quasar | 9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e

General

Target

9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e.exe
Size

725KB
MD5

a7ab1b1d14ae721f0ed0b0b828feb078
SHA1

bcb83a1665a7a1436af50ef13d01e78303f349c0
SHA256

9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e
SHA512

0d8e7cf0fe51b9f695debce7a37d721992f88f574095c96152fb15bff6c0ab1b1574495c793cc6a1446031c9c8069d2ff3c3bca7f8acc9e16dcd7168236a4118

Score

10^/10

quasar venomrat mundo rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Mundo

C2

201.111.223.252:6700

Mutex

VNM_MUTEX_KJflzK0oXUK0jjdJ05

Attributes

encryption_key
eSgMT4XlUNEBcxqW7GsH
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/files/0x000700000002313e-142.dat	disable_win_def
behavioral2/files/0x000700000002313e-143.dat	disable_win_def
behavioral2/memory/3288-144-0x0000000000F00000-0x0000000000F8A000-memory.dmp	disable_win_def

Quasar Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000700000002313e-142.dat	family_quasar
behavioral2/files/0x000700000002313e-143.dat	family_quasar
behavioral2/memory/3288-144-0x0000000000F00000-0x0000000000F8A000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata

Executes dropped EXE 2 IoCs

Processes:

NordVPN.exePe.exe

pid	Process
2492	NordVPN.exe
3288	Pe.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NordVPN.exe9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	NordVPN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
8	ip-api.com
12	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e.exeNordVPN.exe

pid	Process
3520	9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e.exe
3520	9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e.exe
2492	NordVPN.exe
2492	NordVPN.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e.exeNordVPN.exePe.exe

description	pid	Process
Token: SeDebugPrivilege	3520	9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e.exe
Token: SeDebugPrivilege	2492	NordVPN.exe
Token: SeDebugPrivilege	3288	Pe.exe
Token: SeDebugPrivilege	3288	Pe.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e.exeNordVPN.exe

description	pid	Process	procid_target
PID 3520 wrote to memory of 2492	3520	9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e.exe	79
PID 3520 wrote to memory of 2492	3520	9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e.exe	79
PID 2492 wrote to memory of 3288	2492	NordVPN.exe	80
PID 2492 wrote to memory of 3288	2492	NordVPN.exe	80
PID 2492 wrote to memory of 3288	2492	NordVPN.exe	80

C:\Users\Admin\AppData\Local\Temp\9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e.exe
"C:\Users\Admin\AppData\Local\Temp\9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Users\Admin\AppData\Local\Temp\NordVPN.exe
  "C:\Users\Admin\AppData\Local\Temp\NordVPN.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Users\Admin\AppData\Local\Temp\Pe.exe
    "C:\Users\Admin\AppData\Local\Temp\Pe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NordVPN.exe

Filesize
683KB

MD5
d6ff667f9f439f8d9129e1072d44ae25

SHA1
49727eb49e6a5add20e051d46c9b6d3c69386644

SHA256
328757dc3ea4591650f4a238df9873fb9dd64cc4a7a27ef6858458044c5ea337

SHA512
761e9dfae3466cf5f8e0f911da4aa5c5f80bcf9be875a63235000b1a96815b051bc87c06cabe79a7aa5f3efeace0c6370bae06841a2ab9a3cad49581fffe44bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\NordVPN.exe

Filesize
683KB

MD5
d6ff667f9f439f8d9129e1072d44ae25

SHA1
49727eb49e6a5add20e051d46c9b6d3c69386644

SHA256
328757dc3ea4591650f4a238df9873fb9dd64cc4a7a27ef6858458044c5ea337

SHA512
761e9dfae3466cf5f8e0f911da4aa5c5f80bcf9be875a63235000b1a96815b051bc87c06cabe79a7aa5f3efeace0c6370bae06841a2ab9a3cad49581fffe44bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pe.exe

Filesize
526KB

MD5
c2f7ea121023823382bd0db241dc61e8

SHA1
afbe7c9bfe0e4515e022e0342cb8a2541602f675

SHA256
4fa410894274212479e682167d2182e16288a718b6afdf09c1f6620976fceca9

SHA512
6ec7e64a2b4c171161f9f342b5077819fbcd04e0d5ce190f5c3cdf655a7185323d8fb2ae9699d082f1f8e9d648e321b5b25d286c67e7b0b82ee0d88e24866d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pe.exe

Filesize
526KB

MD5
c2f7ea121023823382bd0db241dc61e8

SHA1
afbe7c9bfe0e4515e022e0342cb8a2541602f675

SHA256
4fa410894274212479e682167d2182e16288a718b6afdf09c1f6620976fceca9

SHA512
6ec7e64a2b4c171161f9f342b5077819fbcd04e0d5ce190f5c3cdf655a7185323d8fb2ae9699d082f1f8e9d648e321b5b25d286c67e7b0b82ee0d88e24866d77

Download Submit
memory/2492-140-0x000000001C844000-0x000000001C846000-memory.dmp

Filesize
8KB

Download
memory/2492-136-0x00000000000C0000-0x000000000016E000-memory.dmp

Filesize
696KB

Download
memory/2492-132-0x0000000000000000-mapping.dmp

Download
memory/2492-137-0x00007FFDC6C40000-0x00007FFDC7701000-memory.dmp

Filesize
10.8MB

Download
memory/2492-138-0x000000001C840000-0x000000001C842000-memory.dmp

Filesize
8KB

Download
memory/2492-139-0x000000001C842000-0x000000001C844000-memory.dmp

Filesize
8KB

Download
memory/3288-141-0x0000000000000000-mapping.dmp

Download
memory/3288-144-0x0000000000F00000-0x0000000000F8A000-memory.dmp

Filesize
552KB

Download
memory/3288-145-0x0000000006020000-0x00000000065C4000-memory.dmp

Filesize
5.6MB

Download
memory/3288-146-0x00000000059A0000-0x0000000005A32000-memory.dmp

Filesize
584KB

Download
memory/3288-147-0x0000000005D70000-0x0000000005DD6000-memory.dmp

Filesize
408KB

Download
memory/3288-148-0x0000000006A70000-0x0000000006A82000-memory.dmp

Filesize
72KB

Download
memory/3288-149-0x0000000006E90000-0x0000000006E9A000-memory.dmp

Filesize
40KB

Download
memory/3520-130-0x00000000007A0000-0x0000000000858000-memory.dmp

Filesize
736KB

Download
memory/3520-133-0x000000001C100000-0x000000001C102000-memory.dmp

Filesize
8KB

Download
memory/3520-131-0x00007FFDC6C40000-0x00007FFDC7701000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads