quasar | 19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd

General

Target

19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd.exe
Size

610KB
MD5

783dde94a3c4fdad4663bc9e370e9de8
SHA1

262fa6fe51d779ae988d6b99ac8ee37d71c75064
SHA256

19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd
SHA512

a41f2f23272e55d9b275f868439758618f96c30fe47fd433431b07322f135fcbba3c43be199aba86160abe5e362e44ce9aa862bbf48cd0a33b716b278ec565b8

Score

10^/10

quasar venomrat svhost evasion persistence rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_rHOHbrAQKctPD4d68w

Attributes

encryption_key
rDFwhCyuKMqXO7llDpB2
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe	disable_win_def
behavioral2/memory/1184-138-0x0000000000CB0000-0x0000000000D5A000-memory.dmp	disable_win_def
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe	family_quasar
behavioral2/memory/1184-138-0x0000000000CB0000-0x0000000000D5A000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata
Executes dropped EXE 2 IoCs

Processes:

Pnabmtbcti.exeClient.exe

pid process

1184 Pnabmtbcti.exe
4868 Client.exe

pid	process
1184	Pnabmtbcti.exe
4868	Client.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Pnabmtbcti.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Pnabmtbcti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Pnabmtbcti.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Pnabmtbcti.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Venom Client Startup = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Pnabmtbcti.exe\""	Pnabmtbcti.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

58 api.ipify.org
48 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3628 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Pnabmtbcti.exe

description pid process

Token: SeDebugPrivilege 1184 Pnabmtbcti.exe

flow	ioc
58	api.ipify.org
48	ip-api.com

pid	process
3628	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1184	Pnabmtbcti.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd.exePnabmtbcti.exe

description	pid	process	target process
PID 4932 wrote to memory of 1184	4932	19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd.exe	Pnabmtbcti.exe
PID 4932 wrote to memory of 1184	4932	19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd.exe	Pnabmtbcti.exe
PID 4932 wrote to memory of 1184	4932	19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd.exe	Pnabmtbcti.exe
PID 1184 wrote to memory of 3628	1184	Pnabmtbcti.exe	schtasks.exe
PID 1184 wrote to memory of 3628	1184	Pnabmtbcti.exe	schtasks.exe
PID 1184 wrote to memory of 3628	1184	Pnabmtbcti.exe	schtasks.exe
PID 1184 wrote to memory of 4868	1184	Pnabmtbcti.exe	Client.exe
PID 1184 wrote to memory of 4868	1184	Pnabmtbcti.exe	Client.exe
PID 1184 wrote to memory of 4868	1184	Pnabmtbcti.exe	Client.exe

C:\Users\Admin\AppData\Local\Temp\19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd.exe
"C:\Users\Admin\AppData\Local\Temp\19f0abf0648c4c993b02b50b4e35224b64ff45b9748dd9dc36c68cf1b42dcbdd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe
  "C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe"
  2⤵
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3628
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:4868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe

Filesize
655KB

MD5
43e5556cab3ba9cd353b0c6cf1548d75

SHA1
64cf51c0d612cb6276e59639071406c1d2e86702

SHA256
286ea33997e28cad2651bc27c091e45c3502c4c7f69e4f28965bf846cf9528b8

SHA512
edde4a5af40e65afbe4e212e356879277f9641e4b8d46950fed33397754fe87ff81a337623e6c5202776e1636cefcd58f0ed94a212e8dd25ba427a017fcb2bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pnabmtbcti.exe

Filesize
655KB

MD5
43e5556cab3ba9cd353b0c6cf1548d75

SHA1
64cf51c0d612cb6276e59639071406c1d2e86702

SHA256
286ea33997e28cad2651bc27c091e45c3502c4c7f69e4f28965bf846cf9528b8

SHA512
edde4a5af40e65afbe4e212e356879277f9641e4b8d46950fed33397754fe87ff81a337623e6c5202776e1636cefcd58f0ed94a212e8dd25ba427a017fcb2bdf

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
655KB

MD5
43e5556cab3ba9cd353b0c6cf1548d75

SHA1
64cf51c0d612cb6276e59639071406c1d2e86702

SHA256
286ea33997e28cad2651bc27c091e45c3502c4c7f69e4f28965bf846cf9528b8

SHA512
edde4a5af40e65afbe4e212e356879277f9641e4b8d46950fed33397754fe87ff81a337623e6c5202776e1636cefcd58f0ed94a212e8dd25ba427a017fcb2bdf

Download Submit
memory/1184-140-0x00000000065F0000-0x0000000006602000-memory.dmp

Filesize
72KB

Download
memory/1184-135-0x0000000000000000-mapping.dmp

Download
memory/1184-138-0x0000000000CB0000-0x0000000000D5A000-memory.dmp

Filesize
680KB

Download
memory/1184-139-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/3628-141-0x0000000000000000-mapping.dmp

Download
memory/4868-142-0x0000000000000000-mapping.dmp

Download
memory/4932-134-0x0000000004F60000-0x0000000004F6A000-memory.dmp

Filesize
40KB

Download
memory/4932-133-0x0000000004890000-0x0000000004922000-memory.dmp

Filesize
584KB

Download
memory/4932-131-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4932-132-0x0000000004980000-0x0000000004F24000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads