quasar | 5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1

General

Target

5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe
Size

814KB
MD5

a14720279a25c2635029d82e0b395d8d
SHA1

492f8568c09739c0ec3eae755c301be067ba7c3a
SHA256

5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1
SHA512

4c4001b3232257376437c7696e17671f35dde68b9c86a21690edad93d91ae80e4811e4d7b217d252534c9d51d6a3d259d29e572466997932217886f7f57db71f

Score

10^/10

quasar venomrat shop evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

shop

C2

185.204.1.236:4521

Mutex

VNM_MUTEX_1NgafS3xkifQY5TYWL

Attributes

encryption_key
5KaBFSa6AfCkIN5zPsZV
install_name
$77loader.exe
log_directory
Logs
reconnect_delay
3000
startup_key
dllhost
subdirectory
$77loader

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x0004000000020648-140.dat	disable_win_def
behavioral2/files/0x0004000000020648-141.dat	disable_win_def
behavioral2/memory/1668-142-0x0000000000890000-0x000000000091C000-memory.dmp	disable_win_def
behavioral2/files/0x000700000002052b-150.dat	disable_win_def
behavioral2/files/0x000700000002052b-151.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0004000000020648-140.dat	family_quasar
behavioral2/files/0x0004000000020648-141.dat	family_quasar
behavioral2/memory/1668-142-0x0000000000890000-0x000000000091C000-memory.dmp	family_quasar
behavioral2/files/0x000700000002052b-150.dat	family_quasar
behavioral2/files/0x000700000002052b-151.dat	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 3 IoCs

pid	Process
1784	server.sfx.exe
1668	server.exe
1248	$77loader.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	server.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	server.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\server.exe\""	server.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
76	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\$77loader\$77loader.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\$77loader\$77loader.exe	$77loader.exe
File opened for modification	C:\Windows\SysWOW64\$77loader	$77loader.exe
File created	C:\Windows\SysWOW64\$77loader\$77loader.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4804	schtasks.exe
4784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2888	powershell.exe
2888	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	server.exe
Token: SeDebugPrivilege	1248	$77loader.exe
Token: SeDebugPrivilege	1248	$77loader.exe
Token: SeDebugPrivilege	2888	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1248	$77loader.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 2288	968	5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe	83
PID 968 wrote to memory of 2288	968	5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe	83
PID 968 wrote to memory of 2288	968	5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe	83
PID 2288 wrote to memory of 1784	2288	cmd.exe	88
PID 2288 wrote to memory of 1784	2288	cmd.exe	88
PID 2288 wrote to memory of 1784	2288	cmd.exe	88
PID 1784 wrote to memory of 1668	1784	server.sfx.exe	90
PID 1784 wrote to memory of 1668	1784	server.sfx.exe	90
PID 1784 wrote to memory of 1668	1784	server.sfx.exe	90
PID 1668 wrote to memory of 4784	1668	server.exe	106
PID 1668 wrote to memory of 4784	1668	server.exe	106
PID 1668 wrote to memory of 4784	1668	server.exe	106
PID 1668 wrote to memory of 1248	1668	server.exe	108
PID 1668 wrote to memory of 1248	1668	server.exe	108
PID 1668 wrote to memory of 1248	1668	server.exe	108
PID 1668 wrote to memory of 2888	1668	server.exe	109
PID 1668 wrote to memory of 2888	1668	server.exe	109
PID 1668 wrote to memory of 2888	1668	server.exe	109
PID 1248 wrote to memory of 4804	1248	$77loader.exe	111
PID 1248 wrote to memory of 4804	1248	$77loader.exe	111
PID 1248 wrote to memory of 4804	1248	$77loader.exe	111

C:\Users\Admin\AppData\Local\Temp\5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe
"C:\Users\Admin\AppData\Local\Temp\5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\start.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\server.sfx.exe
    server.sfx -pFSPFJSDOFH9GGLDHGHDHDLDGFHLDGFHDFGHHLKFDG -dc:\
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe"
      4⤵
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:4784
    - - C:\Windows\SysWOW64\$77loader\$77loader.exe
        
        "C:\Windows\SysWOW64\$77loader\$77loader.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1248
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "C:\Windows\SysWOW64\$77loader\$77loader.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:4804
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1248-156-0x00000000060D0000-0x00000000060DA000-memory.dmp

Filesize
40KB

Download
memory/1668-146-0x0000000000DF0000-0x0000000000E02000-memory.dmp

Filesize
72KB

Download
memory/1668-144-0x00000000053D0000-0x0000000005462000-memory.dmp

Filesize
584KB

Download
memory/1668-145-0x0000000005330000-0x0000000005396000-memory.dmp

Filesize
408KB

Download
memory/1668-147-0x0000000005A60000-0x0000000005A9C000-memory.dmp

Filesize
240KB

Download
memory/1668-143-0x0000000005AD0000-0x0000000006074000-memory.dmp

Filesize
5.6MB

Download
memory/1668-142-0x0000000000890000-0x000000000091C000-memory.dmp

Filesize
560KB

Download
memory/2888-154-0x00000000021E0000-0x0000000002216000-memory.dmp

Filesize
216KB

Download
memory/2888-155-0x0000000004DA0000-0x00000000053C8000-memory.dmp

Filesize
6.2MB

Download
memory/2888-157-0x0000000004C00000-0x0000000004C22000-memory.dmp

Filesize
136KB

Download
memory/2888-158-0x0000000004CA0000-0x0000000004D06000-memory.dmp

Filesize
408KB

Download
memory/2888-159-0x0000000005A20000-0x0000000005A3E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads