quasar | 1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8

General

Target

1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8.exe
Size

546KB
MD5

099bce8eba599fd7262af4fe930ab098
SHA1

ccdfce07b8ca10a2b33e670dc09550e0b43d5dcb
SHA256

1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8
SHA512

3b9aa646ba2862bbd1644ed62034dcf4ff3a6d4b9f63ecc95281832dfbc03cd96c4a1894150ea45b4288abd9eae9a7ee2fa01634a3d7232c169d4c7e3681e345

Score

10^/10

quasar venomrat office04 rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

10.0.0.74:1177

Mutex

VNM_MUTEX_DweppWsG4TQ0OOm4Hi

Attributes

encryption_key
G5PWQxh2RxlVLvkDxu7P
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/files/0x000700000001aba7-116.dat	disable_win_def
behavioral2/files/0x000700000001aba7-117.dat	disable_win_def

Quasar Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000700000001aba7-116.dat	family_quasar
behavioral2/files/0x000700000001aba7-117.dat	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 1 IoCs

Processes:

$77-Venom.exe

pid	Process
2156	$77-Venom.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

$77-Venom.exe

description	pid	Process
Token: SeDebugPrivilege	2156	$77-Venom.exe
Token: SeDebugPrivilege	2156	$77-Venom.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8.exe

description	pid	Process	procid_target
PID 1952 wrote to memory of 2156	1952	1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8.exe	69
PID 1952 wrote to memory of 2156	1952	1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8.exe	69
PID 1952 wrote to memory of 2156	1952	1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8.exe	69

C:\Users\Admin\AppData\Local\Temp\1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8.exe
"C:\Users\Admin\AppData\Local\Temp\1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Roaming\$77-Venom.exe
  "C:\Users\Admin\AppData\Roaming\$77-Venom.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\$77-Venom.exe

MD5
eab7a704a7bea20eaa5494acecaada27

SHA1
f6ca815c1e4f567b55609d7785b26f510cf86402

SHA256
2cfa1686bbe1abeca02cc0009a8cdc523343814758fa621854fd6ef8fc2235a5

SHA512
8989eee40ee97463b3dcd2823cdc687d0918791490f1f39f81ac4e8ce9484681bb18bef906b5e833261f304ddfdb6da711acbeedb8007bf1de1eda87bc99cfbf

Download Submit
C:\Users\Admin\AppData\Roaming\$77-Venom.exe

MD5
eab7a704a7bea20eaa5494acecaada27

SHA1
f6ca815c1e4f567b55609d7785b26f510cf86402

SHA256
2cfa1686bbe1abeca02cc0009a8cdc523343814758fa621854fd6ef8fc2235a5

SHA512
8989eee40ee97463b3dcd2823cdc687d0918791490f1f39f81ac4e8ce9484681bb18bef906b5e833261f304ddfdb6da711acbeedb8007bf1de1eda87bc99cfbf

Download Submit
memory/1952-118-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/2156-115-0x0000000000000000-mapping.dmp

Download
memory/2156-119-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/2156-121-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/2156-122-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/2156-123-0x0000000005380000-0x000000000587E000-memory.dmp

Filesize
5.0MB

Download
memory/2156-124-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/2156-125-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/2156-126-0x00000000064F0000-0x00000000064F1000-memory.dmp

Filesize
4KB

Download
memory/2156-127-0x0000000006690000-0x0000000006691000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads