Overview

overview

10

Static

static

5bfd4a2a53...04.exe

windows7_x64

10

5bfd4a2a53...04.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-05-2022 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5bfd4a2a53142c78b5ad8eb5ca2f14bb28fa648b2ce1d2169d837346f2673004.exe

  • Size

    538KB

  • MD5

    61eabb5f86336fe941185bf0a37a8472

  • SHA1

    c733162ee7b9c8622d06258f676c846e99689199

  • SHA256

    5bfd4a2a53142c78b5ad8eb5ca2f14bb28fa648b2ce1d2169d837346f2673004

  • SHA512

    b2d458c865ada84666405636c40a70724d433d1bc9bcdfc830ff9b9b05c1ee08cafd2bbb2e59cd8820c0c247bee2dec432493e6aade925c30ea00a6f9b33efdd

Score
10/10
quasarvenomratsvhostratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_ND6PULLW5ZVLwo1nwR

Attributes
  • encryption_key

    yaa63tXY4j55os5llHHd

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 3 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Quasar Payload 3 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5bfd4a2a53142c78b5ad8eb5ca2f14bb28fa648b2ce1d2169d837346f2673004.exe
    "C:\Users\Admin\AppData\Local\Temp\5bfd4a2a53142c78b5ad8eb5ca2f14bb28fa648b2ce1d2169d837346f2673004.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Roaming\$77-Venom.exe
      "C:\Users\Admin\AppData\Roaming\$77-Venom.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4520
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\null (2).docx" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4448

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\$77-Venom.exe
    Filesize

    534KB

    MD5

    84c1dc6b428904cc2a6746653849df0f

    SHA1

    5cce4078427481f4d7456b5a4f3930ae6e706fb4

    SHA256

    bc24e3c5408fea0b6f9aa0deb56a4636a8d0b9a6054ff1033efa6ccfe04ba44a

    SHA512

    3b7a7607c3409b5ded563f2e1fcc0fa489c4465ab764d14a647b474968a025a95fa8ceb549fc70482b7b1dd935f66a41ada7b4910059786aafc870c5847a9245

    Download Submit

  • C:\Users\Admin\AppData\Roaming\$77-Venom.exe
    Filesize

    534KB

    MD5

    84c1dc6b428904cc2a6746653849df0f

    SHA1

    5cce4078427481f4d7456b5a4f3930ae6e706fb4

    SHA256

    bc24e3c5408fea0b6f9aa0deb56a4636a8d0b9a6054ff1033efa6ccfe04ba44a

    SHA512

    3b7a7607c3409b5ded563f2e1fcc0fa489c4465ab764d14a647b474968a025a95fa8ceb549fc70482b7b1dd935f66a41ada7b4910059786aafc870c5847a9245

    Download Submit

  • C:\Users\Admin\AppData\Roaming\null (2).docx
    Filesize

    2KB

    MD5

    b73ace90e3fbada0e8baa0d47b2cbd6f

    SHA1

    2147bfa5d92cb0c3fd296e7c90befa08564240a6

    SHA256

    94f271283b679ee024724d1aee0f4ead90ce56fb67813b5e0cbc082091fbe364

    SHA512

    d1a9d73fca25a73782bd0170937225afdb402a354a7fb6ea308114e276aed7f77ef211c458dd03292d2e90cd1d61976340396540ac410d452bda363f6d2ee157

    Download Submit

  • memory/1720-130-0x00000000753E0000-0x0000000075991000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4448-142-0x00007FFBB2A70000-0x00007FFBB2A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4448-151-0x00007FFBB2A70000-0x00007FFBB2A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4448-154-0x00007FFBB2A70000-0x00007FFBB2A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4448-153-0x00007FFBB2A70000-0x00007FFBB2A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4448-138-0x00007FFBB2A70000-0x00007FFBB2A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4448-139-0x00007FFBB2A70000-0x00007FFBB2A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4448-140-0x00007FFBB2A70000-0x00007FFBB2A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4448-141-0x00007FFBB2A70000-0x00007FFBB2A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4448-152-0x00007FFBB2A70000-0x00007FFBB2A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4448-144-0x00007FFBB08B0000-0x00007FFBB08C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4448-145-0x00007FFBB08B0000-0x00007FFBB08C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4520-143-0x00000000055E0000-0x0000000005646000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4520-147-0x00000000065F0000-0x000000000662C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4520-149-0x00000000068F0000-0x00000000068FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4520-146-0x00000000061C0000-0x00000000061D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4520-134-0x0000000000760000-0x00000000007EC000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4520-137-0x0000000005240000-0x00000000052D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4520-136-0x0000000005670000-0x0000000005C14000-memory.dmp

    Filesize

    5.6MB

    Download