quasar | 5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1

Analysis

max time kernel
4294216s
max time network
148s
platform
windows7_x64
resource
win7-20220310-en
submitted
25-03-2022 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe
Size

814KB
MD5

a14720279a25c2635029d82e0b395d8d
SHA1

492f8568c09739c0ec3eae755c301be067ba7c3a
SHA256

5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1
SHA512

4c4001b3232257376437c7696e17671f35dde68b9c86a21690edad93d91ae80e4811e4d7b217d252534c9d51d6a3d259d29e572466997932217886f7f57db71f

Score

10^/10

quasar venomrat shop evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

shop

185.204.1.236:4521

Mutex

VNM_MUTEX_1NgafS3xkifQY5TYWL

Attributes

encryption_key
5KaBFSa6AfCkIN5zPsZV
install_name
$77loader.exe
log_directory
Logs
reconnect_delay
3000
startup_key
dllhost
subdirectory
$77loader

Signatures

Contains code to disable Windows Defender 11 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0009000000012712-61.dat	disable_win_def
behavioral1/files/0x0009000000012712-62.dat	disable_win_def
behavioral1/files/0x0009000000012712-63.dat	disable_win_def
behavioral1/files/0x0009000000012712-64.dat	disable_win_def
behavioral1/files/0x0009000000012712-66.dat	disable_win_def
behavioral1/files/0x0009000000012712-67.dat	disable_win_def
behavioral1/memory/1632-68-0x0000000000370000-0x00000000003FC000-memory.dmp	disable_win_def
behavioral1/files/0x00070000000131ce-73.dat	disable_win_def
behavioral1/files/0x00070000000131ce-72.dat	disable_win_def
behavioral1/files/0x00070000000131ce-70.dat	disable_win_def
behavioral1/memory/1916-74-0x00000000002D0000-0x000000000035C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012712-61.dat	family_quasar
behavioral1/files/0x0009000000012712-62.dat	family_quasar
behavioral1/files/0x0009000000012712-63.dat	family_quasar
behavioral1/files/0x0009000000012712-64.dat	family_quasar
behavioral1/files/0x0009000000012712-66.dat	family_quasar
behavioral1/files/0x0009000000012712-67.dat	family_quasar
behavioral1/memory/1632-68-0x0000000000370000-0x00000000003FC000-memory.dmp	family_quasar
behavioral1/files/0x00070000000131ce-73.dat	family_quasar
behavioral1/files/0x00070000000131ce-72.dat	family_quasar
behavioral1/files/0x00070000000131ce-70.dat	family_quasar
behavioral1/memory/1916-74-0x00000000002D0000-0x000000000035C000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 3 IoCs

pid	Process
1464	server.sfx.exe
1632	server.exe
1916	$77loader.exe

Loads dropped DLL 5 IoCs

pid	Process
1464	server.sfx.exe
1464	server.sfx.exe
1464	server.sfx.exe
1464	server.sfx.exe
1632	server.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	server.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\SysWOW64\\$77loader\\$77loader.exe\""	$77loader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\server.exe\""	server.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\$77loader	$77loader.exe
File created	C:\Windows\SysWOW64\$77loader\$77loader.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\$77loader\$77loader.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\$77loader\$77loader.exe	$77loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1384	schtasks.exe
1516	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	server.exe
Token: SeDebugPrivilege	1916	$77loader.exe
Token: SeDebugPrivilege	1916	$77loader.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1916	$77loader.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1440	1064	5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe	27
PID 1064 wrote to memory of 1440	1064	5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe	27
PID 1064 wrote to memory of 1440	1064	5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe	27
PID 1064 wrote to memory of 1440	1064	5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe	27
PID 1440 wrote to memory of 1464	1440	cmd.exe	29
PID 1440 wrote to memory of 1464	1440	cmd.exe	29
PID 1440 wrote to memory of 1464	1440	cmd.exe	29
PID 1440 wrote to memory of 1464	1440	cmd.exe	29
PID 1464 wrote to memory of 1632	1464	server.sfx.exe	30
PID 1464 wrote to memory of 1632	1464	server.sfx.exe	30
PID 1464 wrote to memory of 1632	1464	server.sfx.exe	30
PID 1464 wrote to memory of 1632	1464	server.sfx.exe	30
PID 1632 wrote to memory of 1384	1632	server.exe	34
PID 1632 wrote to memory of 1384	1632	server.exe	34
PID 1632 wrote to memory of 1384	1632	server.exe	34
PID 1632 wrote to memory of 1384	1632	server.exe	34
PID 1632 wrote to memory of 1916	1632	server.exe	36
PID 1632 wrote to memory of 1916	1632	server.exe	36
PID 1632 wrote to memory of 1916	1632	server.exe	36
PID 1632 wrote to memory of 1916	1632	server.exe	36
PID 1632 wrote to memory of 1904	1632	server.exe	37
PID 1632 wrote to memory of 1904	1632	server.exe	37
PID 1632 wrote to memory of 1904	1632	server.exe	37
PID 1632 wrote to memory of 1904	1632	server.exe	37
PID 1916 wrote to memory of 1516	1916	$77loader.exe	39
PID 1916 wrote to memory of 1516	1916	$77loader.exe	39
PID 1916 wrote to memory of 1516	1916	$77loader.exe	39
PID 1916 wrote to memory of 1516	1916	$77loader.exe	39

C:\Users\Admin\AppData\Local\Temp\5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe
"C:\Users\Admin\AppData\Local\Temp\5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\start.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\server.sfx.exe
    server.sfx -pFSPFJSDOFH9GGLDHGHDHDLDGFHLDGFHDFGHHLKFDG -dc:\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1384
    - - C:\Windows\SysWOW64\$77loader\$77loader.exe
        
        "C:\Windows\SysWOW64\$77loader\$77loader.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "C:\Windows\SysWOW64\$77loader\$77loader.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:1516
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        
        PID:1904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1064-54-0x0000000075691000-0x0000000075693000-memory.dmp

Filesize
8KB

Download
memory/1632-68-0x0000000000370000-0x00000000003FC000-memory.dmp

Filesize
560KB

Download
memory/1916-74-0x00000000002D0000-0x000000000035C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads