quasar | fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314

Analysis

max time kernel
155s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12-05-2022 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe
Size

757KB
MD5

2957c39376a38df6aefaee72674c92af
SHA1

f32007bbb1c99bda6e4c97b4a695e87913fd87b1
SHA256

fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314
SHA512

8cecae621972be05ab9be0071689fcf29028f63b1519c4698d531bc754af7363f7bc21dbfb1d97e75914d884ecf4e1264ff20b2903f7b11c45dc88a77ec5dcbc

Score

10^/10

quasar venomrat office04 persistence rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Mutex

Attributes

encryption_key
install_name
log_directory
reconnect_delay
3000
startup_key
subdirectory

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

myconect.ddns.net:6606

Mutex

VNM_MUTEX_bW2Pm17MwUNvIYeCrf

Attributes

encryption_key
skMcIyTXgvAaYya6lzLD
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/204-138-0x0000000000400000-0x000000000048E000-memory.dmp	disable_win_def
behavioral2/files/0x0007000000022ed3-149.dat	disable_win_def
behavioral2/files/0x0007000000022ed3-150.dat	disable_win_def
behavioral2/memory/5088-151-0x0000000000470000-0x00000000004FC000-memory.dmp	disable_win_def

Quasar Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/204-138-0x0000000000400000-0x000000000048E000-memory.dmp	family_quasar
behavioral2/files/0x0007000000022ed3-149.dat	family_quasar
behavioral2/files/0x0007000000022ed3-150.dat	family_quasar
behavioral2/memory/5088-151-0x0000000000470000-0x00000000004FC000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Executes dropped EXE 1 IoCs

Processes:

xmfvmhxj.exe

pid	Process
5088	xmfvmhxj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lxxgldt snybyasm = "C:\\Users\\Admin\\AppData\\Roaming\\fdfhhuxv ssqavqkxj\\chome_exe.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
38	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe

description	pid	Process	procid_target
PID 4392 set thread context of 204	4392	fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
1748	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RegAsm.exepowershell.exe

pid	Process
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe
3108	powershell.exe
204	RegAsm.exe
204	RegAsm.exe
204	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

RegAsm.exepowershell.exetaskkill.exexmfvmhxj.exe

description	pid	Process
Token: SeDebugPrivilege	204	RegAsm.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	5088	xmfvmhxj.exe
Token: SeDebugPrivilege	5088	xmfvmhxj.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid	Process
204	RegAsm.exe
204	RegAsm.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exeRegAsm.exeDllHost.execmd.exe

description	pid	Process	procid_target
PID 4392 wrote to memory of 3108	4392	fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe	86
PID 4392 wrote to memory of 3108	4392	fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe	86
PID 4392 wrote to memory of 3108	4392	fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe	86
PID 4392 wrote to memory of 204	4392	fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe	88
PID 4392 wrote to memory of 204	4392	fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe	88
PID 4392 wrote to memory of 204	4392	fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe	88
PID 4392 wrote to memory of 204	4392	fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe	88
PID 4392 wrote to memory of 204	4392	fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe	88
PID 4392 wrote to memory of 204	4392	fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe	88
PID 4392 wrote to memory of 204	4392	fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe	88
PID 4392 wrote to memory of 204	4392	fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe	88
PID 204 wrote to memory of 3900	204	RegAsm.exe	89
PID 204 wrote to memory of 3900	204	RegAsm.exe	89
PID 204 wrote to memory of 3900	204	RegAsm.exe	89
PID 3176 wrote to memory of 4808	3176	DllHost.exe	91
PID 3176 wrote to memory of 4808	3176	DllHost.exe	91
PID 3176 wrote to memory of 4808	3176	DllHost.exe	91
PID 4808 wrote to memory of 5088	4808	cmd.exe	93
PID 4808 wrote to memory of 5088	4808	cmd.exe	93
PID 4808 wrote to memory of 5088	4808	cmd.exe	93
PID 3176 wrote to memory of 1748	3176	DllHost.exe	94
PID 3176 wrote to memory of 1748	3176	DllHost.exe	94
PID 3176 wrote to memory of 1748	3176	DllHost.exe	94

C:\Users\Admin\AppData\Local\Temp\fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe
"C:\Users\Admin\AppData\Local\Temp\fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'lxxgldt snybyasm';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'lxxgldt snybyasm' -Value '"C:\Users\Admin\AppData\Roaming\fdfhhuxv ssqavqkxj\chome_exe.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:204
- - \??\c:\windows\SysWOW64\cmstp.exe
    "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\lwk3u3ol.inf
    3⤵
    PID:3900

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Windows\temp\xmfvmhxj.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\temp\xmfvmhxj.exe
    C:\Windows\temp\xmfvmhxj.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5088
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM cmstp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\xmfvmhxj.exe

Filesize
534KB

MD5
e4dc9cb250120aebeee969906d1a7a22

SHA1
c0f9d3a2531cc25e212d9adbf8614903d8a6247e

SHA256
14de179b37e9958b3a1d22f22b0bb545be1cb166aeaf5a4892ccd616ee7e544f

SHA512
21461e4fdc16ba99ae24a1f2fa39465678e851591d7402c762a04bf286b9ec8230a0acd147f0c9d54fb6a3428be1851c4d75f46b6cf917a44b3b399e8897667b

Download Submit
C:\Windows\temp\lwk3u3ol.inf

Filesize
606B

MD5
52b8a54e4e0ca636af8c4fb40180c645

SHA1
239358a217b57958b5167f1ebaf127a8f3f27e4a

SHA256
c92d552509f850d1159ddd0ebe52145a6100451af776d253a1d1aefc23e7fdc2

SHA512
46f37cd5423f23fc34f304bb9fe6ce7e8d33d6845067e6c7589269e7b6902a92e02d43c43d2a5a58df4640d46a3d3a0021acb6b4bc61c05e0a9e2f73d6d5e025

Download Submit
C:\Windows\temp\xmfvmhxj.exe

Filesize
534KB

MD5
e4dc9cb250120aebeee969906d1a7a22

SHA1
c0f9d3a2531cc25e212d9adbf8614903d8a6247e

SHA256
14de179b37e9958b3a1d22f22b0bb545be1cb166aeaf5a4892ccd616ee7e544f

SHA512
21461e4fdc16ba99ae24a1f2fa39465678e851591d7402c762a04bf286b9ec8230a0acd147f0c9d54fb6a3428be1851c4d75f46b6cf917a44b3b399e8897667b

Download Submit
memory/204-137-0x0000000000000000-mapping.dmp

Download
memory/204-138-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1748-152-0x0000000000000000-mapping.dmp

Download
memory/3108-144-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/3108-136-0x0000000000000000-mapping.dmp

Download
memory/3108-155-0x0000000006E40000-0x0000000006E62000-memory.dmp

Filesize
136KB

Download
memory/3108-139-0x0000000003010000-0x0000000003046000-memory.dmp

Filesize
216KB

Download
memory/3108-142-0x0000000005C30000-0x0000000006258000-memory.dmp

Filesize
6.2MB

Download
memory/3108-154-0x0000000006DF0000-0x0000000006E0A000-memory.dmp

Filesize
104KB

Download
memory/3108-143-0x0000000005930000-0x0000000005952000-memory.dmp

Filesize
136KB

Download
memory/3108-153-0x00000000078D0000-0x0000000007966000-memory.dmp

Filesize
600KB

Download
memory/3108-145-0x00000000062D0000-0x0000000006336000-memory.dmp

Filesize
408KB

Download
memory/3108-146-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download
memory/3900-140-0x0000000000000000-mapping.dmp

Download
memory/4392-131-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/4392-133-0x00000000055D0000-0x00000000055DA000-memory.dmp

Filesize
40KB

Download
memory/4392-132-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/4392-130-0x0000000000A20000-0x0000000000AE4000-memory.dmp

Filesize
784KB

Download
memory/4392-134-0x0000000005820000-0x0000000005896000-memory.dmp

Filesize
472KB

Download
memory/4392-135-0x0000000005A30000-0x0000000005A4E000-memory.dmp

Filesize
120KB

Download
memory/4808-147-0x0000000000000000-mapping.dmp

Download
memory/5088-148-0x0000000000000000-mapping.dmp

Download
memory/5088-151-0x0000000000470000-0x00000000004FC000-memory.dmp

Filesize
560KB

Download
memory/5088-156-0x00000000053F0000-0x0000000005402000-memory.dmp

Filesize
72KB

Download
memory/5088-157-0x0000000005FF0000-0x000000000602C000-memory.dmp

Filesize
240KB

Download