Overview

overview

10

Static

static

e74ca62366...73.exe

windows7_x64

10

e74ca62366...73.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12-05-2022 11:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e74ca6236680178ea85d3dec5335bf054d5004d7810683cb1233f67ca3894c73.exe

  • Size

    491KB

  • MD5

    61052c513ec73fe0fe0cefe1f5a8d588

  • SHA1

    ec74c81f9ac11a02987788c3f5ae21c7702367cb

  • SHA256

    e74ca6236680178ea85d3dec5335bf054d5004d7810683cb1233f67ca3894c73

  • SHA512

    83e5b267dcb6ee461ce284150be7db62f7c9012d66336206c4ae30ec9a6d8bbe73c25927ca6491da1322ae7dade5a1e67253b1025abd58df8afed1fc40614a74

Score
10/10
quasarvenomratsvhostratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_ND6PULLW5ZVLwo1nwR

Attributes
  • encryption_key

    yaa63tXY4j55os5llHHd

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 4 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Quasar Payload 4 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e74ca6236680178ea85d3dec5335bf054d5004d7810683cb1233f67ca3894c73.exe
    "C:\Users\Admin\AppData\Local\Temp\e74ca6236680178ea85d3dec5335bf054d5004d7810683cb1233f67ca3894c73.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Users\Admin\AppData\Roaming\$77-Venom.exe
      "C:\Users\Admin\AppData\Roaming\$77-Venom.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1324
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\null (2).docx"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:540

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\$77-Venom.exe
      Filesize

      534KB

      MD5

      84c1dc6b428904cc2a6746653849df0f

      SHA1

      5cce4078427481f4d7456b5a4f3930ae6e706fb4

      SHA256

      bc24e3c5408fea0b6f9aa0deb56a4636a8d0b9a6054ff1033efa6ccfe04ba44a

      SHA512

      3b7a7607c3409b5ded563f2e1fcc0fa489c4465ab764d14a647b474968a025a95fa8ceb549fc70482b7b1dd935f66a41ada7b4910059786aafc870c5847a9245

      Download Submit

    • C:\Users\Admin\AppData\Roaming\$77-Venom.exe
      Filesize

      534KB

      MD5

      84c1dc6b428904cc2a6746653849df0f

      SHA1

      5cce4078427481f4d7456b5a4f3930ae6e706fb4

      SHA256

      bc24e3c5408fea0b6f9aa0deb56a4636a8d0b9a6054ff1033efa6ccfe04ba44a

      SHA512

      3b7a7607c3409b5ded563f2e1fcc0fa489c4465ab764d14a647b474968a025a95fa8ceb549fc70482b7b1dd935f66a41ada7b4910059786aafc870c5847a9245

      Download Submit

    • C:\Users\Admin\AppData\Roaming\null (2).docx
      Filesize

      2KB

      MD5

      b73ace90e3fbada0e8baa0d47b2cbd6f

      SHA1

      2147bfa5d92cb0c3fd296e7c90befa08564240a6

      SHA256

      94f271283b679ee024724d1aee0f4ead90ce56fb67813b5e0cbc082091fbe364

      SHA512

      d1a9d73fca25a73782bd0170937225afdb402a354a7fb6ea308114e276aed7f77ef211c458dd03292d2e90cd1d61976340396540ac410d452bda363f6d2ee157

      Download Submit

    • \Users\Admin\AppData\Roaming\$77-Venom.exe
      Filesize

      534KB

      MD5

      84c1dc6b428904cc2a6746653849df0f

      SHA1

      5cce4078427481f4d7456b5a4f3930ae6e706fb4

      SHA256

      bc24e3c5408fea0b6f9aa0deb56a4636a8d0b9a6054ff1033efa6ccfe04ba44a

      SHA512

      3b7a7607c3409b5ded563f2e1fcc0fa489c4465ab764d14a647b474968a025a95fa8ceb549fc70482b7b1dd935f66a41ada7b4910059786aafc870c5847a9245

      Download Submit

    • memory/540-70-0x000007FEFBF11000-0x000007FEFBF13000-memory.dmp

      Filesize

      8KB

      Download

    • memory/892-54-0x0000000075801000-0x0000000075803000-memory.dmp

      Filesize

      8KB

      Download

    • memory/892-59-0x0000000074A30000-0x0000000074FDB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1324-60-0x0000000001130000-0x00000000011BC000-memory.dmp

      Filesize

      560KB

      Download

    • memory/1996-64-0x000000006BD61000-0x000000006BD63000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1996-65-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1996-67-0x000000006CD4D000-0x000000006CD58000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1996-63-0x000000006E4C1000-0x000000006E4C4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1996-71-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download