quasar | c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648

Analysis

max time kernel
157s
max time network
165s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-05-2022 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe
Size

617KB
MD5

7ca7553bd7447c208b5ef00e7374cb44
SHA1

2718e5d21d8f12748f8353cd5574554c654f82a0
SHA256

c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648
SHA512

472b6931e9e712b7c8f045efa99b5a4fd23e3aa14dab256a6690850e711f3263d27c85c6df222ab72f2f4ab120986080e96e1bca2b1d4e5c52a29dc26eaecb1c

Score

10^/10

quasar venomrat windows defender security host evasion persistence rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Defender Security Host

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_s1ArJSYbui8dt0HUpJ

Attributes

encryption_key
8gl4TCjsLQUmqCIxalku
install_name
Windows Defender Security Host.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Security Host
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 7 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/984-60-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/984-61-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/984-63-0x0000000000486CAE-mapping.dmp	disable_win_def
behavioral1/memory/984-62-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/984-65-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/984-67-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/684-82-0x0000000000486CAE-mapping.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 7 IoCs

resource	yara_rule
behavioral1/memory/984-60-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/984-61-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/984-63-0x0000000000486CAE-mapping.dmp	family_quasar
behavioral1/memory/984-62-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/984-65-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/984-67-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/684-82-0x0000000000486CAE-mapping.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Executes dropped EXE 3 IoCs

pid	Process
1468	Windows Defender Security Host.exe
2016	Windows Defender Security Host.exe
684	Windows Defender Security Host.exe

Loads dropped DLL 1 IoCs

pid	Process
984	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zHRMiXKHpW = "C:\\Users\\Admin\\AppData\\Roaming\\LbFPJdQtDA\\ZmFSAqsNCM.exe"	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Security Host = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe\""	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Security Host = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Windows Defender Security Host.exe\""	Windows Defender Security Host.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1660 set thread context of 984	1660	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	27
PID 1468 set thread context of 684	1468	Windows Defender Security Host.exe	33

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1696	schtasks.exe
1288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1468	Windows Defender Security Host.exe
1468	Windows Defender Security Host.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	984	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe
Token: SeDebugPrivilege	1468	Windows Defender Security Host.exe
Token: SeDebugPrivilege	684	Windows Defender Security Host.exe
Token: SeDebugPrivilege	684	Windows Defender Security Host.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
684	Windows Defender Security Host.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 984	1660	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	27
PID 1660 wrote to memory of 984	1660	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	27
PID 1660 wrote to memory of 984	1660	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	27
PID 1660 wrote to memory of 984	1660	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	27
PID 1660 wrote to memory of 984	1660	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	27
PID 1660 wrote to memory of 984	1660	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	27
PID 1660 wrote to memory of 984	1660	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	27
PID 1660 wrote to memory of 984	1660	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	27
PID 1660 wrote to memory of 984	1660	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	27
PID 984 wrote to memory of 1696	984	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	29
PID 984 wrote to memory of 1696	984	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	29
PID 984 wrote to memory of 1696	984	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	29
PID 984 wrote to memory of 1696	984	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	29
PID 984 wrote to memory of 1468	984	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	31
PID 984 wrote to memory of 1468	984	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	31
PID 984 wrote to memory of 1468	984	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	31
PID 984 wrote to memory of 1468	984	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	31
PID 1468 wrote to memory of 2016	1468	Windows Defender Security Host.exe	32
PID 1468 wrote to memory of 2016	1468	Windows Defender Security Host.exe	32
PID 1468 wrote to memory of 2016	1468	Windows Defender Security Host.exe	32
PID 1468 wrote to memory of 2016	1468	Windows Defender Security Host.exe	32
PID 1468 wrote to memory of 684	1468	Windows Defender Security Host.exe	33
PID 1468 wrote to memory of 684	1468	Windows Defender Security Host.exe	33
PID 1468 wrote to memory of 684	1468	Windows Defender Security Host.exe	33
PID 1468 wrote to memory of 684	1468	Windows Defender Security Host.exe	33
PID 1468 wrote to memory of 684	1468	Windows Defender Security Host.exe	33
PID 1468 wrote to memory of 684	1468	Windows Defender Security Host.exe	33
PID 1468 wrote to memory of 684	1468	Windows Defender Security Host.exe	33
PID 1468 wrote to memory of 684	1468	Windows Defender Security Host.exe	33
PID 1468 wrote to memory of 684	1468	Windows Defender Security Host.exe	33
PID 984 wrote to memory of 672	984	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	34
PID 984 wrote to memory of 672	984	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	34
PID 984 wrote to memory of 672	984	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	34
PID 984 wrote to memory of 672	984	c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe	34
PID 684 wrote to memory of 1288	684	Windows Defender Security Host.exe	36
PID 684 wrote to memory of 1288	684	Windows Defender Security Host.exe	36
PID 684 wrote to memory of 1288	684	Windows Defender Security Host.exe	36
PID 684 wrote to memory of 1288	684	Windows Defender Security Host.exe	36

C:\Users\Admin\AppData\Local\Temp\c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe
"C:\Users\Admin\AppData\Local\Temp\c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe
  "C:\Users\Admin\AppData\Local\Temp\c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe"
  2⤵
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Defender Security Host" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1696
- - C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
      4⤵
      Executes dropped EXE
      PID:2016
  - - C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:684
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Security Host" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1288
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
617KB

MD5
7ca7553bd7447c208b5ef00e7374cb44

SHA1
2718e5d21d8f12748f8353cd5574554c654f82a0

SHA256
c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648

SHA512
472b6931e9e712b7c8f045efa99b5a4fd23e3aa14dab256a6690850e711f3263d27c85c6df222ab72f2f4ab120986080e96e1bca2b1d4e5c52a29dc26eaecb1c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
617KB

MD5
7ca7553bd7447c208b5ef00e7374cb44

SHA1
2718e5d21d8f12748f8353cd5574554c654f82a0

SHA256
c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648

SHA512
472b6931e9e712b7c8f045efa99b5a4fd23e3aa14dab256a6690850e711f3263d27c85c6df222ab72f2f4ab120986080e96e1bca2b1d4e5c52a29dc26eaecb1c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
617KB

MD5
7ca7553bd7447c208b5ef00e7374cb44

SHA1
2718e5d21d8f12748f8353cd5574554c654f82a0

SHA256
c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648

SHA512
472b6931e9e712b7c8f045efa99b5a4fd23e3aa14dab256a6690850e711f3263d27c85c6df222ab72f2f4ab120986080e96e1bca2b1d4e5c52a29dc26eaecb1c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
617KB

MD5
7ca7553bd7447c208b5ef00e7374cb44

SHA1
2718e5d21d8f12748f8353cd5574554c654f82a0

SHA256
c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648

SHA512
472b6931e9e712b7c8f045efa99b5a4fd23e3aa14dab256a6690850e711f3263d27c85c6df222ab72f2f4ab120986080e96e1bca2b1d4e5c52a29dc26eaecb1c

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
617KB

MD5
7ca7553bd7447c208b5ef00e7374cb44

SHA1
2718e5d21d8f12748f8353cd5574554c654f82a0

SHA256
c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648

SHA512
472b6931e9e712b7c8f045efa99b5a4fd23e3aa14dab256a6690850e711f3263d27c85c6df222ab72f2f4ab120986080e96e1bca2b1d4e5c52a29dc26eaecb1c

Download Submit
memory/984-60-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/984-58-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/984-65-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/984-67-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/984-57-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/984-62-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/984-61-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1468-74-0x0000000000AC0000-0x0000000000B62000-memory.dmp

Filesize
648KB

Download
memory/1660-54-0x0000000000890000-0x0000000000932000-memory.dmp

Filesize
648KB

Download
memory/1660-56-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/1660-55-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download