quasar | 5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1

General

Target

5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe
Size

814KB
MD5

a14720279a25c2635029d82e0b395d8d
SHA1

492f8568c09739c0ec3eae755c301be067ba7c3a
SHA256

5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1
SHA512

4c4001b3232257376437c7696e17671f35dde68b9c86a21690edad93d91ae80e4811e4d7b217d252534c9d51d6a3d259d29e572466997932217886f7f57db71f

Score

10^/10

quasar venomrat shop evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

shop

C2

185.204.1.236:4521

Mutex

VNM_MUTEX_1NgafS3xkifQY5TYWL

Attributes

encryption_key
5KaBFSa6AfCkIN5zPsZV
install_name
$77loader.exe
log_directory
Logs
reconnect_delay
3000
startup_key
dllhost
subdirectory
$77loader

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/files/0x0004000000020648-140.dat	disable_win_def
behavioral2/files/0x0004000000020648-141.dat	disable_win_def
behavioral2/memory/1668-142-0x0000000000890000-0x000000000091C000-memory.dmp	disable_win_def
behavioral2/files/0x000700000002052b-150.dat	disable_win_def
behavioral2/files/0x000700000002052b-151.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0004000000020648-140.dat	family_quasar
behavioral2/files/0x0004000000020648-141.dat	family_quasar
behavioral2/memory/1668-142-0x0000000000890000-0x000000000091C000-memory.dmp	family_quasar
behavioral2/files/0x000700000002052b-150.dat	family_quasar
behavioral2/files/0x000700000002052b-151.dat	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 3 IoCs

Processes:

server.sfx.exeserver.exe$77loader.exe

pid	Process
1784	server.sfx.exe
1668	server.exe
1248	$77loader.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

server.sfx.exe5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	server.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

server.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	server.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\server.exe\""	server.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
76	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

server.exe$77loader.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\$77loader\$77loader.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\$77loader\$77loader.exe	$77loader.exe
File opened for modification	C:\Windows\SysWOW64\$77loader	$77loader.exe
File created	C:\Windows\SysWOW64\$77loader\$77loader.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
4804	schtasks.exe
4784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
2888	powershell.exe
2888	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

server.exe$77loader.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1668	server.exe
Token: SeDebugPrivilege	1248	$77loader.exe
Token: SeDebugPrivilege	1248	$77loader.exe
Token: SeDebugPrivilege	2888	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$77loader.exe

pid	Process
1248	$77loader.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.execmd.exeserver.sfx.exeserver.exe$77loader.exe

description	pid	Process	procid_target
PID 968 wrote to memory of 2288	968	5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe	83
PID 968 wrote to memory of 2288	968	5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe	83
PID 968 wrote to memory of 2288	968	5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe	83
PID 2288 wrote to memory of 1784	2288	cmd.exe	88
PID 2288 wrote to memory of 1784	2288	cmd.exe	88
PID 2288 wrote to memory of 1784	2288	cmd.exe	88
PID 1784 wrote to memory of 1668	1784	server.sfx.exe	90
PID 1784 wrote to memory of 1668	1784	server.sfx.exe	90
PID 1784 wrote to memory of 1668	1784	server.sfx.exe	90
PID 1668 wrote to memory of 4784	1668	server.exe	106
PID 1668 wrote to memory of 4784	1668	server.exe	106
PID 1668 wrote to memory of 4784	1668	server.exe	106
PID 1668 wrote to memory of 1248	1668	server.exe	108
PID 1668 wrote to memory of 1248	1668	server.exe	108
PID 1668 wrote to memory of 1248	1668	server.exe	108
PID 1668 wrote to memory of 2888	1668	server.exe	109
PID 1668 wrote to memory of 2888	1668	server.exe	109
PID 1668 wrote to memory of 2888	1668	server.exe	109
PID 1248 wrote to memory of 4804	1248	$77loader.exe	111
PID 1248 wrote to memory of 4804	1248	$77loader.exe	111
PID 1248 wrote to memory of 4804	1248	$77loader.exe	111

C:\Users\Admin\AppData\Local\Temp\5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe
"C:\Users\Admin\AppData\Local\Temp\5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\start.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\server.sfx.exe
    server.sfx -pFSPFJSDOFH9GGLDHGHDHDLDGFHLDGFHDFGHHLKFDG -dc:\
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe"
      4⤵
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:4784
    - - C:\Windows\SysWOW64\$77loader\$77loader.exe
        
        "C:\Windows\SysWOW64\$77loader\$77loader.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1248
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "C:\Windows\SysWOW64\$77loader\$77loader.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:4804
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe

MD5
ea1f8be51c446770d0134a512fad9426

SHA1
e667c956cf6e1a9e92aa29767c41b162f2b9302f

SHA256
429f741cb36e685a6b3ed9cf42f1878f2d673da97cb5603304d41b462ea7f349

SHA512
88497ad6fb543086303f25e1ea6c528065ecb38a27a46e61d5a7cd3a4e718849bb45df3b50bc023abffc7e0593a26fb97bbabae8cc417fe4fbccc93156c9cba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe

MD5
ea1f8be51c446770d0134a512fad9426

SHA1
e667c956cf6e1a9e92aa29767c41b162f2b9302f

SHA256
429f741cb36e685a6b3ed9cf42f1878f2d673da97cb5603304d41b462ea7f349

SHA512
88497ad6fb543086303f25e1ea6c528065ecb38a27a46e61d5a7cd3a4e718849bb45df3b50bc023abffc7e0593a26fb97bbabae8cc417fe4fbccc93156c9cba2

Download Submit
C:\Windows\SysWOW64\$77loader\$77loader.exe

MD5
ea1f8be51c446770d0134a512fad9426

SHA1
e667c956cf6e1a9e92aa29767c41b162f2b9302f

SHA256
429f741cb36e685a6b3ed9cf42f1878f2d673da97cb5603304d41b462ea7f349

SHA512
88497ad6fb543086303f25e1ea6c528065ecb38a27a46e61d5a7cd3a4e718849bb45df3b50bc023abffc7e0593a26fb97bbabae8cc417fe4fbccc93156c9cba2

Download Submit
C:\Windows\SysWOW64\$77loader\$77loader.exe

MD5
ea1f8be51c446770d0134a512fad9426

SHA1
e667c956cf6e1a9e92aa29767c41b162f2b9302f

SHA256
429f741cb36e685a6b3ed9cf42f1878f2d673da97cb5603304d41b462ea7f349

SHA512
88497ad6fb543086303f25e1ea6c528065ecb38a27a46e61d5a7cd3a4e718849bb45df3b50bc023abffc7e0593a26fb97bbabae8cc417fe4fbccc93156c9cba2

Download Submit
C:\server.sfx.exe

MD5
822f0d54a7563937ed316924abaaf070

SHA1
d40c6decf2c31622a3924795ede8ab92a85423ad

SHA256
ad955c8e32f4f9678820bc6fc66584f10fb0ef2f4de2b309c707075f559bbbe9

SHA512
2a21d32fcfb6b8e5ff3d475c91d874276c8f85951c8c2b4225a40d5446acf9832b33f9002bfca55bd43dc4626141f9afb39a34d0aeb012b9355e7b46a517f8f2

Download Submit
C:\server.sfx.exe

MD5
822f0d54a7563937ed316924abaaf070

SHA1
d40c6decf2c31622a3924795ede8ab92a85423ad

SHA256
ad955c8e32f4f9678820bc6fc66584f10fb0ef2f4de2b309c707075f559bbbe9

SHA512
2a21d32fcfb6b8e5ff3d475c91d874276c8f85951c8c2b4225a40d5446acf9832b33f9002bfca55bd43dc4626141f9afb39a34d0aeb012b9355e7b46a517f8f2

Download Submit
C:\start.bat

MD5
9326d70f25bcef4acecb15269928d8a7

SHA1
5ccac15eb2ffa5e1e6f86687738bf96b71164319

SHA256
f349cb4c51987166c3fb70af358809391764d62dbc9444e75ccde5fd6287d678

SHA512
83e532136617747f1fa5abc021eb94bfd31f130ed466ee9fabca376bfefd8ede8e43fd6e7d19deaa8215188bc0fbe37e994961944c9313f2f82a0bdd13e505bc

Download Submit
memory/1248-149-0x0000000000000000-mapping.dmp

Download
memory/1248-156-0x00000000060D0000-0x00000000060DA000-memory.dmp

Filesize
40KB

Download
memory/1668-146-0x0000000000DF0000-0x0000000000E02000-memory.dmp

Filesize
72KB

Download
memory/1668-144-0x00000000053D0000-0x0000000005462000-memory.dmp

Filesize
584KB

Download
memory/1668-145-0x0000000005330000-0x0000000005396000-memory.dmp

Filesize
408KB

Download
memory/1668-147-0x0000000005A60000-0x0000000005A9C000-memory.dmp

Filesize
240KB

Download
memory/1668-143-0x0000000005AD0000-0x0000000006074000-memory.dmp

Filesize
5.6MB

Download
memory/1668-142-0x0000000000890000-0x000000000091C000-memory.dmp

Filesize
560KB

Download
memory/1668-139-0x0000000000000000-mapping.dmp

Download
memory/1784-136-0x0000000000000000-mapping.dmp

Download
memory/2288-134-0x0000000000000000-mapping.dmp

Download
memory/2888-152-0x0000000000000000-mapping.dmp

Download
memory/2888-154-0x00000000021E0000-0x0000000002216000-memory.dmp

Filesize
216KB

Download
memory/2888-155-0x0000000004DA0000-0x00000000053C8000-memory.dmp

Filesize
6.2MB

Download
memory/2888-157-0x0000000004C00000-0x0000000004C22000-memory.dmp

Filesize
136KB

Download
memory/2888-158-0x0000000004CA0000-0x0000000004D06000-memory.dmp

Filesize
408KB

Download
memory/2888-159-0x0000000005A20000-0x0000000005A3E000-memory.dmp

Filesize
120KB

Download
memory/4784-148-0x0000000000000000-mapping.dmp

Download
memory/4804-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads