quasar | f43704733fbb8efbc457bb922c529df7e358cd26f7d99f0ec4c4cbb748d816d1

General

Target

f43704733fbb8efbc457bb922c529df7e358cd26f7d99f0ec4c4cbb748d816d1.exe
Size

557KB
MD5

f84217da36243f2f84ac59ef8b7a335c
SHA1

0db32208d2c6c43caa2c5f7030812521a749e91f
SHA256

f43704733fbb8efbc457bb922c529df7e358cd26f7d99f0ec4c4cbb748d816d1
SHA512

d247f517e8cf1cc93170b8c38c9a95e1797669478f7f7d65f9e13f3ff66b5995557ab86abb763a7208517a8033e4a708fca241d2f1ef257fadcedd6a73c7edd4

Score

10^/10

quasar venomrat office04 persistence rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

127.0.0.1:4782

Mutex

VNM_MUTEX_iRne81OIv7xHkBnmxo

Attributes

encryption_key
btGyLN1mMyjkKPSibgiM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/files/0x000200000001e697-136.dat	disable_win_def
behavioral2/files/0x000200000001e697-135.dat	disable_win_def
behavioral2/memory/4636-137-0x00000000005A0000-0x0000000000656000-memory.dmp	disable_win_def

Quasar Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000200000001e697-136.dat	family_quasar
behavioral2/files/0x000200000001e697-135.dat	family_quasar
behavioral2/memory/4636-137-0x00000000005A0000-0x0000000000656000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Executes dropped EXE 1 IoCs

Processes:

Qparrgldtgy.exe

pid	Process
4636	Qparrgldtgy.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f43704733fbb8efbc457bb922c529df7e358cd26f7d99f0ec4c4cbb748d816d1.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	f43704733fbb8efbc457bb922c529df7e358cd26f7d99f0ec4c4cbb748d816d1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Qparrgldtgy.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Venom Client Startup = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qparrgldtgy.exe\""	Qparrgldtgy.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
72	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
2488	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Qparrgldtgy.exe

description	pid	Process
Token: SeDebugPrivilege	4636	Qparrgldtgy.exe
Token: SeDebugPrivilege	4636	Qparrgldtgy.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Qparrgldtgy.exe

pid	Process
4636	Qparrgldtgy.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f43704733fbb8efbc457bb922c529df7e358cd26f7d99f0ec4c4cbb748d816d1.exeQparrgldtgy.exe

description	pid	Process	procid_target
PID 4144 wrote to memory of 4636	4144	f43704733fbb8efbc457bb922c529df7e358cd26f7d99f0ec4c4cbb748d816d1.exe	87
PID 4144 wrote to memory of 4636	4144	f43704733fbb8efbc457bb922c529df7e358cd26f7d99f0ec4c4cbb748d816d1.exe	87
PID 4144 wrote to memory of 4636	4144	f43704733fbb8efbc457bb922c529df7e358cd26f7d99f0ec4c4cbb748d816d1.exe	87
PID 4636 wrote to memory of 2488	4636	Qparrgldtgy.exe	94
PID 4636 wrote to memory of 2488	4636	Qparrgldtgy.exe	94
PID 4636 wrote to memory of 2488	4636	Qparrgldtgy.exe	94

C:\Users\Admin\AppData\Local\Temp\f43704733fbb8efbc457bb922c529df7e358cd26f7d99f0ec4c4cbb748d816d1.exe
"C:\Users\Admin\AppData\Local\Temp\f43704733fbb8efbc457bb922c529df7e358cd26f7d99f0ec4c4cbb748d816d1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Users\Admin\AppData\Local\Temp\Qparrgldtgy.exe
  "C:\Users\Admin\AppData\Local\Temp\Qparrgldtgy.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Qparrgldtgy.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Qparrgldtgy.exe

Filesize
702KB

MD5
228c70c1f3f7931565e579dfa23c9d16

SHA1
36b022abebcf57a83a1984d824e3d1046dc7bf31

SHA256
f853198fd10c73b320de1723a25dd35d17f61a0afde46f8e3a9a85efde306656

SHA512
a35a7168426d882a3f1e27948d2854ddfaa9f9fdc91c6cafeef7defbb74b608ce3d21dacf9fe3013483efe3fd861202a6c4f275f051604bd92d52cd588961097

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qparrgldtgy.exe

Filesize
702KB

MD5
228c70c1f3f7931565e579dfa23c9d16

SHA1
36b022abebcf57a83a1984d824e3d1046dc7bf31

SHA256
f853198fd10c73b320de1723a25dd35d17f61a0afde46f8e3a9a85efde306656

SHA512
a35a7168426d882a3f1e27948d2854ddfaa9f9fdc91c6cafeef7defbb74b608ce3d21dacf9fe3013483efe3fd861202a6c4f275f051604bd92d52cd588961097

Download Submit
memory/2488-141-0x0000000000000000-mapping.dmp

Download
memory/4144-130-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4144-131-0x0000000004B50000-0x00000000050F4000-memory.dmp

Filesize
5.6MB

Download
memory/4144-132-0x00000000049B0000-0x0000000004A42000-memory.dmp

Filesize
584KB

Download
memory/4144-133-0x0000000004AF0000-0x0000000004AFA000-memory.dmp

Filesize
40KB

Download
memory/4636-134-0x0000000000000000-mapping.dmp

Download
memory/4636-137-0x00000000005A0000-0x0000000000656000-memory.dmp

Filesize
728KB

Download
memory/4636-138-0x00000000050D0000-0x0000000005136000-memory.dmp

Filesize
408KB

Download
memory/4636-139-0x0000000005CF0000-0x0000000005D02000-memory.dmp

Filesize
72KB

Download
memory/4636-140-0x0000000006120000-0x000000000615C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads