quasar | 4b7b29f6ce0795d1f393f286bfb524e377ce76482daf84c4a5f0bafbbe204392

General

Target

dll injector.exe
Size

412KB
MD5

bbd4f2c780777a588f70d0a747bad1a4
SHA1

b865d58a7877d0807d3d4dbcd01c763c9afe266f
SHA256

29601ce154ca13b2db98aa15e48d48ad9d894420746b29e63bc48202d67bce8d
SHA512

c293059e9bcb6c28bbd01d1a9a144e03a9fdde04c867795747edf56ea4bb7cb3e3a8d04e61ca0a6dd05a22389e693e217e71199df747f28719e0077d29f98f06

Score

10^/10

quasar venomrat windows defender evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Defender

C2

flashy-rake.auto.playit.gg:52017

Mutex

VNM_MUTEX_LYc2mMMFlAV9sQbWDZ

Attributes

encryption_key
3k1niu66x6tavwV3IiuB
install_name
Windows Defender.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender
subdirectory
Windows Defender

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/files/0x0006000000023207-133.dat	disable_win_def
behavioral1/files/0x0006000000023207-132.dat	disable_win_def
behavioral1/memory/3056-136-0x00000000000A0000-0x000000000012C000-memory.dmp	disable_win_def
behavioral1/files/0x0006000000023212-147.dat	disable_win_def
behavioral1/files/0x0006000000023212-148.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0006000000023207-133.dat	family_quasar
behavioral1/files/0x0006000000023207-132.dat	family_quasar
behavioral1/memory/3056-136-0x00000000000A0000-0x000000000012C000-memory.dmp	family_quasar
behavioral1/files/0x0006000000023212-147.dat	family_quasar
behavioral1/files/0x0006000000023212-148.dat	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 3 IoCs

Processes:

windows defender.exeinjectorek.exeWindows Defender.exe

pid	Process
3056	windows defender.exe
4020	injectorek.exe
1228	Windows Defender.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dll injector.exewindows defender.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	dll injector.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	windows defender.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

windows defender.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	windows defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	windows defender.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
1300	schtasks.exe
4044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

taskmgr.exepowershell.exewindows defender.exe

pid	Process
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
2024	powershell.exe
2024	powershell.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
3056	windows defender.exe
3056	windows defender.exe
3056	windows defender.exe
3056	windows defender.exe
3056	windows defender.exe
3056	windows defender.exe
3056	windows defender.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

taskmgr.exewindows defender.exepowershell.exeWindows Defender.exe

description	pid	Process
Token: SeDebugPrivilege	4248	taskmgr.exe
Token: SeSystemProfilePrivilege	4248	taskmgr.exe
Token: SeCreateGlobalPrivilege	4248	taskmgr.exe
Token: SeDebugPrivilege	3056	windows defender.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1228	Windows Defender.exe
Token: SeDebugPrivilege	1228	Windows Defender.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

taskmgr.exe

pid	Process
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe

Suspicious use of SendNotifyMessage 29 IoCs

Processes:

taskmgr.exe

pid	Process
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe
4248	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Defender.exe

pid	Process
1228	Windows Defender.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

dll injector.exewindows defender.exeWindows Defender.execmd.exe

description	pid	Process	procid_target
PID 2688 wrote to memory of 3056	2688	dll injector.exe	82
PID 2688 wrote to memory of 3056	2688	dll injector.exe	82
PID 2688 wrote to memory of 3056	2688	dll injector.exe	82
PID 2688 wrote to memory of 4020	2688	dll injector.exe	83
PID 2688 wrote to memory of 4020	2688	dll injector.exe	83
PID 3056 wrote to memory of 1300	3056	windows defender.exe	88
PID 3056 wrote to memory of 1300	3056	windows defender.exe	88
PID 3056 wrote to memory of 1300	3056	windows defender.exe	88
PID 3056 wrote to memory of 1228	3056	windows defender.exe	90
PID 3056 wrote to memory of 1228	3056	windows defender.exe	90
PID 3056 wrote to memory of 1228	3056	windows defender.exe	90
PID 3056 wrote to memory of 2024	3056	windows defender.exe	91
PID 3056 wrote to memory of 2024	3056	windows defender.exe	91
PID 3056 wrote to memory of 2024	3056	windows defender.exe	91
PID 1228 wrote to memory of 4044	1228	Windows Defender.exe	94
PID 1228 wrote to memory of 4044	1228	Windows Defender.exe	94
PID 1228 wrote to memory of 4044	1228	Windows Defender.exe	94
PID 3056 wrote to memory of 5036	3056	windows defender.exe	98
PID 3056 wrote to memory of 5036	3056	windows defender.exe	98
PID 3056 wrote to memory of 5036	3056	windows defender.exe	98
PID 5036 wrote to memory of 2768	5036	cmd.exe	100
PID 5036 wrote to memory of 2768	5036	cmd.exe	100
PID 5036 wrote to memory of 2768	5036	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\dll injector.exe
"C:\Users\Admin\AppData\Local\Temp\dll injector.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Roaming\windows defender.exe
  "C:\Users\Admin\AppData\Roaming\windows defender.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows defender.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1300
- - C:\Users\Admin\AppData\Roaming\Windows Defender\Windows Defender.exe
    "C:\Users\Admin\AppData\Roaming\Windows Defender\Windows Defender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\Windows Defender.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:2768
- C:\Users\Admin\AppData\Roaming\injectorek.exe
  "C:\Users\Admin\AppData\Roaming\injectorek.exe"
  2⤵
  - Executes dropped EXE
  PID:4020

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows Defender\Windows Defender.exe

Filesize
539KB

MD5
f1873887b499fb0bf5f711fc39229175

SHA1
c347191d199962c79a0f6199bc3e940d00b20e32

SHA256
256bedfceda04739912ed3a246f2144caf786f1894aaa3326ec1b0c229eb8cb2

SHA512
94a85813ab21ac7035f02e8ee11d5bacdc9bfea67cc0d07e4dce3d38f9137d72cc8f4f88b4f9b0be73f2216596cd1e574b3541e703c0241e2819e35ee275e045

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender\Windows Defender.exe

Filesize
539KB

MD5
f1873887b499fb0bf5f711fc39229175

SHA1
c347191d199962c79a0f6199bc3e940d00b20e32

SHA256
256bedfceda04739912ed3a246f2144caf786f1894aaa3326ec1b0c229eb8cb2

SHA512
94a85813ab21ac7035f02e8ee11d5bacdc9bfea67cc0d07e4dce3d38f9137d72cc8f4f88b4f9b0be73f2216596cd1e574b3541e703c0241e2819e35ee275e045

Download Submit
C:\Users\Admin\AppData\Roaming\injectorek.exe

Filesize
90KB

MD5
4491776a0764edab4717befb5b60f956

SHA1
23e6eeb6a8307052c0ea42c1c79a26f52aeeae47

SHA256
ba2a946a6edb417d92e94e214001351be1f837465fc2c38533dabc4c6ebb6383

SHA512
c2f4cd75bb6fb2638b3b8c7b9dd66e15cb48b9fd4cf9383c9740a4c7138bc2ea827641127de9948427c07d5ecd44e296f1a16bb239b2c287dbfc2a05535949ad

Download Submit
C:\Users\Admin\AppData\Roaming\injectorek.exe

Filesize
90KB

MD5
4491776a0764edab4717befb5b60f956

SHA1
23e6eeb6a8307052c0ea42c1c79a26f52aeeae47

SHA256
ba2a946a6edb417d92e94e214001351be1f837465fc2c38533dabc4c6ebb6383

SHA512
c2f4cd75bb6fb2638b3b8c7b9dd66e15cb48b9fd4cf9383c9740a4c7138bc2ea827641127de9948427c07d5ecd44e296f1a16bb239b2c287dbfc2a05535949ad

Download Submit
C:\Users\Admin\AppData\Roaming\windows defender.exe

Filesize
539KB

MD5
f1873887b499fb0bf5f711fc39229175

SHA1
c347191d199962c79a0f6199bc3e940d00b20e32

SHA256
256bedfceda04739912ed3a246f2144caf786f1894aaa3326ec1b0c229eb8cb2

SHA512
94a85813ab21ac7035f02e8ee11d5bacdc9bfea67cc0d07e4dce3d38f9137d72cc8f4f88b4f9b0be73f2216596cd1e574b3541e703c0241e2819e35ee275e045

Download Submit
C:\Users\Admin\AppData\Roaming\windows defender.exe

Filesize
539KB

MD5
f1873887b499fb0bf5f711fc39229175

SHA1
c347191d199962c79a0f6199bc3e940d00b20e32

SHA256
256bedfceda04739912ed3a246f2144caf786f1894aaa3326ec1b0c229eb8cb2

SHA512
94a85813ab21ac7035f02e8ee11d5bacdc9bfea67cc0d07e4dce3d38f9137d72cc8f4f88b4f9b0be73f2216596cd1e574b3541e703c0241e2819e35ee275e045

Download Submit
memory/1228-159-0x0000000006B60000-0x0000000006B6A000-memory.dmp

Filesize
40KB

Download
memory/1228-146-0x0000000000000000-mapping.dmp

Download
memory/1300-145-0x0000000000000000-mapping.dmp

Download
memory/2024-163-0x0000000002325000-0x0000000002327000-memory.dmp

Filesize
8KB

Download
memory/2024-164-0x0000000007650000-0x0000000007CCA000-memory.dmp

Filesize
6.5MB

Download
memory/2024-170-0x0000000007300000-0x0000000007308000-memory.dmp

Filesize
32KB

Download
memory/2024-169-0x0000000007310000-0x000000000732A000-memory.dmp

Filesize
104KB

Download
memory/2024-168-0x00000000072B0000-0x00000000072BE000-memory.dmp

Filesize
56KB

Download
memory/2024-167-0x0000000007340000-0x00000000073D6000-memory.dmp

Filesize
600KB

Download
memory/2024-166-0x0000000007080000-0x000000000708A000-memory.dmp

Filesize
40KB

Download
memory/2024-165-0x0000000007010000-0x000000000702A000-memory.dmp

Filesize
104KB

Download
memory/2024-162-0x00000000062B0000-0x00000000062CE000-memory.dmp

Filesize
120KB

Download
memory/2024-160-0x00000000062D0000-0x0000000006302000-memory.dmp

Filesize
200KB

Download
memory/2024-149-0x0000000000000000-mapping.dmp

Download
memory/2024-150-0x0000000002220000-0x0000000002256000-memory.dmp

Filesize
216KB

Download
memory/2024-151-0x0000000004CB0000-0x00000000052D8000-memory.dmp

Filesize
6.2MB

Download
memory/2024-152-0x0000000004BC0000-0x0000000004C42000-memory.dmp

Filesize
520KB

Download
memory/2024-153-0x00000000054A0000-0x00000000054C2000-memory.dmp

Filesize
136KB

Download
memory/2024-154-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/2024-155-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/2024-156-0x0000000005B90000-0x0000000005C92000-memory.dmp

Filesize
1.0MB

Download
memory/2024-157-0x0000000005CF0000-0x0000000005D0E000-memory.dmp

Filesize
120KB

Download
memory/2024-161-0x000000006FB90000-0x000000006FBDC000-memory.dmp

Filesize
304KB

Download
memory/2688-131-0x00000000748E0000-0x0000000074E91000-memory.dmp

Filesize
5.7MB

Download
memory/2768-173-0x0000000000000000-mapping.dmp

Download
memory/3056-138-0x0000000005040000-0x00000000055E4000-memory.dmp

Filesize
5.6MB

Download
memory/3056-136-0x00000000000A0000-0x000000000012C000-memory.dmp

Filesize
560KB

Download
memory/3056-130-0x0000000000000000-mapping.dmp

Download
memory/3056-140-0x0000000004D90000-0x0000000004DF6000-memory.dmp

Filesize
408KB

Download
memory/3056-139-0x00000000049A0000-0x0000000004A32000-memory.dmp

Filesize
584KB

Download
memory/3056-144-0x0000000005E50000-0x0000000005E70000-memory.dmp

Filesize
128KB

Download
memory/3056-143-0x0000000005EA0000-0x0000000005EEA000-memory.dmp

Filesize
296KB

Download
memory/3056-142-0x0000000005E10000-0x0000000005E4C000-memory.dmp

Filesize
240KB

Download
memory/3056-141-0x00000000059B0000-0x00000000059C2000-memory.dmp

Filesize
72KB

Download
memory/3056-171-0x00000000061B0000-0x00000000061F0000-memory.dmp

Filesize
256KB

Download
memory/4020-134-0x0000000000000000-mapping.dmp

Download
memory/4044-158-0x0000000000000000-mapping.dmp

Download
memory/5036-172-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads