quasar | ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86

Analysis

max time kernel
184s
max time network
201s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe
Size

534KB
MD5

45d84deec92077d7fdbd7f56091ed5ef
SHA1

f6be7aa7a72ed5c03cf25312833dc19db1c9eb76
SHA256

ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86
SHA512

3dc25114f43e73bd6fa8d8a06d41f2eebdfc55adffbfb1e4571f536f82b4677421400986e47883ca5a485aada4b61553a1e8b1b5bbbae1fe667205d3ea8769e8

Score

10^/10

quasar venomrat fadedrat evasion persistence rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

FadedRAT

66.191.218.42:6606

Mutex

VNM_MUTEX_vy60sMeB6q8c2CPqmk

Attributes

encryption_key
tI07nGR3B89O88FLmj05
install_name
zncodec.exe
log_directory
Logs
reconnect_delay
3000
startup_key
zncodec
subdirectory
rrcodex

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/900-54-0x0000000000F30000-0x0000000000FBC000-memory.dmp	disable_win_def
behavioral1/files/0x000a0000000122fb-57.dat	disable_win_def
behavioral1/files/0x000a0000000122fb-59.dat	disable_win_def
behavioral1/files/0x000a0000000122fb-60.dat	disable_win_def
behavioral1/memory/1708-62-0x0000000001260000-0x00000000012EC000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 5 IoCs

resource	yara_rule
behavioral1/memory/900-54-0x0000000000F30000-0x0000000000FBC000-memory.dmp	family_quasar
behavioral1/files/0x000a0000000122fb-57.dat	family_quasar
behavioral1/files/0x000a0000000122fb-59.dat	family_quasar
behavioral1/files/0x000a0000000122fb-60.dat	family_quasar
behavioral1/memory/1708-62-0x0000000001260000-0x00000000012EC000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Executes dropped EXE 1 IoCs

pid	Process
1708	zncodec.exe

Loads dropped DLL 1 IoCs

pid	Process
900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\zncodec = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe\""	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\zncodec = "\"C:\\Windows\\SysWOW64\\rrcodex\\zncodec.exe\""	zncodec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rrcodex\zncodec.exe	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe
File opened for modification	C:\Windows\SysWOW64\rrcodex\zncodec.exe	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe
File created	C:\Windows\SysWOW64\rrcodex\r77-x64.dll	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1208	schtasks.exe
1000	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
484	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1152	powershell.exe
900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe
900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe
900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe
900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe
900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe
900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe
900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe
1604	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe
Token: SeDebugPrivilege	1708	zncodec.exe
Token: SeDebugPrivilege	1708	zncodec.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	1604	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1708	zncodec.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1208	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	29
PID 900 wrote to memory of 1208	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	29
PID 900 wrote to memory of 1208	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	29
PID 900 wrote to memory of 1208	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	29
PID 900 wrote to memory of 1708	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	31
PID 900 wrote to memory of 1708	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	31
PID 900 wrote to memory of 1708	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	31
PID 900 wrote to memory of 1708	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	31
PID 900 wrote to memory of 1152	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	32
PID 900 wrote to memory of 1152	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	32
PID 900 wrote to memory of 1152	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	32
PID 900 wrote to memory of 1152	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	32
PID 1708 wrote to memory of 1000	1708	zncodec.exe	34
PID 1708 wrote to memory of 1000	1708	zncodec.exe	34
PID 1708 wrote to memory of 1000	1708	zncodec.exe	34
PID 1708 wrote to memory of 1000	1708	zncodec.exe	34
PID 900 wrote to memory of 1508	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	36
PID 900 wrote to memory of 1508	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	36
PID 900 wrote to memory of 1508	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	36
PID 900 wrote to memory of 1508	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	36
PID 1508 wrote to memory of 1344	1508	cmd.exe	38
PID 1508 wrote to memory of 1344	1508	cmd.exe	38
PID 1508 wrote to memory of 1344	1508	cmd.exe	38
PID 1508 wrote to memory of 1344	1508	cmd.exe	38
PID 900 wrote to memory of 764	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	39
PID 900 wrote to memory of 764	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	39
PID 900 wrote to memory of 764	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	39
PID 900 wrote to memory of 764	900	ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe	39
PID 764 wrote to memory of 556	764	cmd.exe	41
PID 764 wrote to memory of 556	764	cmd.exe	41
PID 764 wrote to memory of 556	764	cmd.exe	41
PID 764 wrote to memory of 556	764	cmd.exe	41
PID 764 wrote to memory of 484	764	cmd.exe	42
PID 764 wrote to memory of 484	764	cmd.exe	42
PID 764 wrote to memory of 484	764	cmd.exe	42
PID 764 wrote to memory of 484	764	cmd.exe	42
PID 764 wrote to memory of 1604	764	cmd.exe	43
PID 764 wrote to memory of 1604	764	cmd.exe	43
PID 764 wrote to memory of 1604	764	cmd.exe	43
PID 764 wrote to memory of 1604	764	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe
"C:\Users\Admin\AppData\Local\Temp\ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe"
1⤵
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "zncodec" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1208
- C:\Windows\SysWOW64\rrcodex\zncodec.exe
  "C:\Windows\SysWOW64\rrcodex\zncodec.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "zncodec" /sc ONLOGON /tr "C:\Windows\SysWOW64\rrcodex\zncodec.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    3⤵
    PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tVk4n00W3NWD.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:556
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:484
- - C:\Users\Admin\AppData\Local\Temp\ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe
    "C:\Users\Admin\AppData\Local\Temp\ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tVk4n00W3NWD.bat

Filesize
261B

MD5
fadb58fc16c27cd34c719f821ea5a8dc

SHA1
88628c399263030c8cccb86412bf21977375001e

SHA256
2f9503117edb1e0288e8b7bc8fbd36d907ba0604d84d99befd69505e928b718f

SHA512
8bbb94033b7c0846281941c351e2e6ce3872e721efd52100a5472e31344213c9b41dd38d012f44c79e1777645e49ad0925ee5c28ce5166cbd9a3ef744a48336d

Download Submit
C:\Windows\SysWOW64\rrcodex\zncodec.exe

Filesize
534KB

MD5
45d84deec92077d7fdbd7f56091ed5ef

SHA1
f6be7aa7a72ed5c03cf25312833dc19db1c9eb76

SHA256
ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86

SHA512
3dc25114f43e73bd6fa8d8a06d41f2eebdfc55adffbfb1e4571f536f82b4677421400986e47883ca5a485aada4b61553a1e8b1b5bbbae1fe667205d3ea8769e8

Download Submit
C:\Windows\SysWOW64\rrcodex\zncodec.exe

Filesize
534KB

MD5
45d84deec92077d7fdbd7f56091ed5ef

SHA1
f6be7aa7a72ed5c03cf25312833dc19db1c9eb76

SHA256
ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86

SHA512
3dc25114f43e73bd6fa8d8a06d41f2eebdfc55adffbfb1e4571f536f82b4677421400986e47883ca5a485aada4b61553a1e8b1b5bbbae1fe667205d3ea8769e8

Download Submit
\Windows\SysWOW64\rrcodex\zncodec.exe

Filesize
534KB

MD5
45d84deec92077d7fdbd7f56091ed5ef

SHA1
f6be7aa7a72ed5c03cf25312833dc19db1c9eb76

SHA256
ecbe1cbab7710a6b7c33166eeeb192b981047c7fa0989fe6e0e403f79cb1dc86

SHA512
3dc25114f43e73bd6fa8d8a06d41f2eebdfc55adffbfb1e4571f536f82b4677421400986e47883ca5a485aada4b61553a1e8b1b5bbbae1fe667205d3ea8769e8

Download Submit
memory/900-54-0x0000000000F30000-0x0000000000FBC000-memory.dmp

Filesize
560KB

Download
memory/900-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1152-66-0x000000006ECD0000-0x000000006F27B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-62-0x0000000001260000-0x00000000012EC000-memory.dmp

Filesize
560KB

Download