quasar | bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c

General

Target

bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe
Size

699KB
MD5

5807ae1cd17e7f9bc109b3df90b243ba
SHA1

08595bc28d5f185fce26da9e8362d05ad6eed16d
SHA256

bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c
SHA512

ad790053c056b0bf519c2bae2585c17f063ecc30961936f78092b9684df693d1eb83b15422841172ebb9398a689b4d3f115efb44bbd156739278cca4147482a9

Score

10^/10

quasar venomrat office04 rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

2.tcp.ngrok.io:12699

Mutex

VNM_MUTEX_ljpH86m9yQvMdFiQrM

Attributes

encryption_key
u0b02uZLknYm9c6g9jJR
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Security
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/668-72-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/668-73-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/668-74-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/668-75-0x0000000000486BEE-mapping.dmp	disable_win_def
behavioral1/memory/668-77-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/668-79-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Quasar Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/668-72-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/668-73-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/668-74-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/668-75-0x0000000000486BEE-mapping.dmp	family_quasar
behavioral1/memory/668-77-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/668-79-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exebc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe

description	pid	Process	procid_target
PID 1572 set thread context of 944	1572	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	28
PID 944 set thread context of 668	944	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	30

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
824	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe

pid	Process
944	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exebc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe

description	pid	Process
Token: SeDebugPrivilege	944	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe
Token: SeDebugPrivilege	668	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe
Token: SeDebugPrivilege	668	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe

pid	Process
668	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exebc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exebc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe

description	pid	Process	procid_target
PID 1572 wrote to memory of 944	1572	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	28
PID 1572 wrote to memory of 944	1572	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	28
PID 1572 wrote to memory of 944	1572	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	28
PID 1572 wrote to memory of 944	1572	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	28
PID 1572 wrote to memory of 944	1572	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	28
PID 1572 wrote to memory of 944	1572	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	28
PID 1572 wrote to memory of 944	1572	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	28
PID 1572 wrote to memory of 944	1572	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	28
PID 1572 wrote to memory of 944	1572	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	28
PID 944 wrote to memory of 1988	944	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	29
PID 944 wrote to memory of 1988	944	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	29
PID 944 wrote to memory of 1988	944	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	29
PID 944 wrote to memory of 1988	944	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	29
PID 944 wrote to memory of 668	944	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	30
PID 944 wrote to memory of 668	944	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	30
PID 944 wrote to memory of 668	944	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	30
PID 944 wrote to memory of 668	944	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	30
PID 944 wrote to memory of 668	944	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	30
PID 944 wrote to memory of 668	944	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	30
PID 944 wrote to memory of 668	944	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	30
PID 944 wrote to memory of 668	944	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	30
PID 944 wrote to memory of 668	944	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	30
PID 668 wrote to memory of 824	668	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	32
PID 668 wrote to memory of 824	668	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	32
PID 668 wrote to memory of 824	668	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	32
PID 668 wrote to memory of 824	668	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	32

C:\Users\Admin\AppData\Local\Temp\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe
"C:\Users\Admin\AppData\Local\Temp\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\AppData\Local\Temp\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe
  "C:\Users\Admin\AppData\Local\Temp\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Users\Admin\AppData\Local\Temp\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe
    "C:\Users\Admin\AppData\Local\Temp\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe"
    3⤵
    PID:1988
- - C:\Users\Admin\AppData\Local\Temp\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe
    "C:\Users\Admin\AppData\Local\Temp\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-69-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/668-79-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/668-77-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/668-75-0x0000000000486BEE-mapping.dmp

Download
memory/668-74-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/668-73-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/668-72-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/668-70-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/824-80-0x0000000000000000-mapping.dmp

Download
memory/944-60-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/944-68-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/944-66-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/944-63-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/944-64-0x000000000048CDBE-mapping.dmp

Download
memory/944-62-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/944-58-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/944-57-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1572-54-0x0000000000840000-0x00000000008F8000-memory.dmp

Filesize
736KB

Download
memory/1572-56-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/1572-55-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads