Overview

overview

10

Static

static

e4b0894af3...1c.exe

windows7_x64

10

e4b0894af3...1c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    169s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-05-2022 01:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c.exe

  • Size

    303KB

  • MD5

    a500424ebd54b1e006ccad65266562e3

  • SHA1

    18be3591da1c3d79aee29026c30c67567e3b2bad

  • SHA256

    e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c

  • SHA512

    c197f02534c15b82f81def7d60349fba1e72c0b82d8b11fe64856a7ae7833e9d9d70d723bac8e1809ceda2cc9c76eb87025199230ba08ebc89bde2f6b71931ec

Score
10/10
quasarvenomratoffice04ratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_bW2Pm17MwUNvIYeCrf

Attributes
  • encryption_key

    skMcIyTXgvAaYya6lzLD

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 3 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Quasar Payload 3 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c.exe
    "C:\Users\Admin\AppData\Local\Temp\e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1276
    • \??\c:\windows\system32\cmstp.exe
      "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\04pkxry1.inf
      2⤵
        PID:4704
    • C:\Windows\system32\cmd.exe
      cmd /c start C:\Windows\temp\uq1zr4nx.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Windows\temp\uq1zr4nx.exe
        C:\Windows\temp\uq1zr4nx.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:232
    • C:\Windows\system32\taskkill.exe
      taskkill /IM cmstp.exe /F
      1⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:216

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Temp\uq1zr4nx.exe
      Filesize

      534KB

      MD5

      e4dc9cb250120aebeee969906d1a7a22

      SHA1

      c0f9d3a2531cc25e212d9adbf8614903d8a6247e

      SHA256

      14de179b37e9958b3a1d22f22b0bb545be1cb166aeaf5a4892ccd616ee7e544f

      SHA512

      21461e4fdc16ba99ae24a1f2fa39465678e851591d7402c762a04bf286b9ec8230a0acd147f0c9d54fb6a3428be1851c4d75f46b6cf917a44b3b399e8897667b

      Download Submit

    • C:\Windows\temp\04pkxry1.inf
      Filesize

      606B

      MD5

      b38d4204db95fc14008e54f741078a6e

      SHA1

      6b18b1c38b2b8c6a20899ff833ede43546863209

      SHA256

      22e14598fe5afb437da081712974bb3bd94f5e0dbfe6139384ae02d9b5afe3ae

      SHA512

      f07c836f543a5ef0c89a67499a38958bfa080c95dae8137bde4bfab5e4772fd0de508f6a9c3995f0dd9f4475c756ea86d4db8acb0af6df82ead06c0e8db410d8

      Download Submit

    • C:\Windows\temp\uq1zr4nx.exe
      Filesize

      534KB

      MD5

      e4dc9cb250120aebeee969906d1a7a22

      SHA1

      c0f9d3a2531cc25e212d9adbf8614903d8a6247e

      SHA256

      14de179b37e9958b3a1d22f22b0bb545be1cb166aeaf5a4892ccd616ee7e544f

      SHA512

      21461e4fdc16ba99ae24a1f2fa39465678e851591d7402c762a04bf286b9ec8230a0acd147f0c9d54fb6a3428be1851c4d75f46b6cf917a44b3b399e8897667b

      Download Submit

    • memory/232-139-0x0000000004FF0000-0x0000000005082000-memory.dmp

      Filesize

      584KB

      Download

    • memory/232-137-0x00000000006D0000-0x000000000075C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/232-138-0x0000000005660000-0x0000000005C04000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/232-140-0x00000000051B0000-0x0000000005216000-memory.dmp

      Filesize

      408KB

      Download

    • memory/232-141-0x0000000005640000-0x0000000005652000-memory.dmp

      Filesize

      72KB

      Download

    • memory/232-142-0x0000000006220000-0x000000000625C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/232-143-0x0000000006520000-0x000000000652A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1276-132-0x00007FFB7D060000-0x00007FFB7DB21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1276-130-0x0000000000C70000-0x0000000000CC2000-memory.dmp

      Filesize

      328KB

      Download