quasar | 5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952

General

Target

5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe
Size

716KB
MD5

57a24eb9bd6fcda2c033c8ca10890e09
SHA1

35a011428d3a4020658c294e35527c4205ede798
SHA256

5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952
SHA512

4bdca657fb1faf8bc9ea9459bb022837792483abb87d3bf257609a31e91b5f59af1fa672d588f567779f3b113c1b04a6ef1f81f6ff7c9779a6b4eb917c02e67c

Score

10^/10

quasar venomrat mundo rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Mundo

C2

201.111.223.252:6700

Mutex

VNM_MUTEX_KJflzK0oXUK0jjdJ05

Attributes

encryption_key
eSgMT4XlUNEBcxqW7GsH
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x0007000000022ecd-133.dat	disable_win_def
behavioral2/files/0x0007000000022ecd-134.dat	disable_win_def
behavioral2/memory/1552-135-0x0000000000C70000-0x0000000000CFA000-memory.dmp	disable_win_def

Quasar Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022ecd-133.dat	family_quasar
behavioral2/files/0x0007000000022ecd-134.dat	family_quasar
behavioral2/memory/1552-135-0x0000000000C70000-0x0000000000CFA000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 1 IoCs

pid	Process
1552	Pe.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2020	5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe
2020	5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe
Token: SeDebugPrivilege	1552	Pe.exe
Token: SeDebugPrivilege	1552	Pe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1552	2020	5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe	81
PID 2020 wrote to memory of 1552	2020	5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe	81
PID 2020 wrote to memory of 1552	2020	5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe	81

C:\Users\Admin\AppData\Local\Temp\5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe
"C:\Users\Admin\AppData\Local\Temp\5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\Pe.exe
  "C:\Users\Admin\AppData\Local\Temp\Pe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Pe.exe

Filesize
526KB

MD5
c2f7ea121023823382bd0db241dc61e8

SHA1
afbe7c9bfe0e4515e022e0342cb8a2541602f675

SHA256
4fa410894274212479e682167d2182e16288a718b6afdf09c1f6620976fceca9

SHA512
6ec7e64a2b4c171161f9f342b5077819fbcd04e0d5ce190f5c3cdf655a7185323d8fb2ae9699d082f1f8e9d648e321b5b25d286c67e7b0b82ee0d88e24866d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pe.exe

Filesize
526KB

MD5
c2f7ea121023823382bd0db241dc61e8

SHA1
afbe7c9bfe0e4515e022e0342cb8a2541602f675

SHA256
4fa410894274212479e682167d2182e16288a718b6afdf09c1f6620976fceca9

SHA512
6ec7e64a2b4c171161f9f342b5077819fbcd04e0d5ce190f5c3cdf655a7185323d8fb2ae9699d082f1f8e9d648e321b5b25d286c67e7b0b82ee0d88e24866d77

Download Submit
memory/1552-135-0x0000000000C70000-0x0000000000CFA000-memory.dmp

Filesize
552KB

Download
memory/1552-136-0x0000000005D60000-0x0000000006304000-memory.dmp

Filesize
5.6MB

Download
memory/1552-137-0x00000000056C0000-0x0000000005752000-memory.dmp

Filesize
584KB

Download
memory/1552-138-0x0000000005AB0000-0x0000000005B16000-memory.dmp

Filesize
408KB

Download
memory/1552-139-0x00000000066D0000-0x00000000066E2000-memory.dmp

Filesize
72KB

Download
memory/1552-140-0x0000000006B00000-0x0000000006B3C000-memory.dmp

Filesize
240KB

Download
memory/1552-141-0x0000000006CC0000-0x0000000006CCA000-memory.dmp

Filesize
40KB

Download
memory/2020-130-0x0000000000A70000-0x0000000000B28000-memory.dmp

Filesize
736KB

Download
memory/2020-131-0x00007FFBD4600000-0x00007FFBD50C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing