quasar | bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c

General

Target

bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe
Size

699KB
MD5

5807ae1cd17e7f9bc109b3df90b243ba
SHA1

08595bc28d5f185fce26da9e8362d05ad6eed16d
SHA256

bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c
SHA512

ad790053c056b0bf519c2bae2585c17f063ecc30961936f78092b9684df693d1eb83b15422841172ebb9398a689b4d3f115efb44bbd156739278cca4147482a9

Score

10^/10

quasar venomrat office04 persistence rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

2.tcp.ngrok.io:12699

Mutex

VNM_MUTEX_ljpH86m9yQvMdFiQrM

Attributes

encryption_key
u0b02uZLknYm9c6g9jJR
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Security
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/4852-137-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Quasar Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4852-137-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Security = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe\""	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
12	ip-api.com
17	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exebc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe

description	pid	Process	procid_target
PID 4892 set thread context of 4868	4892	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	78
PID 4868 set thread context of 4852	4868	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	79

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
4216	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe

description	pid	Process
Token: SeDebugPrivilege	4852	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe
Token: SeDebugPrivilege	4852	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe

pid	Process
4852	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exebc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exebc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe

description	pid	Process	procid_target
PID 4892 wrote to memory of 4868	4892	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	78
PID 4892 wrote to memory of 4868	4892	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	78
PID 4892 wrote to memory of 4868	4892	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	78
PID 4892 wrote to memory of 4868	4892	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	78
PID 4892 wrote to memory of 4868	4892	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	78
PID 4892 wrote to memory of 4868	4892	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	78
PID 4892 wrote to memory of 4868	4892	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	78
PID 4892 wrote to memory of 4868	4892	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	78
PID 4868 wrote to memory of 4852	4868	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	79
PID 4868 wrote to memory of 4852	4868	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	79
PID 4868 wrote to memory of 4852	4868	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	79
PID 4868 wrote to memory of 4852	4868	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	79
PID 4868 wrote to memory of 4852	4868	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	79
PID 4868 wrote to memory of 4852	4868	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	79
PID 4868 wrote to memory of 4852	4868	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	79
PID 4868 wrote to memory of 4852	4868	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	79
PID 4852 wrote to memory of 4216	4852	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	80
PID 4852 wrote to memory of 4216	4852	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	80
PID 4852 wrote to memory of 4216	4852	bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe	80

C:\Users\Admin\AppData\Local\Temp\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe
"C:\Users\Admin\AppData\Local\Temp\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Local\Temp\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe
  "C:\Users\Admin\AppData\Local\Temp\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe
    "C:\Users\Admin\AppData\Local\Temp\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c.exe.log

Filesize
410B

MD5
3bbb825ef1319deb378787046587112b

SHA1
67da95f0031be525b4cf10645632ca34d66b913b

SHA256
d9c6d00fad02f7a9ef0fcddc298ffd58b17020fb12b1336d5733237cbfadb1e0

SHA512
7771ae543e188d544e1bb6c65e0453a6777c1c39790a355f4cce652a815bfaf94dd426de3db910a67bd06e463ac0143d9e2ca44d2b12af7f0d84c27b4a09cc54

Download Submit
memory/4216-140-0x0000000000000000-mapping.dmp

Download
memory/4852-137-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4852-136-0x0000000000000000-mapping.dmp

Download
memory/4852-138-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/4852-139-0x0000000006290000-0x00000000062A2000-memory.dmp

Filesize
72KB

Download
memory/4852-141-0x0000000006DB0000-0x0000000006DBA000-memory.dmp

Filesize
40KB

Download
memory/4868-133-0x0000000000000000-mapping.dmp

Download
memory/4868-134-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4892-130-0x0000000000D50000-0x0000000000E08000-memory.dmp

Filesize
736KB

Download
memory/4892-131-0x000000000B2C0000-0x000000000B864000-memory.dmp

Filesize
5.6MB

Download
memory/4892-132-0x000000000AE00000-0x000000000AE92000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads