Analysis
-
max time kernel
143s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
08-05-2022 07:36
General
-
Target
bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31.exe
-
Size
351KB
-
MD5
ce5ad18cc090c8a1405f084d9144671d
-
SHA1
67530a17331ad6477e4b25ef866412349791a3cb
-
SHA256
bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31
-
SHA512
66f3d07eb12c2a94f30fd37dadf832769fb87d10be3751f91ac474f4e72d86b535c5159f7fe2ac80500a844e9a7ace0db1d6dac69c1150475f03c207b9e8bc2a
Malware Config
Extracted
quasar
2.1.0.0
1
10.0.2.15:1337
VNM_MUTEX_28broDsmlFWTzx7r3B
-
encryption_key
0hi0YaDWMh7jhT37Tcsm
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Defender
-
subdirectory
SubDir
Signatures
-
Contains code to disable Windows Defender 3 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Quasar Payload 3 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31.exe"C:\Users\Admin\AppData\Local\Temp\bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Iwpblky.exe"C:\Users\Admin\AppData\Local\Temp\Iwpblky.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Iwpblky.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
534KB
MD57877fc84e5fad8018d10fedee3fd7b4e
SHA1ee58d0a7ee2db778d20bf292393696614443fefa
SHA2562a2e8ebc771d27fc3b32a7e059e1f9aa458324cb225ebea2b4bed0acd191e1be
SHA512ba5a3e9072876c89f1c2bb40e748fd6eb7ae0c9eb99756ab4bcd1bb5d5b1dedb1e517b0e3efd354cf3ed58bb3c49b8d365d340d95781b8eb8577e22ab0675175
-
Filesize
534KB
MD57877fc84e5fad8018d10fedee3fd7b4e
SHA1ee58d0a7ee2db778d20bf292393696614443fefa
SHA2562a2e8ebc771d27fc3b32a7e059e1f9aa458324cb225ebea2b4bed0acd191e1be
SHA512ba5a3e9072876c89f1c2bb40e748fd6eb7ae0c9eb99756ab4bcd1bb5d5b1dedb1e517b0e3efd354cf3ed58bb3c49b8d365d340d95781b8eb8577e22ab0675175
-
Filesize
384KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
560KB
-
Filesize
408KB
-
Filesize
72KB
-
Filesize
240KB