quasar | 9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0

General

Target

9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0.exe
Size

745KB
MD5

0a588640568e7bd33dd2872290a6eb70
SHA1

5c0a792f29b5ef554610ba03e96aa5efb270be6b
SHA256

9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0
SHA512

810921ec9f7b15ed8d078115135ed93e180584833b1a650126dcbc3161c7f304c4307dba31fde9cff63878407ca78652c7935d8c507bcd46c80cd796912d13e3

Score

10^/10

quasar venomrat office1 evasion rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office1

C2

87.106.127.109:3001

77.140.68.143:1505

Mutex

VNM_MUTEX_gTPFm8k25PBsfiiP7j

Attributes

encryption_key
aKWJnjdCvq0zlemCXxTu
install_name
serveur.exe
log_directory
Logs
reconnect_delay
3000
startup_key
serveur
subdirectory
serveur

Signatures

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\$77out0.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\$77out0.exe	disable_win_def
behavioral2/memory/4320-133-0x00000000000D0000-0x000000000015C000-memory.dmp	disable_win_def
C:\Users\Admin\AppData\Roaming\serveur\serveur.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\serveur\serveur.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\$77out0.exe	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\$77out0.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\$77out0.exe	family_quasar
behavioral2/memory/4320-133-0x00000000000D0000-0x000000000015C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\serveur\serveur.exe	family_quasar
C:\Users\Admin\AppData\Roaming\serveur\serveur.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\$77out0.exe	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
Executes dropped EXE 3 IoCs

Processes:

$77out0.exeserveur.exe$77out0.exe

pid process

4320 $77out0.exe
4532 serveur.exe
4632 $77out0.exe

pid	process
4320	$77out0.exe
4532	serveur.exe
4632	$77out0.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

$77out0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	$77out0.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

$77out0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	$77out0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	$77out0.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4964 schtasks.exe
3164 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2456 PING.EXE

flow	ioc
11	ip-api.com

pid	process
4964	schtasks.exe
3164	schtasks.exe

pid	process
2456	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exe$77out0.exe$77out0.exe

pid	process
3200	powershell.exe
3200	powershell.exe
4320	$77out0.exe
4320	$77out0.exe
4320	$77out0.exe
4320	$77out0.exe
4320	$77out0.exe
4320	$77out0.exe
4320	$77out0.exe
4632	$77out0.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

$77out0.exepowershell.exeserveur.exe$77out0.exe

description	pid	process
Token: SeDebugPrivilege	4320	$77out0.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	4532	serveur.exe
Token: SeDebugPrivilege	4532	serveur.exe
Token: SeDebugPrivilege	4632	$77out0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

serveur.exe

pid process

4532 serveur.exe

pid	process
4532	serveur.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0.exe$77out0.exeserveur.execmd.execmd.exe

description	pid	process	target process
PID 3840 wrote to memory of 4320	3840	9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0.exe	$77out0.exe
PID 3840 wrote to memory of 4320	3840	9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0.exe	$77out0.exe
PID 3840 wrote to memory of 4320	3840	9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0.exe	$77out0.exe
PID 4320 wrote to memory of 4964	4320	$77out0.exe	schtasks.exe
PID 4320 wrote to memory of 4964	4320	$77out0.exe	schtasks.exe
PID 4320 wrote to memory of 4964	4320	$77out0.exe	schtasks.exe
PID 4320 wrote to memory of 4532	4320	$77out0.exe	serveur.exe
PID 4320 wrote to memory of 4532	4320	$77out0.exe	serveur.exe
PID 4320 wrote to memory of 4532	4320	$77out0.exe	serveur.exe
PID 4320 wrote to memory of 3200	4320	$77out0.exe	powershell.exe
PID 4320 wrote to memory of 3200	4320	$77out0.exe	powershell.exe
PID 4320 wrote to memory of 3200	4320	$77out0.exe	powershell.exe
PID 4532 wrote to memory of 3164	4532	serveur.exe	schtasks.exe
PID 4532 wrote to memory of 3164	4532	serveur.exe	schtasks.exe
PID 4532 wrote to memory of 3164	4532	serveur.exe	schtasks.exe
PID 4320 wrote to memory of 1316	4320	$77out0.exe	cmd.exe
PID 4320 wrote to memory of 1316	4320	$77out0.exe	cmd.exe
PID 4320 wrote to memory of 1316	4320	$77out0.exe	cmd.exe
PID 1316 wrote to memory of 876	1316	cmd.exe	cmd.exe
PID 1316 wrote to memory of 876	1316	cmd.exe	cmd.exe
PID 1316 wrote to memory of 876	1316	cmd.exe	cmd.exe
PID 4320 wrote to memory of 3980	4320	$77out0.exe	cmd.exe
PID 4320 wrote to memory of 3980	4320	$77out0.exe	cmd.exe
PID 4320 wrote to memory of 3980	4320	$77out0.exe	cmd.exe
PID 3980 wrote to memory of 448	3980	cmd.exe	chcp.com
PID 3980 wrote to memory of 448	3980	cmd.exe	chcp.com
PID 3980 wrote to memory of 448	3980	cmd.exe	chcp.com
PID 3980 wrote to memory of 2456	3980	cmd.exe	PING.EXE
PID 3980 wrote to memory of 2456	3980	cmd.exe	PING.EXE
PID 3980 wrote to memory of 2456	3980	cmd.exe	PING.EXE
PID 3980 wrote to memory of 4632	3980	cmd.exe	$77out0.exe
PID 3980 wrote to memory of 4632	3980	cmd.exe	$77out0.exe
PID 3980 wrote to memory of 4632	3980	cmd.exe	$77out0.exe

C:\Users\Admin\AppData\Local\Temp\9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0.exe
"C:\Users\Admin\AppData\Local\Temp\9f1b2d05b075d59a681cc69abc0bef2b5011cd86c0daf9ab2f20c019dfc594c0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Users\Admin\AppData\Local\Temp\$77out0.exe
  "C:\Users\Admin\AppData\Local\Temp\$77out0.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "serveur" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\$77out0.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4964
- - C:\Users\Admin\AppData\Roaming\serveur\serveur.exe
    "C:\Users\Admin\AppData\Roaming\serveur\serveur.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "serveur" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\serveur\serveur.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3164
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEzjKho1Ml1c.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:448
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\$77out0.exe
      "C:\Users\Admin\AppData\Local\Temp\$77out0.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\$77out0.exe.log

Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77out0.exe

Filesize
534KB

MD5
4dbbe9ca541651e5b3aa7cb6e4ba1952

SHA1
80b4d8be4452051df4fd94d3ba37ad2425320e8c

SHA256
3ef7951a6525ef9d36ec0673fb990c436872ecf6a76988ec17d62eadbcb52609

SHA512
e8959878ca4f7a0870991d524f08a8798556c4bf5b221757de1c41fc00e50fa2e2b88e840a99de9821626f2077360d1c40e7ba5779b84d24a873a861eabb0878

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77out0.exe

Filesize
534KB

MD5
4dbbe9ca541651e5b3aa7cb6e4ba1952

SHA1
80b4d8be4452051df4fd94d3ba37ad2425320e8c

SHA256
3ef7951a6525ef9d36ec0673fb990c436872ecf6a76988ec17d62eadbcb52609

SHA512
e8959878ca4f7a0870991d524f08a8798556c4bf5b221757de1c41fc00e50fa2e2b88e840a99de9821626f2077360d1c40e7ba5779b84d24a873a861eabb0878

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77out0.exe

Filesize
534KB

MD5
4dbbe9ca541651e5b3aa7cb6e4ba1952

SHA1
80b4d8be4452051df4fd94d3ba37ad2425320e8c

SHA256
3ef7951a6525ef9d36ec0673fb990c436872ecf6a76988ec17d62eadbcb52609

SHA512
e8959878ca4f7a0870991d524f08a8798556c4bf5b221757de1c41fc00e50fa2e2b88e840a99de9821626f2077360d1c40e7ba5779b84d24a873a861eabb0878

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEzjKho1Ml1c.bat

Filesize
204B

MD5
ce1bea042a6c392c3cdc278c7a2b0930

SHA1
9188bbac6262a2e8024ebcbadf70b82b986fa827

SHA256
83ed4ac8d04a26bb69b2a28c1489b2c77a398ea7a006952f6d9c51d4865f746d

SHA512
d70b8a9079ab39880e97abd3781b0a5dc70e08dc3f9b71c3df8d4eb2cbe5d862892ecf47863d3982f2e6b4090eb3095634eb602878093ece94376b1a7f085787

Download Submit
C:\Users\Admin\AppData\Roaming\serveur\serveur.exe

Filesize
534KB

MD5
4dbbe9ca541651e5b3aa7cb6e4ba1952

SHA1
80b4d8be4452051df4fd94d3ba37ad2425320e8c

SHA256
3ef7951a6525ef9d36ec0673fb990c436872ecf6a76988ec17d62eadbcb52609

SHA512
e8959878ca4f7a0870991d524f08a8798556c4bf5b221757de1c41fc00e50fa2e2b88e840a99de9821626f2077360d1c40e7ba5779b84d24a873a861eabb0878

Download Submit
C:\Users\Admin\AppData\Roaming\serveur\serveur.exe

Filesize
534KB

MD5
4dbbe9ca541651e5b3aa7cb6e4ba1952

SHA1
80b4d8be4452051df4fd94d3ba37ad2425320e8c

SHA256
3ef7951a6525ef9d36ec0673fb990c436872ecf6a76988ec17d62eadbcb52609

SHA512
e8959878ca4f7a0870991d524f08a8798556c4bf5b221757de1c41fc00e50fa2e2b88e840a99de9821626f2077360d1c40e7ba5779b84d24a873a861eabb0878

Download Submit
memory/448-165-0x0000000000000000-mapping.dmp

Download
memory/876-162-0x0000000000000000-mapping.dmp

Download
memory/1316-161-0x0000000000000000-mapping.dmp

Download
memory/2456-166-0x0000000000000000-mapping.dmp

Download
memory/3164-149-0x0000000000000000-mapping.dmp

Download
memory/3200-147-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/3200-158-0x00000000079C0000-0x00000000079CE000-memory.dmp

Filesize
56KB

Download
memory/3200-144-0x0000000002AF0000-0x0000000002B26000-memory.dmp

Filesize
216KB

Download
memory/3200-145-0x0000000005670000-0x0000000005C98000-memory.dmp

Filesize
6.2MB

Download
memory/3200-146-0x0000000005440000-0x0000000005462000-memory.dmp

Filesize
136KB

Download
memory/3200-148-0x0000000006480000-0x000000000649E000-memory.dmp

Filesize
120KB

Download
memory/3200-160-0x0000000007AB0000-0x0000000007AB8000-memory.dmp

Filesize
32KB

Download
memory/3200-159-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

Filesize
104KB

Download
memory/3200-143-0x0000000000000000-mapping.dmp

Download
memory/3200-151-0x0000000006A70000-0x0000000006AA2000-memory.dmp

Filesize
200KB

Download
memory/3200-152-0x000000006FFA0000-0x000000006FFEC000-memory.dmp

Filesize
304KB

Download
memory/3200-153-0x0000000006A30000-0x0000000006A4E000-memory.dmp

Filesize
120KB

Download
memory/3200-154-0x0000000007DD0000-0x000000000844A000-memory.dmp

Filesize
6.5MB

Download
memory/3200-155-0x0000000007780000-0x000000000779A000-memory.dmp

Filesize
104KB

Download
memory/3200-156-0x0000000007800000-0x000000000780A000-memory.dmp

Filesize
40KB

Download
memory/3200-157-0x0000000007A10000-0x0000000007AA6000-memory.dmp

Filesize
600KB

Download
memory/3980-163-0x0000000000000000-mapping.dmp

Download
memory/4320-134-0x0000000005160000-0x0000000005704000-memory.dmp

Filesize
5.6MB

Download
memory/4320-135-0x0000000004BB0000-0x0000000004C42000-memory.dmp

Filesize
584KB

Download
memory/4320-130-0x0000000000000000-mapping.dmp

Download
memory/4320-138-0x0000000005F60000-0x0000000005F9C000-memory.dmp

Filesize
240KB

Download
memory/4320-137-0x0000000005B30000-0x0000000005B42000-memory.dmp

Filesize
72KB

Download
memory/4320-133-0x00000000000D0000-0x000000000015C000-memory.dmp

Filesize
560KB

Download
memory/4320-136-0x0000000004B20000-0x0000000004B86000-memory.dmp

Filesize
408KB

Download
memory/4532-140-0x0000000000000000-mapping.dmp

Download
memory/4532-150-0x0000000006C20000-0x0000000006C2A000-memory.dmp

Filesize
40KB

Download
memory/4632-167-0x0000000000000000-mapping.dmp

Download
memory/4964-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads