Overview

overview

10

Static

static

90e165246c...2f.exe

windows7_x64

10

90e165246c...2f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-05-2022 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    90e165246c0518ce77a98adbe2cd589bdc75d162f23fde3e7f837882b8facd2f.exe

  • Size

    503KB

  • MD5

    3e5b3579e97745512e8766b9c89aba66

  • SHA1

    43a67810e5278a542f6a4d8eb86040b64e34fb35

  • SHA256

    90e165246c0518ce77a98adbe2cd589bdc75d162f23fde3e7f837882b8facd2f

  • SHA512

    d967309ba2e26e71c692850c04aae9a90880614848c021e332d06d4de123c02cf07768b42503d065cde9187e3d56b1637d16b775f2c755a7b1ae01632000dc6c

Score
10/10
quasarvenomratsvhostratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_ND6PULLW5ZVLwo1nwR

Attributes
  • encryption_key

    yaa63tXY4j55os5llHHd

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 3 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Quasar Payload 3 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90e165246c0518ce77a98adbe2cd589bdc75d162f23fde3e7f837882b8facd2f.exe
    "C:\Users\Admin\AppData\Local\Temp\90e165246c0518ce77a98adbe2cd589bdc75d162f23fde3e7f837882b8facd2f.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Users\Admin\AppData\Roaming\$77-Venom.exe
      "C:\Users\Admin\AppData\Roaming\$77-Venom.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3488
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\null (2).docx" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4336

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\$77-Venom.exe
    Filesize

    534KB

    MD5

    84c1dc6b428904cc2a6746653849df0f

    SHA1

    5cce4078427481f4d7456b5a4f3930ae6e706fb4

    SHA256

    bc24e3c5408fea0b6f9aa0deb56a4636a8d0b9a6054ff1033efa6ccfe04ba44a

    SHA512

    3b7a7607c3409b5ded563f2e1fcc0fa489c4465ab764d14a647b474968a025a95fa8ceb549fc70482b7b1dd935f66a41ada7b4910059786aafc870c5847a9245

    Download Submit

  • C:\Users\Admin\AppData\Roaming\$77-Venom.exe
    Filesize

    534KB

    MD5

    84c1dc6b428904cc2a6746653849df0f

    SHA1

    5cce4078427481f4d7456b5a4f3930ae6e706fb4

    SHA256

    bc24e3c5408fea0b6f9aa0deb56a4636a8d0b9a6054ff1033efa6ccfe04ba44a

    SHA512

    3b7a7607c3409b5ded563f2e1fcc0fa489c4465ab764d14a647b474968a025a95fa8ceb549fc70482b7b1dd935f66a41ada7b4910059786aafc870c5847a9245

    Download Submit

  • C:\Users\Admin\AppData\Roaming\null (2).docx
    Filesize

    2KB

    MD5

    b73ace90e3fbada0e8baa0d47b2cbd6f

    SHA1

    2147bfa5d92cb0c3fd296e7c90befa08564240a6

    SHA256

    94f271283b679ee024724d1aee0f4ead90ce56fb67813b5e0cbc082091fbe364

    SHA512

    d1a9d73fca25a73782bd0170937225afdb402a354a7fb6ea308114e276aed7f77ef211c458dd03292d2e90cd1d61976340396540ac410d452bda363f6d2ee157

    Download Submit

  • memory/2760-130-0x0000000074AF0000-0x00000000750A1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3488-136-0x0000000005D60000-0x0000000006304000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3488-143-0x00000000058A0000-0x0000000005906000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3488-134-0x0000000000E50000-0x0000000000EDC000-memory.dmp

    Filesize

    560KB

    Download

  • memory/3488-137-0x0000000005930000-0x00000000059C2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3488-149-0x0000000006FE0000-0x0000000006FEA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3488-131-0x0000000000000000-mapping.dmp

    Download

  • memory/3488-146-0x0000000006CE0000-0x0000000006D1C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3488-144-0x00000000068B0000-0x00000000068C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4336-139-0x00007FF9ED310000-0x00007FF9ED320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-142-0x00007FF9ED310000-0x00007FF9ED320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-141-0x00007FF9ED310000-0x00007FF9ED320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-145-0x00007FF9EA9B0000-0x00007FF9EA9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-140-0x00007FF9ED310000-0x00007FF9ED320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-147-0x00007FF9EA9B0000-0x00007FF9EA9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-135-0x0000000000000000-mapping.dmp

    Download

  • memory/4336-138-0x00007FF9ED310000-0x00007FF9ED320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-151-0x00007FF9ED310000-0x00007FF9ED320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-152-0x00007FF9ED310000-0x00007FF9ED320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-153-0x00007FF9ED310000-0x00007FF9ED320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4336-154-0x00007FF9ED310000-0x00007FF9ED320000-memory.dmp

    Filesize

    64KB

    Download