quasar | 5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1

Analysis

max time kernel
4294216s
max time network
148s
platform
windows7_x64
resource
win7-20220310-en
submitted
25-03-2022 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe
Size

814KB
MD5

a14720279a25c2635029d82e0b395d8d
SHA1

492f8568c09739c0ec3eae755c301be067ba7c3a
SHA256

5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1
SHA512

4c4001b3232257376437c7696e17671f35dde68b9c86a21690edad93d91ae80e4811e4d7b217d252534c9d51d6a3d259d29e572466997932217886f7f57db71f

Score

10^/10

quasar venomrat shop evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

shop

185.204.1.236:4521

Mutex

VNM_MUTEX_1NgafS3xkifQY5TYWL

Attributes

encryption_key
5KaBFSa6AfCkIN5zPsZV
install_name
$77loader.exe
log_directory
Logs
reconnect_delay
3000
startup_key
dllhost
subdirectory
$77loader

Signatures

Contains code to disable Windows Defender 11 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe	disable_win_def
\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe	disable_win_def
\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe	disable_win_def
\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe	disable_win_def
behavioral1/memory/1632-68-0x0000000000370000-0x00000000003FC000-memory.dmp	disable_win_def
C:\Windows\SysWOW64\$77loader\$77loader.exe	disable_win_def
C:\Windows\SysWOW64\$77loader\$77loader.exe	disable_win_def
\Windows\SysWOW64\$77loader\$77loader.exe	disable_win_def
behavioral1/memory/1916-74-0x00000000002D0000-0x000000000035C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 11 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe	family_quasar
\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe	family_quasar
\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe	family_quasar
\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe	family_quasar
behavioral1/memory/1632-68-0x0000000000370000-0x00000000003FC000-memory.dmp	family_quasar
C:\Windows\SysWOW64\$77loader\$77loader.exe	family_quasar
C:\Windows\SysWOW64\$77loader\$77loader.exe	family_quasar
\Windows\SysWOW64\$77loader\$77loader.exe	family_quasar
behavioral1/memory/1916-74-0x00000000002D0000-0x000000000035C000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Executes dropped EXE 3 IoCs

Processes:

server.sfx.exeserver.exe$77loader.exe

pid process

1464 server.sfx.exe
1632 server.exe
1916 $77loader.exe
Loads dropped DLL 5 IoCs

Processes:

server.sfx.exeserver.exe

pid process

1464 server.sfx.exe
1464 server.sfx.exe
1464 server.sfx.exe
1464 server.sfx.exe
1632 server.exe

pid	process
1464	server.sfx.exe
1632	server.exe
1916	$77loader.exe

pid	process
1464	server.sfx.exe
1464	server.sfx.exe
1464	server.sfx.exe
1464	server.sfx.exe
1632	server.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	server.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

$77loader.exeserver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\SysWOW64\\$77loader\\$77loader.exe\""	$77loader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\server.exe\""	server.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

$77loader.exeserver.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\$77loader	$77loader.exe
File created	C:\Windows\SysWOW64\$77loader\$77loader.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\$77loader\$77loader.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\$77loader\$77loader.exe	$77loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1384 schtasks.exe
1516 schtasks.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

server.exe$77loader.exe

description pid process

Token: SeDebugPrivilege 1632 server.exe
Token: SeDebugPrivilege 1916 $77loader.exe
Token: SeDebugPrivilege 1916 $77loader.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$77loader.exe

pid process

1916 $77loader.exe

pid	process
1384	schtasks.exe
1516	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1632	server.exe
Token: SeDebugPrivilege	1916	$77loader.exe
Token: SeDebugPrivilege	1916	$77loader.exe

pid	process
1916	$77loader.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.execmd.exeserver.sfx.exeserver.exe$77loader.exe

description	pid	process	target process
PID 1064 wrote to memory of 1440	1064	5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe	cmd.exe
PID 1064 wrote to memory of 1440	1064	5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe	cmd.exe
PID 1064 wrote to memory of 1440	1064	5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe	cmd.exe
PID 1064 wrote to memory of 1440	1064	5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe	cmd.exe
PID 1440 wrote to memory of 1464	1440	cmd.exe	server.sfx.exe
PID 1440 wrote to memory of 1464	1440	cmd.exe	server.sfx.exe
PID 1440 wrote to memory of 1464	1440	cmd.exe	server.sfx.exe
PID 1440 wrote to memory of 1464	1440	cmd.exe	server.sfx.exe
PID 1464 wrote to memory of 1632	1464	server.sfx.exe	server.exe
PID 1464 wrote to memory of 1632	1464	server.sfx.exe	server.exe
PID 1464 wrote to memory of 1632	1464	server.sfx.exe	server.exe
PID 1464 wrote to memory of 1632	1464	server.sfx.exe	server.exe
PID 1632 wrote to memory of 1384	1632	server.exe	schtasks.exe
PID 1632 wrote to memory of 1384	1632	server.exe	schtasks.exe
PID 1632 wrote to memory of 1384	1632	server.exe	schtasks.exe
PID 1632 wrote to memory of 1384	1632	server.exe	schtasks.exe
PID 1632 wrote to memory of 1916	1632	server.exe	$77loader.exe
PID 1632 wrote to memory of 1916	1632	server.exe	$77loader.exe
PID 1632 wrote to memory of 1916	1632	server.exe	$77loader.exe
PID 1632 wrote to memory of 1916	1632	server.exe	$77loader.exe
PID 1632 wrote to memory of 1904	1632	server.exe	powershell.exe
PID 1632 wrote to memory of 1904	1632	server.exe	powershell.exe
PID 1632 wrote to memory of 1904	1632	server.exe	powershell.exe
PID 1632 wrote to memory of 1904	1632	server.exe	powershell.exe
PID 1916 wrote to memory of 1516	1916	$77loader.exe	schtasks.exe
PID 1916 wrote to memory of 1516	1916	$77loader.exe	schtasks.exe
PID 1916 wrote to memory of 1516	1916	$77loader.exe	schtasks.exe
PID 1916 wrote to memory of 1516	1916	$77loader.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe
"C:\Users\Admin\AppData\Local\Temp\5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\start.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\server.sfx.exe
server.sfx -pFSPFJSDOFH9GGLDHGHDHDLDGFHLDGFHDFGHHLKFDG -dc:\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1384

C:\Windows\SysWOW64\$77loader\$77loader.exe
"C:\Windows\SysWOW64\$77loader\$77loader.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "C:\Windows\SysWOW64\$77loader\$77loader.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
PID:1904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe
MD5
ea1f8be51c446770d0134a512fad9426

SHA1
e667c956cf6e1a9e92aa29767c41b162f2b9302f

SHA256
429f741cb36e685a6b3ed9cf42f1878f2d673da97cb5603304d41b462ea7f349

SHA512
88497ad6fb543086303f25e1ea6c528065ecb38a27a46e61d5a7cd3a4e718849bb45df3b50bc023abffc7e0593a26fb97bbabae8cc417fe4fbccc93156c9cba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe
MD5
ea1f8be51c446770d0134a512fad9426

SHA1
e667c956cf6e1a9e92aa29767c41b162f2b9302f

SHA256
429f741cb36e685a6b3ed9cf42f1878f2d673da97cb5603304d41b462ea7f349

SHA512
88497ad6fb543086303f25e1ea6c528065ecb38a27a46e61d5a7cd3a4e718849bb45df3b50bc023abffc7e0593a26fb97bbabae8cc417fe4fbccc93156c9cba2

Download Submit
C:\Windows\SysWOW64\$77loader\$77loader.exe
MD5
ea1f8be51c446770d0134a512fad9426

SHA1
e667c956cf6e1a9e92aa29767c41b162f2b9302f

SHA256
429f741cb36e685a6b3ed9cf42f1878f2d673da97cb5603304d41b462ea7f349

SHA512
88497ad6fb543086303f25e1ea6c528065ecb38a27a46e61d5a7cd3a4e718849bb45df3b50bc023abffc7e0593a26fb97bbabae8cc417fe4fbccc93156c9cba2

Download Submit
C:\Windows\SysWOW64\$77loader\$77loader.exe
MD5
ea1f8be51c446770d0134a512fad9426

SHA1
e667c956cf6e1a9e92aa29767c41b162f2b9302f

SHA256
429f741cb36e685a6b3ed9cf42f1878f2d673da97cb5603304d41b462ea7f349

SHA512
88497ad6fb543086303f25e1ea6c528065ecb38a27a46e61d5a7cd3a4e718849bb45df3b50bc023abffc7e0593a26fb97bbabae8cc417fe4fbccc93156c9cba2

Download Submit
C:\server.sfx.exe
MD5
822f0d54a7563937ed316924abaaf070

SHA1
d40c6decf2c31622a3924795ede8ab92a85423ad

SHA256
ad955c8e32f4f9678820bc6fc66584f10fb0ef2f4de2b309c707075f559bbbe9

SHA512
2a21d32fcfb6b8e5ff3d475c91d874276c8f85951c8c2b4225a40d5446acf9832b33f9002bfca55bd43dc4626141f9afb39a34d0aeb012b9355e7b46a517f8f2

Download Submit
C:\server.sfx.exe
MD5
822f0d54a7563937ed316924abaaf070

SHA1
d40c6decf2c31622a3924795ede8ab92a85423ad

SHA256
ad955c8e32f4f9678820bc6fc66584f10fb0ef2f4de2b309c707075f559bbbe9

SHA512
2a21d32fcfb6b8e5ff3d475c91d874276c8f85951c8c2b4225a40d5446acf9832b33f9002bfca55bd43dc4626141f9afb39a34d0aeb012b9355e7b46a517f8f2

Download Submit
C:\start.bat
MD5
9326d70f25bcef4acecb15269928d8a7

SHA1
5ccac15eb2ffa5e1e6f86687738bf96b71164319

SHA256
f349cb4c51987166c3fb70af358809391764d62dbc9444e75ccde5fd6287d678

SHA512
83e532136617747f1fa5abc021eb94bfd31f130ed466ee9fabca376bfefd8ede8e43fd6e7d19deaa8215188bc0fbe37e994961944c9313f2f82a0bdd13e505bc

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe
MD5
ea1f8be51c446770d0134a512fad9426

SHA1
e667c956cf6e1a9e92aa29767c41b162f2b9302f

SHA256
429f741cb36e685a6b3ed9cf42f1878f2d673da97cb5603304d41b462ea7f349

SHA512
88497ad6fb543086303f25e1ea6c528065ecb38a27a46e61d5a7cd3a4e718849bb45df3b50bc023abffc7e0593a26fb97bbabae8cc417fe4fbccc93156c9cba2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe
MD5
ea1f8be51c446770d0134a512fad9426

SHA1
e667c956cf6e1a9e92aa29767c41b162f2b9302f

SHA256
429f741cb36e685a6b3ed9cf42f1878f2d673da97cb5603304d41b462ea7f349

SHA512
88497ad6fb543086303f25e1ea6c528065ecb38a27a46e61d5a7cd3a4e718849bb45df3b50bc023abffc7e0593a26fb97bbabae8cc417fe4fbccc93156c9cba2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe
MD5
ea1f8be51c446770d0134a512fad9426

SHA1
e667c956cf6e1a9e92aa29767c41b162f2b9302f

SHA256
429f741cb36e685a6b3ed9cf42f1878f2d673da97cb5603304d41b462ea7f349

SHA512
88497ad6fb543086303f25e1ea6c528065ecb38a27a46e61d5a7cd3a4e718849bb45df3b50bc023abffc7e0593a26fb97bbabae8cc417fe4fbccc93156c9cba2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe
MD5
ea1f8be51c446770d0134a512fad9426

SHA1
e667c956cf6e1a9e92aa29767c41b162f2b9302f

SHA256
429f741cb36e685a6b3ed9cf42f1878f2d673da97cb5603304d41b462ea7f349

SHA512
88497ad6fb543086303f25e1ea6c528065ecb38a27a46e61d5a7cd3a4e718849bb45df3b50bc023abffc7e0593a26fb97bbabae8cc417fe4fbccc93156c9cba2

Download Submit
\Windows\SysWOW64\$77loader\$77loader.exe
MD5
ea1f8be51c446770d0134a512fad9426

SHA1
e667c956cf6e1a9e92aa29767c41b162f2b9302f

SHA256
429f741cb36e685a6b3ed9cf42f1878f2d673da97cb5603304d41b462ea7f349

SHA512
88497ad6fb543086303f25e1ea6c528065ecb38a27a46e61d5a7cd3a4e718849bb45df3b50bc023abffc7e0593a26fb97bbabae8cc417fe4fbccc93156c9cba2

Download Submit
memory/1064-54-0x0000000075691000-0x0000000075693000-memory.dmp

Filesize
8KB

Download
memory/1384-69-0x0000000000000000-mapping.dmp

Download
memory/1440-55-0x0000000000000000-mapping.dmp

Download
memory/1464-58-0x0000000000000000-mapping.dmp

Download
memory/1516-76-0x0000000000000000-mapping.dmp

Download
memory/1632-65-0x0000000000000000-mapping.dmp

Download
memory/1632-68-0x0000000000370000-0x00000000003FC000-memory.dmp

Filesize
560KB

Download
memory/1904-75-0x0000000000000000-mapping.dmp

Download
memory/1916-71-0x0000000000000000-mapping.dmp

Download
memory/1916-74-0x00000000002D0000-0x000000000035C000-memory.dmp

Filesize
560KB

Download