quasar | 6d00a6b8d581813e8af3114968274f89978b40d400c8eef2bf7e09192f5ec9e6

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
18-07-2022 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfaa90c6e3aacd9d9b83a4f8f0f74b0a.exe
Size

534KB
MD5

bfaa90c6e3aacd9d9b83a4f8f0f74b0a
SHA1

85cc249e2cbf60761fb6de586a442bfc81052e36
SHA256

6d00a6b8d581813e8af3114968274f89978b40d400c8eef2bf7e09192f5ec9e6
SHA512

29d83e5f0e82f94c75874c382dc0c002ed90627b8441066c2dc2575ec1f6aff3973bc72915b767d5e54688da6043a3bcd294d26445d865462a11ddb88f0912a5

Score

10^/10

quasar venomrat office04 rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

127.0.0.1:4782

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
NTih4UsOfv91J9azm70k
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/2288-130-0x0000000000360000-0x00000000003EC000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2288-130-0x0000000000360000-0x00000000003EC000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 2
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 2
suricata
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
10	ip-api.com
14	api.ipify.org

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bfaa90c6e3aacd9d9b83a4f8f0f74b0a.exe

description	pid	Process
Token: SeDebugPrivilege	2288	bfaa90c6e3aacd9d9b83a4f8f0f74b0a.exe
Token: SeDebugPrivilege	2288	bfaa90c6e3aacd9d9b83a4f8f0f74b0a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

bfaa90c6e3aacd9d9b83a4f8f0f74b0a.exe

pid	Process
2288	bfaa90c6e3aacd9d9b83a4f8f0f74b0a.exe

C:\Users\Admin\AppData\Local\Temp\bfaa90c6e3aacd9d9b83a4f8f0f74b0a.exe
"C:\Users\Admin\AppData\Local\Temp\bfaa90c6e3aacd9d9b83a4f8f0f74b0a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2288-130-0x0000000000360000-0x00000000003EC000-memory.dmp

Filesize
560KB

Download
memory/2288-131-0x0000000005300000-0x00000000058A4000-memory.dmp

Filesize
5.6MB

Download
memory/2288-132-0x0000000004DF0000-0x0000000004E82000-memory.dmp

Filesize
584KB

Download
memory/2288-133-0x0000000005190000-0x00000000051F6000-memory.dmp

Filesize
408KB

Download
memory/2288-134-0x0000000005DC0000-0x0000000005DD2000-memory.dmp

Filesize
72KB

Download
memory/2288-135-0x0000000006820000-0x000000000682A000-memory.dmp

Filesize
40KB

Download