quasar | 2cb24e62607d1f4eef2ee22dca37a4eda7b97ea9b3d96443102548fe90c3edc3

Analysis

max time kernel
143s
max time network
148s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
19-07-2022 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02962ce42a6b3910c33e9f9ace964bba.exe
Size

666KB
MD5

02962ce42a6b3910c33e9f9ace964bba
SHA1

565d1a5cc063503879c5bd0dffa2cfe4e5a2e627
SHA256

2cb24e62607d1f4eef2ee22dca37a4eda7b97ea9b3d96443102548fe90c3edc3
SHA512

96fd7e1a6cd7e2f87274af902c7c327d7f09b1c15861983691a6ddf6a44961175876f97cbf0e31e383a36037ebaac9350c0e96ac49b4940a5ef3cd24ce1a5969

Score

10^/10

quasar venomrat dcnitro01 rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

DCNITRO01

0.tcp.eu.ngrok.io:10352

Mutex

VNM_MUTEX_v9VGaskk4AIKeNY3U6

Attributes

encryption_key
UZHpvfEZMUzQVIJjvgWB
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
dc nitro(venom)
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1988-54-0x0000000000E40000-0x0000000000EEC000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1988-54-0x0000000000E40000-0x0000000000EEC000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1548 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

02962ce42a6b3910c33e9f9ace964bba.exe

description pid process

Token: SeDebugPrivilege 1988 02962ce42a6b3910c33e9f9ace964bba.exe
Token: SeDebugPrivilege 1988 02962ce42a6b3910c33e9f9ace964bba.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

02962ce42a6b3910c33e9f9ace964bba.exe

pid process

1988 02962ce42a6b3910c33e9f9ace964bba.exe

flow	ioc
1	ip-api.com

pid	process
1548	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1988	02962ce42a6b3910c33e9f9ace964bba.exe
Token: SeDebugPrivilege	1988	02962ce42a6b3910c33e9f9ace964bba.exe

pid	process
1988	02962ce42a6b3910c33e9f9ace964bba.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

02962ce42a6b3910c33e9f9ace964bba.exe

description	pid	process	target process
PID 1988 wrote to memory of 1548	1988	02962ce42a6b3910c33e9f9ace964bba.exe	schtasks.exe
PID 1988 wrote to memory of 1548	1988	02962ce42a6b3910c33e9f9ace964bba.exe	schtasks.exe
PID 1988 wrote to memory of 1548	1988	02962ce42a6b3910c33e9f9ace964bba.exe	schtasks.exe
PID 1988 wrote to memory of 1548	1988	02962ce42a6b3910c33e9f9ace964bba.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\02962ce42a6b3910c33e9f9ace964bba.exe
"C:\Users\Admin\AppData\Local\Temp\02962ce42a6b3910c33e9f9ace964bba.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "dc nitro(venom)" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\02962ce42a6b3910c33e9f9ace964bba.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1548-56-0x0000000000000000-mapping.dmp

Download
memory/1988-54-0x0000000000E40000-0x0000000000EEC000-memory.dmp

Filesize
688KB

Download
memory/1988-55-0x0000000075731000-0x0000000075733000-memory.dmp

Filesize
8KB

Download