb0459cd54f5085056cfd2c9733b5cdc75623615e5d61f86c1.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=a0824896a6cb88bb0459cd54f5085056cfd2c9733b5cdc75623615e5d61f86c1.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1568
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1568 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:584

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 1

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wkz58mr\imagestore.dat
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WD2K4O01.txt
  • memory/584-61-0x0000000000000000-mapping.dmp
  • memory/1516-57-0x0000000000400000-0x00000000004EC000-memory.dmp (Filesize: 944KB)
  • memory/1516-58-0x00000000004E614E-mapping.dmp
  • memory/1516-59-0x00000000762D1000-0x00000000762D3000-memory.dmp (Filesize: 8KB)
  • memory/1568-60-0x0000000000000000-mapping.dmp