quasar | 9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0

Analysis

max time kernel
146s
max time network
156s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0.exe
Size

745KB
MD5

0a588640568e7bd33dd2872290a6eb70
SHA1

5c0a792f29b5ef554610ba03e96aa5efb270be6b
SHA256

9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0
SHA512

810921ec9f7b15ed8d078115135ed93e180584833b1a650126dcbc3161c7f304c4307dba31fde9cff63878407ca78652c7935d8c507bcd46c80cd796912d13e3

Score

10^/10

quasar venomrat office1 evasion rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office1

87.106.127.109:3001

77.140.68.143:1505

Mutex

VNM_MUTEX_gTPFm8k25PBsfiiP7j

Attributes

encryption_key
aKWJnjdCvq0zlemCXxTu
install_name
serveur.exe
log_directory
Logs
reconnect_delay
3000
startup_key
serveur
subdirectory
serveur

Signatures

Contains code to disable Windows Defender 11 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/files/0x0005000000004ed7-55.dat	disable_win_def
behavioral1/files/0x0005000000004ed7-57.dat	disable_win_def
behavioral1/files/0x0005000000004ed7-58.dat	disable_win_def
behavioral1/memory/1648-59-0x0000000000080000-0x000000000010C000-memory.dmp	disable_win_def
behavioral1/files/0x00090000000142c4-62.dat	disable_win_def
behavioral1/files/0x00090000000142c4-64.dat	disable_win_def
behavioral1/files/0x00090000000142c4-65.dat	disable_win_def
behavioral1/memory/1328-66-0x0000000000100000-0x000000000018C000-memory.dmp	disable_win_def
behavioral1/files/0x0005000000004ed7-78.dat	disable_win_def
behavioral1/files/0x0005000000004ed7-80.dat	disable_win_def
behavioral1/memory/1800-81-0x00000000003D0000-0x000000000045C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0005000000004ed7-55.dat	family_quasar
behavioral1/files/0x0005000000004ed7-57.dat	family_quasar
behavioral1/files/0x0005000000004ed7-58.dat	family_quasar
behavioral1/memory/1648-59-0x0000000000080000-0x000000000010C000-memory.dmp	family_quasar
behavioral1/files/0x00090000000142c4-62.dat	family_quasar
behavioral1/files/0x00090000000142c4-64.dat	family_quasar
behavioral1/files/0x00090000000142c4-65.dat	family_quasar
behavioral1/memory/1328-66-0x0000000000100000-0x000000000018C000-memory.dmp	family_quasar
behavioral1/files/0x0005000000004ed7-78.dat	family_quasar
behavioral1/files/0x0005000000004ed7-80.dat	family_quasar
behavioral1/memory/1800-81-0x00000000003D0000-0x000000000045C000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Executes dropped EXE 3 IoCs

Processes:

$77out0.exeserveur.exe$77out0.exe

pid	Process
1648	$77out0.exe
1328	serveur.exe
1800	$77out0.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1944	cmd.exe

Loads dropped DLL 3 IoCs

Processes:

9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0.exe$77out0.execmd.exe

pid	Process
1480	9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0.exe
1648	$77out0.exe
1428	cmd.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

$77out0.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	$77out0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	$77out0.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
2008	schtasks.exe
620	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1116	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exe$77out0.exe$77out0.exe

pid	Process
1684	powershell.exe
1648	$77out0.exe
1648	$77out0.exe
1648	$77out0.exe
1648	$77out0.exe
1648	$77out0.exe
1648	$77out0.exe
1648	$77out0.exe
1800	$77out0.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

$77out0.exeserveur.exepowershell.exe$77out0.exe

description	pid	Process
Token: SeDebugPrivilege	1648	$77out0.exe
Token: SeDebugPrivilege	1328	serveur.exe
Token: SeDebugPrivilege	1328	serveur.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1800	$77out0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

serveur.exe

pid	Process
1328	serveur.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0.exe$77out0.exeserveur.execmd.execmd.exe

description	pid	Process	procid_target
PID 1480 wrote to memory of 1648	1480	9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0.exe	26
PID 1480 wrote to memory of 1648	1480	9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0.exe	26
PID 1480 wrote to memory of 1648	1480	9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0.exe	26
PID 1480 wrote to memory of 1648	1480	9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0.exe	26
PID 1648 wrote to memory of 2008	1648	$77out0.exe	28
PID 1648 wrote to memory of 2008	1648	$77out0.exe	28
PID 1648 wrote to memory of 2008	1648	$77out0.exe	28
PID 1648 wrote to memory of 2008	1648	$77out0.exe	28
PID 1648 wrote to memory of 1328	1648	$77out0.exe	30
PID 1648 wrote to memory of 1328	1648	$77out0.exe	30
PID 1648 wrote to memory of 1328	1648	$77out0.exe	30
PID 1648 wrote to memory of 1328	1648	$77out0.exe	30
PID 1648 wrote to memory of 1684	1648	$77out0.exe	31
PID 1648 wrote to memory of 1684	1648	$77out0.exe	31
PID 1648 wrote to memory of 1684	1648	$77out0.exe	31
PID 1648 wrote to memory of 1684	1648	$77out0.exe	31
PID 1328 wrote to memory of 620	1328	serveur.exe	33
PID 1328 wrote to memory of 620	1328	serveur.exe	33
PID 1328 wrote to memory of 620	1328	serveur.exe	33
PID 1328 wrote to memory of 620	1328	serveur.exe	33
PID 1648 wrote to memory of 580	1648	$77out0.exe	35
PID 1648 wrote to memory of 580	1648	$77out0.exe	35
PID 1648 wrote to memory of 580	1648	$77out0.exe	35
PID 1648 wrote to memory of 580	1648	$77out0.exe	35
PID 580 wrote to memory of 1944	580	cmd.exe	37
PID 580 wrote to memory of 1944	580	cmd.exe	37
PID 580 wrote to memory of 1944	580	cmd.exe	37
PID 580 wrote to memory of 1944	580	cmd.exe	37
PID 1648 wrote to memory of 1428	1648	$77out0.exe	38
PID 1648 wrote to memory of 1428	1648	$77out0.exe	38
PID 1648 wrote to memory of 1428	1648	$77out0.exe	38
PID 1648 wrote to memory of 1428	1648	$77out0.exe	38
PID 1428 wrote to memory of 960	1428	cmd.exe	40
PID 1428 wrote to memory of 960	1428	cmd.exe	40
PID 1428 wrote to memory of 960	1428	cmd.exe	40
PID 1428 wrote to memory of 960	1428	cmd.exe	40
PID 1428 wrote to memory of 1116	1428	cmd.exe	41
PID 1428 wrote to memory of 1116	1428	cmd.exe	41
PID 1428 wrote to memory of 1116	1428	cmd.exe	41
PID 1428 wrote to memory of 1116	1428	cmd.exe	41
PID 1428 wrote to memory of 1800	1428	cmd.exe	42
PID 1428 wrote to memory of 1800	1428	cmd.exe	42
PID 1428 wrote to memory of 1800	1428	cmd.exe	42
PID 1428 wrote to memory of 1800	1428	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0.exe
"C:\Users\Admin\AppData\Local\Temp\9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\$77out0.exe
  "C:\Users\Admin\AppData\Local\Temp\$77out0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "serveur" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\$77out0.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2008
- - C:\Users\Admin\AppData\Roaming\serveur\serveur.exe
    "C:\Users\Admin\AppData\Roaming\serveur\serveur.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "serveur" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\serveur\serveur.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:620
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      Deletes itself
      PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\63L6vR6XIlVq.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:960
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\$77out0.exe
      "C:\Users\Admin\AppData\Local\Temp\$77out0.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$77out0.exe

Filesize
534KB

MD5
4dbbe9ca541651e5b3aa7cb6e4ba1952

SHA1
80b4d8be4452051df4fd94d3ba37ad2425320e8c

SHA256
3ef7951a6525ef9d36ec0673fb990c436872ecf6a76988ec17d62eadbcb52609

SHA512
e8959878ca4f7a0870991d524f08a8798556c4bf5b221757de1c41fc00e50fa2e2b88e840a99de9821626f2077360d1c40e7ba5779b84d24a873a861eabb0878

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77out0.exe

Filesize
534KB

MD5
4dbbe9ca541651e5b3aa7cb6e4ba1952

SHA1
80b4d8be4452051df4fd94d3ba37ad2425320e8c

SHA256
3ef7951a6525ef9d36ec0673fb990c436872ecf6a76988ec17d62eadbcb52609

SHA512
e8959878ca4f7a0870991d524f08a8798556c4bf5b221757de1c41fc00e50fa2e2b88e840a99de9821626f2077360d1c40e7ba5779b84d24a873a861eabb0878

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77out0.exe

Filesize
534KB

MD5
4dbbe9ca541651e5b3aa7cb6e4ba1952

SHA1
80b4d8be4452051df4fd94d3ba37ad2425320e8c

SHA256
3ef7951a6525ef9d36ec0673fb990c436872ecf6a76988ec17d62eadbcb52609

SHA512
e8959878ca4f7a0870991d524f08a8798556c4bf5b221757de1c41fc00e50fa2e2b88e840a99de9821626f2077360d1c40e7ba5779b84d24a873a861eabb0878

Download Submit
C:\Users\Admin\AppData\Local\Temp\63L6vR6XIlVq.bat

Filesize
204B

MD5
7543c432931a1585fe7fa53fe1b7f80f

SHA1
244499bad968bb15314e56b872f19528d20def4b

SHA256
2e362bf1d11538c55cd964f1dd4da7b788a8674c89ef0c4b0060f27844f56c50

SHA512
0f290ccb8a03d21cd94913afe9bf15fc7b761fb1293b8ec8b334662f4c09e802237ef65310beaf366c6d8a995909b239ac4aba247e1d5196c4fd14ebf05045ca

Download Submit
C:\Users\Admin\AppData\Roaming\serveur\serveur.exe

Filesize
534KB

MD5
4dbbe9ca541651e5b3aa7cb6e4ba1952

SHA1
80b4d8be4452051df4fd94d3ba37ad2425320e8c

SHA256
3ef7951a6525ef9d36ec0673fb990c436872ecf6a76988ec17d62eadbcb52609

SHA512
e8959878ca4f7a0870991d524f08a8798556c4bf5b221757de1c41fc00e50fa2e2b88e840a99de9821626f2077360d1c40e7ba5779b84d24a873a861eabb0878

Download Submit
C:\Users\Admin\AppData\Roaming\serveur\serveur.exe

Filesize
534KB

MD5
4dbbe9ca541651e5b3aa7cb6e4ba1952

SHA1
80b4d8be4452051df4fd94d3ba37ad2425320e8c

SHA256
3ef7951a6525ef9d36ec0673fb990c436872ecf6a76988ec17d62eadbcb52609

SHA512
e8959878ca4f7a0870991d524f08a8798556c4bf5b221757de1c41fc00e50fa2e2b88e840a99de9821626f2077360d1c40e7ba5779b84d24a873a861eabb0878

Download Submit
\Users\Admin\AppData\Local\Temp\$77out0.exe

Filesize
534KB

MD5
4dbbe9ca541651e5b3aa7cb6e4ba1952

SHA1
80b4d8be4452051df4fd94d3ba37ad2425320e8c

SHA256
3ef7951a6525ef9d36ec0673fb990c436872ecf6a76988ec17d62eadbcb52609

SHA512
e8959878ca4f7a0870991d524f08a8798556c4bf5b221757de1c41fc00e50fa2e2b88e840a99de9821626f2077360d1c40e7ba5779b84d24a873a861eabb0878

Download Submit
\Users\Admin\AppData\Local\Temp\$77out0.exe

Filesize
534KB

MD5
4dbbe9ca541651e5b3aa7cb6e4ba1952

SHA1
80b4d8be4452051df4fd94d3ba37ad2425320e8c

SHA256
3ef7951a6525ef9d36ec0673fb990c436872ecf6a76988ec17d62eadbcb52609

SHA512
e8959878ca4f7a0870991d524f08a8798556c4bf5b221757de1c41fc00e50fa2e2b88e840a99de9821626f2077360d1c40e7ba5779b84d24a873a861eabb0878

Download Submit
\Users\Admin\AppData\Roaming\serveur\serveur.exe

Filesize
534KB

MD5
4dbbe9ca541651e5b3aa7cb6e4ba1952

SHA1
80b4d8be4452051df4fd94d3ba37ad2425320e8c

SHA256
3ef7951a6525ef9d36ec0673fb990c436872ecf6a76988ec17d62eadbcb52609

SHA512
e8959878ca4f7a0870991d524f08a8798556c4bf5b221757de1c41fc00e50fa2e2b88e840a99de9821626f2077360d1c40e7ba5779b84d24a873a861eabb0878

Download Submit
memory/580-72-0x0000000000000000-mapping.dmp

Download
memory/620-70-0x0000000000000000-mapping.dmp

Download
memory/960-76-0x0000000000000000-mapping.dmp

Download
memory/1116-77-0x0000000000000000-mapping.dmp

Download
memory/1328-63-0x0000000000000000-mapping.dmp

Download
memory/1328-66-0x0000000000100000-0x000000000018C000-memory.dmp

Filesize
560KB

Download
memory/1428-74-0x0000000000000000-mapping.dmp

Download
memory/1480-54-0x0000000075871000-0x0000000075873000-memory.dmp

Filesize
8KB

Download
memory/1648-59-0x0000000000080000-0x000000000010C000-memory.dmp

Filesize
560KB

Download
memory/1648-56-0x0000000000000000-mapping.dmp

Download
memory/1684-68-0x0000000000000000-mapping.dmp

Download
memory/1684-71-0x000000006E810000-0x000000006EDBB000-memory.dmp

Filesize
5.7MB

Download
memory/1800-79-0x0000000000000000-mapping.dmp

Download
memory/1800-81-0x00000000003D0000-0x000000000045C000-memory.dmp

Filesize
560KB

Download
memory/1944-73-0x0000000000000000-mapping.dmp

Download
memory/2008-61-0x0000000000000000-mapping.dmp

Download