quasar | 5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952

General

Target

5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe
Size

716KB
MD5

57a24eb9bd6fcda2c033c8ca10890e09
SHA1

35a011428d3a4020658c294e35527c4205ede798
SHA256

5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952
SHA512

4bdca657fb1faf8bc9ea9459bb022837792483abb87d3bf257609a31e91b5f59af1fa672d588f567779f3b113c1b04a6ef1f81f6ff7c9779a6b4eb917c02e67c

Score

10^/10

quasar venomrat mundo rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Mundo

C2

201.111.223.252:6700

Mutex

VNM_MUTEX_KJflzK0oXUK0jjdJ05

Attributes

encryption_key
eSgMT4XlUNEBcxqW7GsH
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/files/0x000d000000005ba9-59.dat	disable_win_def
behavioral1/files/0x000d000000005ba9-60.dat	disable_win_def
behavioral1/memory/888-62-0x0000000000A20000-0x0000000000AAA000-memory.dmp	disable_win_def

Quasar Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000d000000005ba9-59.dat	family_quasar
behavioral1/files/0x000d000000005ba9-60.dat	family_quasar
behavioral1/memory/888-62-0x0000000000A20000-0x0000000000AAA000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 1 IoCs

Processes:

Pe.exe

pid	Process
888	Pe.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe

pid	Process
532	5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe
532	5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exePe.exe

description	pid	Process
Token: SeDebugPrivilege	532	5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe
Token: SeDebugPrivilege	888	Pe.exe
Token: SeDebugPrivilege	888	Pe.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe

description	pid	Process	procid_target
PID 532 wrote to memory of 888	532	5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe	27
PID 532 wrote to memory of 888	532	5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe	27
PID 532 wrote to memory of 888	532	5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe	27
PID 532 wrote to memory of 888	532	5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe	27

C:\Users\Admin\AppData\Local\Temp\5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe
"C:\Users\Admin\AppData\Local\Temp\5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532
- C:\Users\Admin\AppData\Local\Temp\Pe.exe
  "C:\Users\Admin\AppData\Local\Temp\Pe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Pe.exe

Filesize
526KB

MD5
c2f7ea121023823382bd0db241dc61e8

SHA1
afbe7c9bfe0e4515e022e0342cb8a2541602f675

SHA256
4fa410894274212479e682167d2182e16288a718b6afdf09c1f6620976fceca9

SHA512
6ec7e64a2b4c171161f9f342b5077819fbcd04e0d5ce190f5c3cdf655a7185323d8fb2ae9699d082f1f8e9d648e321b5b25d286c67e7b0b82ee0d88e24866d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pe.exe

Filesize
526KB

MD5
c2f7ea121023823382bd0db241dc61e8

SHA1
afbe7c9bfe0e4515e022e0342cb8a2541602f675

SHA256
4fa410894274212479e682167d2182e16288a718b6afdf09c1f6620976fceca9

SHA512
6ec7e64a2b4c171161f9f342b5077819fbcd04e0d5ce190f5c3cdf655a7185323d8fb2ae9699d082f1f8e9d648e321b5b25d286c67e7b0b82ee0d88e24866d77

Download Submit
memory/532-54-0x0000000000EC0000-0x0000000000F78000-memory.dmp

Filesize
736KB

Download
memory/532-55-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/532-56-0x0000000000E00000-0x0000000000EAA000-memory.dmp

Filesize
680KB

Download
memory/532-57-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp

Filesize
8KB

Download
memory/532-61-0x000000001AEC6000-0x000000001AEE5000-memory.dmp

Filesize
124KB

Download
memory/888-58-0x0000000000000000-mapping.dmp

Download
memory/888-62-0x0000000000A20000-0x0000000000AAA000-memory.dmp

Filesize
552KB

Download
memory/888-63-0x0000000075701000-0x0000000075703000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads