quasar | 0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72

General

Target

0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe
Size

555KB
MD5

ccf59a9ca800d77f057cdc4f521495c1
SHA1

7cdab49311072b2de9adc80c44bb60c323367321
SHA256

0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72
SHA512

7ba18a18d3af162ea408746b362d6d56027b76c3f3208e87cea43aa9023ac39e1fa000c95d8e02c45e974674dc327f26f3d6a4ce0b36b1ccb226036ed104596a

Score

10^/10

quasar venomrat office04 rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

Mju-49682.portmap.io:49682

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
SuO52LCbOLZpyY12QyzT
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/4364-132-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Quasar Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4364-132-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 ip-api.com

flow	ioc
21	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe

description	pid	process	target process
PID 688 set thread context of 4364	688	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

808 4364 WerFault.exe 0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4728 PING.EXE

pid	pid_target	process	target process
808	4364	WerFault.exe	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe

pid	process
4728	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe

description	pid	process
Token: SeDebugPrivilege	4364	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe
Token: SeDebugPrivilege	4364	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe

pid process

4364 0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe

pid	process
4364	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.execmd.exe

description	pid	process	target process
PID 688 wrote to memory of 4364	688	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe
PID 688 wrote to memory of 4364	688	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe
PID 688 wrote to memory of 4364	688	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe
PID 688 wrote to memory of 4364	688	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe
PID 688 wrote to memory of 4364	688	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe
PID 688 wrote to memory of 4364	688	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe
PID 688 wrote to memory of 4364	688	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe
PID 688 wrote to memory of 4364	688	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe
PID 4364 wrote to memory of 1104	4364	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe	cmd.exe
PID 4364 wrote to memory of 1104	4364	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe	cmd.exe
PID 4364 wrote to memory of 1104	4364	0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe	cmd.exe
PID 1104 wrote to memory of 4056	1104	cmd.exe	chcp.com
PID 1104 wrote to memory of 4056	1104	cmd.exe	chcp.com
PID 1104 wrote to memory of 4056	1104	cmd.exe	chcp.com
PID 1104 wrote to memory of 4728	1104	cmd.exe	PING.EXE
PID 1104 wrote to memory of 4728	1104	cmd.exe	PING.EXE
PID 1104 wrote to memory of 4728	1104	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe
"C:\Users\Admin\AppData\Local\Temp\0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:688
- C:\Users\Admin\AppData\Local\Temp\0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe
  "C:\Users\Admin\AppData\Local\Temp\0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMbWDKC2bibu.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4056
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:4728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 2216
    3⤵
    - Program crash
    PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4364 -ip 4364
1⤵
PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMbWDKC2bibu.bat

Filesize
261B

MD5
0a6db92df5ea6a2e42454ed87dea03b2

SHA1
e615a001fecc8198065075c399e636796ba6e07e

SHA256
d4455e900b9695629e88ac6f51a3d4f939cbbba3be31a4dce5cba1780e96dd3b

SHA512
25ee50db7573782ab140c2094661d796d9cd2d4184dff862dc27d248adf068072bbe9a0e219f9c6b19bd8b8a0e0c816a77771c085a55cc791e94c552dac1be73

Download Submit
memory/688-130-0x0000000000D50000-0x0000000000DE2000-memory.dmp

Filesize
584KB

Download
memory/1104-140-0x0000000000000000-mapping.dmp

Download
memory/4056-142-0x0000000000000000-mapping.dmp

Download
memory/4364-136-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/4364-135-0x0000000005660000-0x00000000056F2000-memory.dmp

Filesize
584KB

Download
memory/4364-137-0x0000000006680000-0x0000000006692000-memory.dmp

Filesize
72KB

Download
memory/4364-138-0x0000000006BE0000-0x0000000006C1C000-memory.dmp

Filesize
240KB

Download
memory/4364-139-0x0000000006F80000-0x0000000006F8A000-memory.dmp

Filesize
40KB

Download
memory/4364-134-0x0000000005CD0000-0x0000000006274000-memory.dmp

Filesize
5.6MB

Download
memory/4364-131-0x0000000000000000-mapping.dmp

Download
memory/4364-132-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4728-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads