quasar | 93361aea837c73c75f9067700572262e69d1cfbfa6634e7ea8f249701e1fdebb

Analysis

max time kernel
55s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15-10-2022 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dac30ab400ec6be2daa29718ea6d0a3e.exe
Size

867KB
MD5

dac30ab400ec6be2daa29718ea6d0a3e
SHA1

06320ebc648623885645657fd2a72a728f2441cd
SHA256

93361aea837c73c75f9067700572262e69d1cfbfa6634e7ea8f249701e1fdebb
SHA512

67f360d49625822199c133981c4077d88d9ec2347386858f33d08d6b6f37c15af0c56cf9772e0fb819072ab4b63b13eb334237ccd727ce91cad9b68ab47ec58c
SSDEEP

12288:3ARp0gFW4q6AD9/Gz8hQOFPA/OcMowPzQvEXpqCctQHNM:2igFW4qbx/GY7Y/jw7tICct4a

Score

10^/10

quasar venomrat asdf evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

asdf

checkme12.freeddns.org:1604

Mutex

VNM_MUTEX_yidaALoSEROfTPWHwX

Attributes

encryption_key
TbfVFQWqb0uiZoBjJ9E9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
UPX

Signatures

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/524-58-0x0000000000486C3E-mapping.dmp	disable_win_def
behavioral1/memory/524-57-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/524-60-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/524-62-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

RegSvcs.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	RegSvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	RegSvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	RegSvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	RegSvcs.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/524-58-0x0000000000486C3E-mapping.dmp	family_quasar
behavioral1/memory/524-57-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/524-60-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/524-62-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid	Process
320	Client.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1524	cmd.exe

Loads dropped DLL 1 IoCs

Processes:

RegSvcs.exe

pid	Process
524	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
7	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

dac30ab400ec6be2daa29718ea6d0a3e.exe

description	pid	Process	procid_target
PID 536 set thread context of 524	536	dac30ab400ec6be2daa29718ea6d0a3e.exe	29

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
1592	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1588	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRegSvcs.exe

pid	Process
1156	powershell.exe
524	RegSvcs.exe
524	RegSvcs.exe
524	RegSvcs.exe
524	RegSvcs.exe
524	RegSvcs.exe
524	RegSvcs.exe
524	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegSvcs.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	524	RegSvcs.exe
Token: SeDebugPrivilege	1156	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dac30ab400ec6be2daa29718ea6d0a3e.exe

pid	Process
536	dac30ab400ec6be2daa29718ea6d0a3e.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

dac30ab400ec6be2daa29718ea6d0a3e.exeRegSvcs.execmd.execmd.exe

description	pid	Process	procid_target
PID 536 wrote to memory of 524	536	dac30ab400ec6be2daa29718ea6d0a3e.exe	29
PID 536 wrote to memory of 524	536	dac30ab400ec6be2daa29718ea6d0a3e.exe	29
PID 536 wrote to memory of 524	536	dac30ab400ec6be2daa29718ea6d0a3e.exe	29
PID 536 wrote to memory of 524	536	dac30ab400ec6be2daa29718ea6d0a3e.exe	29
PID 536 wrote to memory of 524	536	dac30ab400ec6be2daa29718ea6d0a3e.exe	29
PID 536 wrote to memory of 524	536	dac30ab400ec6be2daa29718ea6d0a3e.exe	29
PID 536 wrote to memory of 524	536	dac30ab400ec6be2daa29718ea6d0a3e.exe	29
PID 536 wrote to memory of 524	536	dac30ab400ec6be2daa29718ea6d0a3e.exe	29
PID 536 wrote to memory of 524	536	dac30ab400ec6be2daa29718ea6d0a3e.exe	29
PID 536 wrote to memory of 524	536	dac30ab400ec6be2daa29718ea6d0a3e.exe	29
PID 536 wrote to memory of 524	536	dac30ab400ec6be2daa29718ea6d0a3e.exe	29
PID 536 wrote to memory of 524	536	dac30ab400ec6be2daa29718ea6d0a3e.exe	29
PID 524 wrote to memory of 1592	524	RegSvcs.exe	31
PID 524 wrote to memory of 1592	524	RegSvcs.exe	31
PID 524 wrote to memory of 1592	524	RegSvcs.exe	31
PID 524 wrote to memory of 1592	524	RegSvcs.exe	31
PID 524 wrote to memory of 320	524	RegSvcs.exe	33
PID 524 wrote to memory of 320	524	RegSvcs.exe	33
PID 524 wrote to memory of 320	524	RegSvcs.exe	33
PID 524 wrote to memory of 320	524	RegSvcs.exe	33
PID 524 wrote to memory of 320	524	RegSvcs.exe	33
PID 524 wrote to memory of 320	524	RegSvcs.exe	33
PID 524 wrote to memory of 320	524	RegSvcs.exe	33
PID 524 wrote to memory of 1156	524	RegSvcs.exe	35
PID 524 wrote to memory of 1156	524	RegSvcs.exe	35
PID 524 wrote to memory of 1156	524	RegSvcs.exe	35
PID 524 wrote to memory of 1156	524	RegSvcs.exe	35
PID 524 wrote to memory of 1596	524	RegSvcs.exe	37
PID 524 wrote to memory of 1596	524	RegSvcs.exe	37
PID 524 wrote to memory of 1596	524	RegSvcs.exe	37
PID 524 wrote to memory of 1596	524	RegSvcs.exe	37
PID 1596 wrote to memory of 1524	1596	cmd.exe	39
PID 1596 wrote to memory of 1524	1596	cmd.exe	39
PID 1596 wrote to memory of 1524	1596	cmd.exe	39
PID 1596 wrote to memory of 1524	1596	cmd.exe	39
PID 524 wrote to memory of 1656	524	RegSvcs.exe	40
PID 524 wrote to memory of 1656	524	RegSvcs.exe	40
PID 524 wrote to memory of 1656	524	RegSvcs.exe	40
PID 524 wrote to memory of 1656	524	RegSvcs.exe	40
PID 1656 wrote to memory of 1700	1656	cmd.exe	42
PID 1656 wrote to memory of 1700	1656	cmd.exe	42
PID 1656 wrote to memory of 1700	1656	cmd.exe	42
PID 1656 wrote to memory of 1700	1656	cmd.exe	42
PID 1656 wrote to memory of 1588	1656	cmd.exe	43
PID 1656 wrote to memory of 1588	1656	cmd.exe	43
PID 1656 wrote to memory of 1588	1656	cmd.exe	43
PID 1656 wrote to memory of 1588	1656	cmd.exe	43
PID 1656 wrote to memory of 1600	1656	cmd.exe	44
PID 1656 wrote to memory of 1600	1656	cmd.exe	44
PID 1656 wrote to memory of 1600	1656	cmd.exe	44
PID 1656 wrote to memory of 1600	1656	cmd.exe	44
PID 1656 wrote to memory of 1600	1656	cmd.exe	44
PID 1656 wrote to memory of 1600	1656	cmd.exe	44
PID 1656 wrote to memory of 1600	1656	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\dac30ab400ec6be2daa29718ea6d0a3e.exe
"C:\Users\Admin\AppData\Local\Temp\dac30ab400ec6be2daa29718ea6d0a3e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1592
- - C:\Users\Admin\AppData\Roaming\UPX\Client.exe
    "C:\Users\Admin\AppData\Roaming\UPX\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:320
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      Deletes itself
      PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\jLVus7MQF8Xs.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:1588
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jLVus7MQF8Xs.bat

Filesize
216B

MD5
a7e22deac8c86a9cb3b89330aab27dc2

SHA1
e4f71de35de2067249afed2354e1a5e76d509840

SHA256
ba5633480f12081c01c852fdecf33d20cb4226af5633a4d325df3fb6fabad782

SHA512
934c0d4968047f912e5a96c65d1de6ec01043dc832f3fbedde0a4834407c72d9678f2e01844f374cb960fde6f466d370d46bfca7d7977ff79c6941b4dfb78aec

Download Submit
C:\Users\Admin\AppData\Roaming\UPX\Client.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Roaming\UPX\Client.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Roaming\UPX\Client.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/320-72-0x0000000000220000-0x0000000000240000-memory.dmp

Filesize
128KB

Download
memory/320-66-0x0000000000000000-mapping.dmp

Download
memory/320-70-0x0000000000050000-0x000000000005E000-memory.dmp

Filesize
56KB

Download
memory/524-58-0x0000000000486C3E-mapping.dmp

Download
memory/524-60-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/524-57-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/524-62-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/536-56-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/1156-74-0x000000006F7F0000-0x000000006FD9B000-memory.dmp

Filesize
5.7MB

Download
memory/1156-73-0x000000006F7F0000-0x000000006FD9B000-memory.dmp

Filesize
5.7MB

Download
memory/1156-68-0x0000000000000000-mapping.dmp

Download
memory/1524-76-0x0000000000000000-mapping.dmp

Download
memory/1588-80-0x0000000000000000-mapping.dmp

Download
memory/1592-64-0x0000000000000000-mapping.dmp

Download
memory/1596-75-0x0000000000000000-mapping.dmp

Download
memory/1600-81-0x0000000000000000-mapping.dmp

Download
memory/1600-82-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/1600-83-0x0000000000210000-0x0000000000230000-memory.dmp

Filesize
128KB

Download
memory/1656-77-0x0000000000000000-mapping.dmp

Download
memory/1700-79-0x0000000000000000-mapping.dmp

Download