quasar | 8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2

General

Target

8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe
Size

618KB
MD5

b4a017055a4928d2c8d7261285f9bda9
SHA1

4987b49f51a86f302d77f48c542e270952242b13
SHA256

8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2
SHA512

c75306c8514ebe0ccb10c2d31c0323d4c1d0cce98f3e20c30bf18e965bf040c0237c9d1afee38f79ee8d62b16839c6b67dfe35753a77ae046211eadc808dad2c

Score

10^/10

quasar venomrat windows defender security host persistence rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Defender Security Host

C2

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_s1ArJSYbui8dt0HUpJ

Attributes

encryption_key
8gl4TCjsLQUmqCIxalku
install_name
Windows Defender Security Host.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Security Host
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/4608-137-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Quasar Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4608-137-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zHRMiXKHpW = "C:\\Users\\Admin\\AppData\\Roaming\\LbFPJdQtDA\\ZmFSAqsNCM.exe"	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com
18	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2108 set thread context of 4608	2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2304	3036	WerFault.exe	90

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2820	schtasks.exe
2360	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2888	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe
2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe
2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe
2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe
Token: SeDebugPrivilege	4608	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 4276	2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe	82
PID 2108 wrote to memory of 4276	2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe	82
PID 2108 wrote to memory of 4276	2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe	82
PID 2108 wrote to memory of 456	2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe	84
PID 2108 wrote to memory of 456	2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe	84
PID 2108 wrote to memory of 456	2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe	84
PID 2108 wrote to memory of 4608	2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe	83
PID 2108 wrote to memory of 4608	2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe	83
PID 2108 wrote to memory of 4608	2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe	83
PID 2108 wrote to memory of 4608	2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe	83
PID 2108 wrote to memory of 4608	2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe	83
PID 2108 wrote to memory of 4608	2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe	83
PID 2108 wrote to memory of 4608	2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe	83
PID 2108 wrote to memory of 4608	2108	8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe	83

C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe
"C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe
  "C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe"
  2⤵
  PID:4276
- C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe
  "C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4608
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Defender Security Host" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2820
- - C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
    3⤵
    PID:4284
  - - C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
      4⤵
      PID:3036
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Security Host" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2360
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 2276
        5⤵
        Program crash
        
        PID:2304
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CngIvNouabqu.bat" "
        5⤵
        
        PID:4360
  - - C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
      4⤵
      PID:4780
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:3484
- C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe
  "C:\Users\Admin\AppData\Local\Temp\8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe"
  2⤵
  PID:456

C:\Windows\SysWOW64\chcp.com
chcp 65001
1⤵
PID:4868

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3036 -ip 3036
1⤵
PID:5092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CngIvNouabqu.bat

Filesize
231B

MD5
5684fa7b25d111a4a458e2d0ae50e717

SHA1
3fa018fcf85f5d5dc3636f91d986b93e89cc0edf

SHA256
b9e24a3efe411f80e8a392ec1a029f44b9bf9f301a5575518077e595efa10948

SHA512
ee6bc2b4c207094ba73cdcdcdb999d867b93883844ff346ec35f1f1315351ee6675c6e9fc08d352ec73895a07faf03ebeb680bc1874cdc7f74d71ad8065ecddf

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
618KB

MD5
b4a017055a4928d2c8d7261285f9bda9

SHA1
4987b49f51a86f302d77f48c542e270952242b13

SHA256
8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2

SHA512
c75306c8514ebe0ccb10c2d31c0323d4c1d0cce98f3e20c30bf18e965bf040c0237c9d1afee38f79ee8d62b16839c6b67dfe35753a77ae046211eadc808dad2c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
618KB

MD5
b4a017055a4928d2c8d7261285f9bda9

SHA1
4987b49f51a86f302d77f48c542e270952242b13

SHA256
8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2

SHA512
c75306c8514ebe0ccb10c2d31c0323d4c1d0cce98f3e20c30bf18e965bf040c0237c9d1afee38f79ee8d62b16839c6b67dfe35753a77ae046211eadc808dad2c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
618KB

MD5
b4a017055a4928d2c8d7261285f9bda9

SHA1
4987b49f51a86f302d77f48c542e270952242b13

SHA256
8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2

SHA512
c75306c8514ebe0ccb10c2d31c0323d4c1d0cce98f3e20c30bf18e965bf040c0237c9d1afee38f79ee8d62b16839c6b67dfe35753a77ae046211eadc808dad2c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
618KB

MD5
b4a017055a4928d2c8d7261285f9bda9

SHA1
4987b49f51a86f302d77f48c542e270952242b13

SHA256
8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2

SHA512
c75306c8514ebe0ccb10c2d31c0323d4c1d0cce98f3e20c30bf18e965bf040c0237c9d1afee38f79ee8d62b16839c6b67dfe35753a77ae046211eadc808dad2c

Download Submit
memory/2108-131-0x0000000005AA0000-0x0000000006044000-memory.dmp

Filesize
5.6MB

Download
memory/2108-132-0x00000000054F0000-0x0000000005582000-memory.dmp

Filesize
584KB

Download
memory/2108-133-0x0000000005590000-0x000000000562C000-memory.dmp

Filesize
624KB

Download
memory/2108-130-0x00000000009A0000-0x0000000000A42000-memory.dmp

Filesize
648KB

Download
memory/3036-160-0x0000000006C80000-0x0000000006C8A000-memory.dmp

Filesize
40KB

Download
memory/3036-155-0x0000000006900000-0x000000000693C000-memory.dmp

Filesize
240KB

Download
memory/3484-145-0x0000000002C90000-0x0000000002CC6000-memory.dmp

Filesize
216KB

Download
memory/3484-151-0x00000000057E0000-0x0000000005E08000-memory.dmp

Filesize
6.2MB

Download
memory/3484-171-0x0000000007C70000-0x0000000007C78000-memory.dmp

Filesize
32KB

Download
memory/3484-170-0x0000000007C90000-0x0000000007CAA000-memory.dmp

Filesize
104KB

Download
memory/3484-169-0x0000000007B80000-0x0000000007B8E000-memory.dmp

Filesize
56KB

Download
memory/3484-165-0x0000000007BC0000-0x0000000007C56000-memory.dmp

Filesize
600KB

Download
memory/3484-154-0x0000000006640000-0x000000000665E000-memory.dmp

Filesize
120KB

Download
memory/3484-156-0x0000000006C00000-0x0000000006C32000-memory.dmp

Filesize
200KB

Download
memory/3484-152-0x00000000055F0000-0x0000000005612000-memory.dmp

Filesize
136KB

Download
memory/3484-159-0x0000000006BE0000-0x0000000006BFE000-memory.dmp

Filesize
120KB

Download
memory/3484-158-0x00000000706B0000-0x00000000706FC000-memory.dmp

Filesize
304KB

Download
memory/3484-163-0x00000000079B0000-0x00000000079BA000-memory.dmp

Filesize
40KB

Download
memory/3484-153-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/3484-162-0x0000000007940000-0x000000000795A000-memory.dmp

Filesize
104KB

Download
memory/3484-161-0x0000000007F80000-0x00000000085FA000-memory.dmp

Filesize
6.5MB

Download
memory/4608-137-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4608-138-0x0000000005200000-0x0000000005266000-memory.dmp

Filesize
408KB

Download
memory/4608-139-0x0000000005DF0000-0x0000000005E02000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads