quasar | d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

Analysis

max time kernel
140s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-05-2022 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
Size

664KB
MD5

1f2f26a299287d8353502a9133df4cf1
SHA1

ee40f71067f91d23841e2f2f2b178a153e0f4e07
SHA256

d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726
SHA512

135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

127.0.0.1:4782

karmina113.sytes.net:2222

karmina200.sytes.net:2222

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
Utv1d8B5zhHYcWfy3OEQ
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/4964-132-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4964-132-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Executes dropped EXE 2 IoCs

pid	Process
688	Client.exe
3392	Client.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3648 set thread context of 4964	3648	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	81
PID 688 set thread context of 3392	688	Client.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1860	schtasks.exe
540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2400	powershell.exe
2400	powershell.exe
4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3648	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
Token: SeDebugPrivilege	4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
Token: SeDebugPrivilege	688	Client.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	3392	Client.exe
Token: SeDebugPrivilege	3392	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3392	Client.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 4964	3648	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	81
PID 3648 wrote to memory of 4964	3648	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	81
PID 3648 wrote to memory of 4964	3648	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	81
PID 3648 wrote to memory of 4964	3648	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	81
PID 3648 wrote to memory of 4964	3648	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	81
PID 3648 wrote to memory of 4964	3648	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	81
PID 3648 wrote to memory of 4964	3648	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	81
PID 3648 wrote to memory of 4964	3648	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	81
PID 4964 wrote to memory of 1860	4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	84
PID 4964 wrote to memory of 1860	4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	84
PID 4964 wrote to memory of 1860	4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	84
PID 4964 wrote to memory of 688	4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	86
PID 4964 wrote to memory of 688	4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	86
PID 4964 wrote to memory of 688	4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	86
PID 4964 wrote to memory of 2400	4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	87
PID 4964 wrote to memory of 2400	4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	87
PID 4964 wrote to memory of 2400	4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	87
PID 688 wrote to memory of 3392	688	Client.exe	89
PID 688 wrote to memory of 3392	688	Client.exe	89
PID 688 wrote to memory of 3392	688	Client.exe	89
PID 688 wrote to memory of 3392	688	Client.exe	89
PID 688 wrote to memory of 3392	688	Client.exe	89
PID 688 wrote to memory of 3392	688	Client.exe	89
PID 688 wrote to memory of 3392	688	Client.exe	89
PID 688 wrote to memory of 3392	688	Client.exe	89
PID 3392 wrote to memory of 540	3392	Client.exe	91
PID 3392 wrote to memory of 540	3392	Client.exe	91
PID 3392 wrote to memory of 540	3392	Client.exe	91
PID 4964 wrote to memory of 3272	4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	106
PID 4964 wrote to memory of 3272	4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	106
PID 4964 wrote to memory of 3272	4964	d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe	106
PID 3272 wrote to memory of 4908	3272	cmd.exe	108
PID 3272 wrote to memory of 4908	3272	cmd.exe	108
PID 3272 wrote to memory of 4908	3272	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
"C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe
  "C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe"
  2⤵
  - Checks computer location settings
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1860
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3392
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:4908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Client.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
664KB

MD5
1f2f26a299287d8353502a9133df4cf1

SHA1
ee40f71067f91d23841e2f2f2b178a153e0f4e07

SHA256
d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

SHA512
135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
664KB

MD5
1f2f26a299287d8353502a9133df4cf1

SHA1
ee40f71067f91d23841e2f2f2b178a153e0f4e07

SHA256
d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

SHA512
135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
664KB

MD5
1f2f26a299287d8353502a9133df4cf1

SHA1
ee40f71067f91d23841e2f2f2b178a153e0f4e07

SHA256
d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

SHA512
135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97

Download Submit
memory/2400-149-0x0000000004DD0000-0x00000000053F8000-memory.dmp

Filesize
6.2MB

Download
memory/2400-160-0x0000000007100000-0x000000000710A000-memory.dmp

Filesize
40KB

Download
memory/2400-155-0x0000000006F40000-0x0000000006F72000-memory.dmp

Filesize
200KB

Download
memory/2400-164-0x0000000007320000-0x0000000007328000-memory.dmp

Filesize
32KB

Download
memory/2400-163-0x00000000073D0000-0x00000000073EA000-memory.dmp

Filesize
104KB

Download
memory/2400-144-0x00000000046F0000-0x0000000004726000-memory.dmp

Filesize
216KB

Download
memory/2400-162-0x00000000072E0000-0x00000000072EE000-memory.dmp

Filesize
56KB

Download
memory/2400-161-0x0000000007330000-0x00000000073C6000-memory.dmp

Filesize
600KB

Download
memory/2400-156-0x000000006FE20000-0x000000006FE6C000-memory.dmp

Filesize
304KB

Download
memory/2400-159-0x00000000070A0000-0x00000000070BA000-memory.dmp

Filesize
104KB

Download
memory/2400-150-0x0000000004CF0000-0x0000000004D12000-memory.dmp

Filesize
136KB

Download
memory/2400-151-0x0000000005400000-0x0000000005466000-memory.dmp

Filesize
408KB

Download
memory/2400-158-0x00000000076F0000-0x0000000007D6A000-memory.dmp

Filesize
6.5MB

Download
memory/2400-157-0x0000000006350000-0x000000000636E000-memory.dmp

Filesize
120KB

Download
memory/2400-154-0x0000000005D90000-0x0000000005DAE000-memory.dmp

Filesize
120KB

Download
memory/3392-153-0x00000000068E0000-0x00000000068EA000-memory.dmp

Filesize
40KB

Download
memory/3648-130-0x0000000000BE0000-0x0000000000C8C000-memory.dmp

Filesize
688KB

Download
memory/4964-132-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4964-134-0x0000000005A70000-0x0000000006014000-memory.dmp

Filesize
5.6MB

Download
memory/4964-138-0x0000000006C00000-0x0000000006C3C000-memory.dmp

Filesize
240KB

Download
memory/4964-135-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/4964-136-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/4964-137-0x0000000006690000-0x00000000066A2000-memory.dmp

Filesize
72KB

Download