quasar | bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c

Analysis

max time kernel
124s
max time network
139s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-05-2022 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe
Size

683KB
MD5

a8b9706ed1ca326d4673b88fed84db23
SHA1

72fb18cdcd67d83fe1484b8ff93ba477e8082f7d
SHA256

bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c
SHA512

89c5706bba41e6b25ad1f4431eba26df9145c2292f0c42c64c688851c1882004814bf4444f8013efc1504b4bb2bbb4d11896fec7c2e42088604eedadd28ebb9b

Score

10^/10

quasar venomrat $77systemtelemtry evasion rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

$77systemtelemtry

192.168.0.44:80

67.61.188.107:80

Mutex

VNM_MUTEX_OplgS6EDrflEgnBXyU

Attributes

encryption_key
6opnJj4VnPTLLOS9SdTg
install_name
windowsrc.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Registry Handler
subdirectory
bin

Signatures

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1540-54-0x0000000000A50000-0x0000000000B00000-memory.dmp	disable_win_def
behavioral1/files/0x000a00000001310c-57.dat	disable_win_def
behavioral1/files/0x000a00000001310c-59.dat	disable_win_def
behavioral1/files/0x000a00000001310c-60.dat	disable_win_def
behavioral1/memory/1176-62-0x00000000008B0000-0x0000000000960000-memory.dmp	disable_win_def
behavioral1/memory/980-74-0x0000000000CE0000-0x0000000000D90000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1540-54-0x0000000000A50000-0x0000000000B00000-memory.dmp	family_quasar
behavioral1/files/0x000a00000001310c-57.dat	family_quasar
behavioral1/files/0x000a00000001310c-59.dat	family_quasar
behavioral1/files/0x000a00000001310c-60.dat	family_quasar
behavioral1/memory/1176-62-0x00000000008B0000-0x0000000000960000-memory.dmp	family_quasar
behavioral1/memory/980-74-0x0000000000CE0000-0x0000000000D90000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Executes dropped EXE 1 IoCs

Processes:

windowsrc.exe

pid	Process
1176	windowsrc.exe

Loads dropped DLL 1 IoCs

Processes:

bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe

pid	Process
1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
2008	schtasks.exe
1748	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
928	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exebfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exebfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe

pid	Process
1732	powershell.exe
1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe
1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe
1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe
1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe
1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe
1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe
1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe
980	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exepowershell.exewindowsrc.exebfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe

description	pid	Process
Token: SeDebugPrivilege	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1176	windowsrc.exe
Token: SeDebugPrivilege	1176	windowsrc.exe
Token: SeDebugPrivilege	980	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

windowsrc.exe

pid	Process
1176	windowsrc.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exewindowsrc.execmd.execmd.exe

description	pid	Process	procid_target
PID 1540 wrote to memory of 1748	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	28
PID 1540 wrote to memory of 1748	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	28
PID 1540 wrote to memory of 1748	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	28
PID 1540 wrote to memory of 1748	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	28
PID 1540 wrote to memory of 1176	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	30
PID 1540 wrote to memory of 1176	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	30
PID 1540 wrote to memory of 1176	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	30
PID 1540 wrote to memory of 1176	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	30
PID 1540 wrote to memory of 1732	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	31
PID 1540 wrote to memory of 1732	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	31
PID 1540 wrote to memory of 1732	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	31
PID 1540 wrote to memory of 1732	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	31
PID 1176 wrote to memory of 2008	1176	windowsrc.exe	33
PID 1176 wrote to memory of 2008	1176	windowsrc.exe	33
PID 1176 wrote to memory of 2008	1176	windowsrc.exe	33
PID 1176 wrote to memory of 2008	1176	windowsrc.exe	33
PID 1540 wrote to memory of 1940	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	35
PID 1540 wrote to memory of 1940	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	35
PID 1540 wrote to memory of 1940	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	35
PID 1540 wrote to memory of 1940	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	35
PID 1940 wrote to memory of 668	1940	cmd.exe	37
PID 1940 wrote to memory of 668	1940	cmd.exe	37
PID 1940 wrote to memory of 668	1940	cmd.exe	37
PID 1940 wrote to memory of 668	1940	cmd.exe	37
PID 1540 wrote to memory of 1452	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	38
PID 1540 wrote to memory of 1452	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	38
PID 1540 wrote to memory of 1452	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	38
PID 1540 wrote to memory of 1452	1540	bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe	38
PID 1452 wrote to memory of 1492	1452	cmd.exe	40
PID 1452 wrote to memory of 1492	1452	cmd.exe	40
PID 1452 wrote to memory of 1492	1452	cmd.exe	40
PID 1452 wrote to memory of 1492	1452	cmd.exe	40
PID 1452 wrote to memory of 928	1452	cmd.exe	41
PID 1452 wrote to memory of 928	1452	cmd.exe	41
PID 1452 wrote to memory of 928	1452	cmd.exe	41
PID 1452 wrote to memory of 928	1452	cmd.exe	41
PID 1452 wrote to memory of 980	1452	cmd.exe	42
PID 1452 wrote to memory of 980	1452	cmd.exe	42
PID 1452 wrote to memory of 980	1452	cmd.exe	42
PID 1452 wrote to memory of 980	1452	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe
"C:\Users\Admin\AppData\Local\Temp\bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe"
1⤵
- Loads dropped DLL
- Windows security modification
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Windows Registry Handler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1748
- C:\Users\Admin\AppData\Roaming\bin\windowsrc.exe
  "C:\Users\Admin\AppData\Roaming\bin\windowsrc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Registry Handler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\bin\windowsrc.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    3⤵
    PID:668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FvihVwZ4xoR9.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:928
- - C:\Users\Admin\AppData\Local\Temp\bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe
    "C:\Users\Admin\AppData\Local\Temp\bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FvihVwZ4xoR9.bat

Filesize
261B

MD5
34ecfeb97f99d9d26bc14f00747238c2

SHA1
018c4ff66cb4a060bf6789cead5b8aa16e988497

SHA256
fd7aeab9a9159b9928811225af198d9f14a1d2142f825de34bb9d940c295cf45

SHA512
e50bd26c32bbfb2edb7120ef0fa0a1d19cd7788f2dd87970a72bd6babd7205bf3686ded99185636eaf8402769ec5277c13ccb88a1d44584e4668385fc8690b62

Download Submit
C:\Users\Admin\AppData\Roaming\bin\windowsrc.exe

Filesize
683KB

MD5
a8b9706ed1ca326d4673b88fed84db23

SHA1
72fb18cdcd67d83fe1484b8ff93ba477e8082f7d

SHA256
bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c

SHA512
89c5706bba41e6b25ad1f4431eba26df9145c2292f0c42c64c688851c1882004814bf4444f8013efc1504b4bb2bbb4d11896fec7c2e42088604eedadd28ebb9b

Download Submit
C:\Users\Admin\AppData\Roaming\bin\windowsrc.exe

Filesize
683KB

MD5
a8b9706ed1ca326d4673b88fed84db23

SHA1
72fb18cdcd67d83fe1484b8ff93ba477e8082f7d

SHA256
bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c

SHA512
89c5706bba41e6b25ad1f4431eba26df9145c2292f0c42c64c688851c1882004814bf4444f8013efc1504b4bb2bbb4d11896fec7c2e42088604eedadd28ebb9b

Download Submit
\Users\Admin\AppData\Roaming\bin\windowsrc.exe

Filesize
683KB

MD5
a8b9706ed1ca326d4673b88fed84db23

SHA1
72fb18cdcd67d83fe1484b8ff93ba477e8082f7d

SHA256
bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c

SHA512
89c5706bba41e6b25ad1f4431eba26df9145c2292f0c42c64c688851c1882004814bf4444f8013efc1504b4bb2bbb4d11896fec7c2e42088604eedadd28ebb9b

Download Submit
memory/668-68-0x0000000000000000-mapping.dmp

Download
memory/928-72-0x0000000000000000-mapping.dmp

Download
memory/980-74-0x0000000000CE0000-0x0000000000D90000-memory.dmp

Filesize
704KB

Download
memory/980-73-0x0000000000000000-mapping.dmp

Download
memory/1176-58-0x0000000000000000-mapping.dmp

Download
memory/1176-62-0x00000000008B0000-0x0000000000960000-memory.dmp

Filesize
704KB

Download
memory/1452-69-0x0000000000000000-mapping.dmp

Download
memory/1492-71-0x0000000000000000-mapping.dmp

Download
memory/1540-54-0x0000000000A50000-0x0000000000B00000-memory.dmp

Filesize
704KB

Download
memory/1540-55-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1732-65-0x000000006E6E0000-0x000000006EC8B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-61-0x0000000000000000-mapping.dmp

Download
memory/1748-56-0x0000000000000000-mapping.dmp

Download
memory/1940-67-0x0000000000000000-mapping.dmp

Download
memory/2008-66-0x0000000000000000-mapping.dmp

Download