quasar | af1d446bb3abc47b5eacb7a00ebb1992be1c464cac5b0e4283b12f0500c3ad4e

General

Target

17e6bffaff1ea223913deb1bc78e74ae.exe
Size

534KB
MD5

17e6bffaff1ea223913deb1bc78e74ae
SHA1

67daf17f3c8f6d2169b24f9a3698921991bbba2f
SHA256

af1d446bb3abc47b5eacb7a00ebb1992be1c464cac5b0e4283b12f0500c3ad4e
SHA512

72086bdd67ce5c778a625d37d7069200747b70193742afee986ec3d58b3a4a5c95b206c91997faf5d3e46e7ab379955db5f033a8b10a4a4899ff6e6068c60ab6
SSDEEP

6144:l8fGABIgrx8kFYLTiMkbMaOcXL/Tb88ASigvCcD+6cfsfiTDpxUKl3Gy3V8/GV0S:EPx7FYPiMNA/flvCcqTsfGpxLl+u

Score

10^/10

quasar venomrat asdf evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

asdf

C2

checkme12.freeddns.org:1604

Mutex

VNM_MUTEX_yidaALoSEROfTPWHwX

Attributes

encryption_key
TbfVFQWqb0uiZoBjJ9E9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
UPX

Signatures

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1600-54-0x0000000000A70000-0x0000000000AFC000-memory.dmp	disable_win_def
\Users\Admin\AppData\Roaming\UPX\Client.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\UPX\Client.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\UPX\Client.exe	disable_win_def
behavioral1/memory/320-61-0x0000000001370000-0x00000000013FC000-memory.dmp	disable_win_def
behavioral1/memory/908-75-0x00000000011E0000-0x000000000126C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

17e6bffaff1ea223913deb1bc78e74ae.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	17e6bffaff1ea223913deb1bc78e74ae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	17e6bffaff1ea223913deb1bc78e74ae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	17e6bffaff1ea223913deb1bc78e74ae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	17e6bffaff1ea223913deb1bc78e74ae.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1600-54-0x0000000000A70000-0x0000000000AFC000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\UPX\Client.exe	family_quasar
C:\Users\Admin\AppData\Roaming\UPX\Client.exe	family_quasar
C:\Users\Admin\AppData\Roaming\UPX\Client.exe	family_quasar
behavioral1/memory/320-61-0x0000000001370000-0x00000000013FC000-memory.dmp	family_quasar
behavioral1/memory/908-75-0x00000000011E0000-0x000000000126C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

320 Client.exe
Loads dropped DLL 1 IoCs

Processes:

17e6bffaff1ea223913deb1bc78e74ae.exe

pid process

1600 17e6bffaff1ea223913deb1bc78e74ae.exe

pid	process
320	Client.exe

pid	process
1600	17e6bffaff1ea223913deb1bc78e74ae.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

17e6bffaff1ea223913deb1bc78e74ae.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	17e6bffaff1ea223913deb1bc78e74ae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	17e6bffaff1ea223913deb1bc78e74ae.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

680 schtasks.exe
1088 schtasks.exe

flow	ioc
1	ip-api.com

pid	process
680	schtasks.exe
1088	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

17e6bffaff1ea223913deb1bc78e74ae.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	17e6bffaff1ea223913deb1bc78e74ae.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	17e6bffaff1ea223913deb1bc78e74ae.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1000 PING.EXE

pid	process
1000	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exe17e6bffaff1ea223913deb1bc78e74ae.exe17e6bffaff1ea223913deb1bc78e74ae.exe

pid	process
1716	powershell.exe
1600	17e6bffaff1ea223913deb1bc78e74ae.exe
1600	17e6bffaff1ea223913deb1bc78e74ae.exe
1600	17e6bffaff1ea223913deb1bc78e74ae.exe
1600	17e6bffaff1ea223913deb1bc78e74ae.exe
1600	17e6bffaff1ea223913deb1bc78e74ae.exe
1600	17e6bffaff1ea223913deb1bc78e74ae.exe
1600	17e6bffaff1ea223913deb1bc78e74ae.exe
908	17e6bffaff1ea223913deb1bc78e74ae.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

17e6bffaff1ea223913deb1bc78e74ae.exepowershell.exeClient.exe17e6bffaff1ea223913deb1bc78e74ae.exe

description	pid	process
Token: SeDebugPrivilege	1600	17e6bffaff1ea223913deb1bc78e74ae.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	320	Client.exe
Token: SeDebugPrivilege	320	Client.exe
Token: SeDebugPrivilege	908	17e6bffaff1ea223913deb1bc78e74ae.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

320 Client.exe

pid	process
320	Client.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

17e6bffaff1ea223913deb1bc78e74ae.exeClient.execmd.execmd.exe

description	pid	process	target process
PID 1600 wrote to memory of 680	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	schtasks.exe
PID 1600 wrote to memory of 680	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	schtasks.exe
PID 1600 wrote to memory of 680	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	schtasks.exe
PID 1600 wrote to memory of 680	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	schtasks.exe
PID 1600 wrote to memory of 320	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	Client.exe
PID 1600 wrote to memory of 320	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	Client.exe
PID 1600 wrote to memory of 320	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	Client.exe
PID 1600 wrote to memory of 320	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	Client.exe
PID 1600 wrote to memory of 1716	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	powershell.exe
PID 1600 wrote to memory of 1716	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	powershell.exe
PID 1600 wrote to memory of 1716	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	powershell.exe
PID 1600 wrote to memory of 1716	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	powershell.exe
PID 320 wrote to memory of 1088	320	Client.exe	schtasks.exe
PID 320 wrote to memory of 1088	320	Client.exe	schtasks.exe
PID 320 wrote to memory of 1088	320	Client.exe	schtasks.exe
PID 320 wrote to memory of 1088	320	Client.exe	schtasks.exe
PID 1600 wrote to memory of 1964	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	cmd.exe
PID 1600 wrote to memory of 1964	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	cmd.exe
PID 1600 wrote to memory of 1964	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	cmd.exe
PID 1600 wrote to memory of 1964	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	cmd.exe
PID 1964 wrote to memory of 616	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 616	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 616	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 616	1964	cmd.exe	cmd.exe
PID 1600 wrote to memory of 1312	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	cmd.exe
PID 1600 wrote to memory of 1312	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	cmd.exe
PID 1600 wrote to memory of 1312	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	cmd.exe
PID 1600 wrote to memory of 1312	1600	17e6bffaff1ea223913deb1bc78e74ae.exe	cmd.exe
PID 1312 wrote to memory of 792	1312	cmd.exe	chcp.com
PID 1312 wrote to memory of 792	1312	cmd.exe	chcp.com
PID 1312 wrote to memory of 792	1312	cmd.exe	chcp.com
PID 1312 wrote to memory of 792	1312	cmd.exe	chcp.com
PID 1312 wrote to memory of 1000	1312	cmd.exe	PING.EXE
PID 1312 wrote to memory of 1000	1312	cmd.exe	PING.EXE
PID 1312 wrote to memory of 1000	1312	cmd.exe	PING.EXE
PID 1312 wrote to memory of 1000	1312	cmd.exe	PING.EXE
PID 1312 wrote to memory of 908	1312	cmd.exe	17e6bffaff1ea223913deb1bc78e74ae.exe
PID 1312 wrote to memory of 908	1312	cmd.exe	17e6bffaff1ea223913deb1bc78e74ae.exe
PID 1312 wrote to memory of 908	1312	cmd.exe	17e6bffaff1ea223913deb1bc78e74ae.exe
PID 1312 wrote to memory of 908	1312	cmd.exe	17e6bffaff1ea223913deb1bc78e74ae.exe

C:\Users\Admin\AppData\Local\Temp\17e6bffaff1ea223913deb1bc78e74ae.exe
"C:\Users\Admin\AppData\Local\Temp\17e6bffaff1ea223913deb1bc78e74ae.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Loads dropped DLL
- Windows security modification
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\17e6bffaff1ea223913deb1bc78e74ae.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:680
- C:\Users\Admin\AppData\Roaming\UPX\Client.exe
  "C:\Users\Admin\AppData\Roaming\UPX\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\UPX\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1088
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    3⤵
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\qN7NRcg3Hkvg.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:792
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:1000
- - C:\Users\Admin\AppData\Local\Temp\17e6bffaff1ea223913deb1bc78e74ae.exe
    "C:\Users\Admin\AppData\Local\Temp\17e6bffaff1ea223913deb1bc78e74ae.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

2

T1089

Install Root Certificate

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qN7NRcg3Hkvg.bat

Filesize
229B

MD5
8cf8b542a0bf5cf916a2e0c499fba2e8

SHA1
38e5f6880c86f204fbdf5cd87333b17bffa1cce5

SHA256
712a6b7f8f3afc98d75b6c9d547f7a8a515dbba3084d205cd23a70a0afb4bb66

SHA512
b5e6dafe6e82b98fbd942eb4741e6582dbffd4395438534efa9da1ceb9889ad89840cea00ffda381105f187b78dd5a54dd270296a67f178521b487f16be78eab

Download Submit
C:\Users\Admin\AppData\Roaming\UPX\Client.exe

Filesize
534KB

MD5
17e6bffaff1ea223913deb1bc78e74ae

SHA1
67daf17f3c8f6d2169b24f9a3698921991bbba2f

SHA256
af1d446bb3abc47b5eacb7a00ebb1992be1c464cac5b0e4283b12f0500c3ad4e

SHA512
72086bdd67ce5c778a625d37d7069200747b70193742afee986ec3d58b3a4a5c95b206c91997faf5d3e46e7ab379955db5f033a8b10a4a4899ff6e6068c60ab6

Download Submit
C:\Users\Admin\AppData\Roaming\UPX\Client.exe

Filesize
534KB

MD5
17e6bffaff1ea223913deb1bc78e74ae

SHA1
67daf17f3c8f6d2169b24f9a3698921991bbba2f

SHA256
af1d446bb3abc47b5eacb7a00ebb1992be1c464cac5b0e4283b12f0500c3ad4e

SHA512
72086bdd67ce5c778a625d37d7069200747b70193742afee986ec3d58b3a4a5c95b206c91997faf5d3e46e7ab379955db5f033a8b10a4a4899ff6e6068c60ab6

Download Submit
\Users\Admin\AppData\Roaming\UPX\Client.exe

Filesize
534KB

MD5
17e6bffaff1ea223913deb1bc78e74ae

SHA1
67daf17f3c8f6d2169b24f9a3698921991bbba2f

SHA256
af1d446bb3abc47b5eacb7a00ebb1992be1c464cac5b0e4283b12f0500c3ad4e

SHA512
72086bdd67ce5c778a625d37d7069200747b70193742afee986ec3d58b3a4a5c95b206c91997faf5d3e46e7ab379955db5f033a8b10a4a4899ff6e6068c60ab6

Download Submit
memory/320-58-0x0000000000000000-mapping.dmp

Download
memory/320-61-0x0000000001370000-0x00000000013FC000-memory.dmp

Filesize
560KB

Download
memory/616-69-0x0000000000000000-mapping.dmp

Download
memory/680-56-0x0000000000000000-mapping.dmp

Download
memory/792-72-0x0000000000000000-mapping.dmp

Download
memory/908-75-0x00000000011E0000-0x000000000126C000-memory.dmp

Filesize
560KB

Download
memory/908-74-0x0000000000000000-mapping.dmp

Download
memory/1000-73-0x0000000000000000-mapping.dmp

Download
memory/1088-65-0x0000000000000000-mapping.dmp

Download
memory/1312-70-0x0000000000000000-mapping.dmp

Download
memory/1600-54-0x0000000000A70000-0x0000000000AFC000-memory.dmp

Filesize
560KB

Download
memory/1600-55-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1716-63-0x0000000000000000-mapping.dmp

Download
memory/1716-67-0x000000006EC60000-0x000000006F20B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-66-0x000000006EC60000-0x000000006F20B000-memory.dmp

Filesize
5.7MB

Download
memory/1964-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads