quasar | e14fe9800b600ce61b06794233aa47d6fbbc20d18dbb1e531c5deaac995bbca8

General

Target

e14fe9800b600ce61b06794233aa47d6fbbc20d18dbb1e531c5deaac995bbca8.exe
Size

590KB
MD5

f7d70adb404cf63562d6541fce16ee94
SHA1

7c855ae562c54c6747c682f9403ff902308deeb1
SHA256

e14fe9800b600ce61b06794233aa47d6fbbc20d18dbb1e531c5deaac995bbca8
SHA512

aed0a69aa45018197f04eec259ab4954f0ecd6f0e309a745346282cc46efd4e6567f920a3cfa39326082abff40de6ad932150ae5f6207e1a580d87343410d519
SSDEEP

6144:kU9/iRCAm9wyitWVSIyIXQR3YQJrjYPUotecWo7vMyYp5lQj64cmX3Hrv9Otawza:i3ynm3RsPj7WYUxp+TvotLzAFLBz8LS

Score

10^/10

quasar venomrat rat evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

RAT

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_gdy9bWxR0te3WgTRnI

Attributes

encryption_key
MDXzdQumRqZGIeya7nG9
install_name
Windows Defender Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
Microsoft

Signatures

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe	disable_win_def
behavioral2/memory/3016-137-0x00000000004A0000-0x000000000052C000-memory.dmp	disable_win_def
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

Windows Defender Security.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Windows Defender Security.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Windows Defender Security.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Windows Defender Security.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Windows Defender Security.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe	family_quasar
behavioral2/memory/3016-137-0x00000000004A0000-0x000000000052C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Executes dropped EXE 3 IoCs

Processes:

Windows Defender Security.exeWindows Defender Security.exeWindows Defender Security.exe

pid process

3016 Windows Defender Security.exe
4840 Windows Defender Security.exe
3944 Windows Defender Security.exe

pid	process
3016	Windows Defender Security.exe
4840	Windows Defender Security.exe
3944	Windows Defender Security.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e14fe9800b600ce61b06794233aa47d6fbbc20d18dbb1e531c5deaac995bbca8.exeWindows Defender Security.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	e14fe9800b600ce61b06794233aa47d6fbbc20d18dbb1e531c5deaac995bbca8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Windows Defender Security.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Windows Defender Security.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Windows Defender Security.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Windows Defender Security.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows Defender Security.exeWindows Defender Security.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender Security.exe\""	Windows Defender Security.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows Defender Security.exe\""	Windows Defender Security.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
17 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5056 schtasks.exe
2284 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1848 PING.EXE

flow	ioc
5	ip-api.com
17	api.ipify.org

pid	process
5056	schtasks.exe
2284	schtasks.exe

pid	process
1848	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exeWindows Defender Security.exeWindows Defender Security.exe

pid	process
4800	powershell.exe
4800	powershell.exe
3016	Windows Defender Security.exe
3016	Windows Defender Security.exe
3016	Windows Defender Security.exe
3016	Windows Defender Security.exe
3016	Windows Defender Security.exe
3016	Windows Defender Security.exe
3016	Windows Defender Security.exe
3944	Windows Defender Security.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Windows Defender Security.exepowershell.exeWindows Defender Security.exeWindows Defender Security.exe

description	pid	process
Token: SeDebugPrivilege	3016	Windows Defender Security.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	4840	Windows Defender Security.exe
Token: SeDebugPrivilege	4840	Windows Defender Security.exe
Token: SeDebugPrivilege	3944	Windows Defender Security.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Defender Security.exe

pid process

4840 Windows Defender Security.exe

pid	process
4840	Windows Defender Security.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

e14fe9800b600ce61b06794233aa47d6fbbc20d18dbb1e531c5deaac995bbca8.exeWindows Defender Security.exeWindows Defender Security.execmd.execmd.exe

description	pid	process	target process
PID 1476 wrote to memory of 3016	1476	e14fe9800b600ce61b06794233aa47d6fbbc20d18dbb1e531c5deaac995bbca8.exe	Windows Defender Security.exe
PID 1476 wrote to memory of 3016	1476	e14fe9800b600ce61b06794233aa47d6fbbc20d18dbb1e531c5deaac995bbca8.exe	Windows Defender Security.exe
PID 1476 wrote to memory of 3016	1476	e14fe9800b600ce61b06794233aa47d6fbbc20d18dbb1e531c5deaac995bbca8.exe	Windows Defender Security.exe
PID 3016 wrote to memory of 5056	3016	Windows Defender Security.exe	schtasks.exe
PID 3016 wrote to memory of 5056	3016	Windows Defender Security.exe	schtasks.exe
PID 3016 wrote to memory of 5056	3016	Windows Defender Security.exe	schtasks.exe
PID 3016 wrote to memory of 4840	3016	Windows Defender Security.exe	Windows Defender Security.exe
PID 3016 wrote to memory of 4840	3016	Windows Defender Security.exe	Windows Defender Security.exe
PID 3016 wrote to memory of 4840	3016	Windows Defender Security.exe	Windows Defender Security.exe
PID 3016 wrote to memory of 4800	3016	Windows Defender Security.exe	powershell.exe
PID 3016 wrote to memory of 4800	3016	Windows Defender Security.exe	powershell.exe
PID 3016 wrote to memory of 4800	3016	Windows Defender Security.exe	powershell.exe
PID 4840 wrote to memory of 2284	4840	Windows Defender Security.exe	schtasks.exe
PID 4840 wrote to memory of 2284	4840	Windows Defender Security.exe	schtasks.exe
PID 4840 wrote to memory of 2284	4840	Windows Defender Security.exe	schtasks.exe
PID 3016 wrote to memory of 116	3016	Windows Defender Security.exe	cmd.exe
PID 3016 wrote to memory of 116	3016	Windows Defender Security.exe	cmd.exe
PID 3016 wrote to memory of 116	3016	Windows Defender Security.exe	cmd.exe
PID 116 wrote to memory of 3908	116	cmd.exe	cmd.exe
PID 116 wrote to memory of 3908	116	cmd.exe	cmd.exe
PID 116 wrote to memory of 3908	116	cmd.exe	cmd.exe
PID 3016 wrote to memory of 3456	3016	Windows Defender Security.exe	cmd.exe
PID 3016 wrote to memory of 3456	3016	Windows Defender Security.exe	cmd.exe
PID 3016 wrote to memory of 3456	3016	Windows Defender Security.exe	cmd.exe
PID 3456 wrote to memory of 4448	3456	cmd.exe	chcp.com
PID 3456 wrote to memory of 4448	3456	cmd.exe	chcp.com
PID 3456 wrote to memory of 4448	3456	cmd.exe	chcp.com
PID 3456 wrote to memory of 1848	3456	cmd.exe	PING.EXE
PID 3456 wrote to memory of 1848	3456	cmd.exe	PING.EXE
PID 3456 wrote to memory of 1848	3456	cmd.exe	PING.EXE
PID 3456 wrote to memory of 3944	3456	cmd.exe	Windows Defender Security.exe
PID 3456 wrote to memory of 3944	3456	cmd.exe	Windows Defender Security.exe
PID 3456 wrote to memory of 3944	3456	cmd.exe	Windows Defender Security.exe

C:\Users\Admin\AppData\Local\Temp\e14fe9800b600ce61b06794233aa47d6fbbc20d18dbb1e531c5deaac995bbca8.exe
"C:\Users\Admin\AppData\Local\Temp\e14fe9800b600ce61b06794233aa47d6fbbc20d18dbb1e531c5deaac995bbca8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
  "C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Checks computer location settings
  - Windows security modification
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:5056
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:2284
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YdfsId1tC3AT.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4448
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:1848
  - - C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
      "C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Defender Security.exe.log

Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\YdfsId1tC3AT.bat

Filesize
219B

MD5
fd2df7149a0c1f23863fa4b80149505c

SHA1
9e9188b329109d95349bc3d2dac40867aa9148c9

SHA256
87ffad653aca52daf9bfd37828e5135d246213dc790a7301178c50485e875912

SHA512
b30263a00f9ad641baee456b7c1cb9daa06a5caf2e8bbf2499bc63431858c60f91e7b640f60822c52e161cdb8a60f22c4260c7eb93fc2258a494871e87199c89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe

Filesize
535KB

MD5
6f3b107a20b18244efb6473bae2544b1

SHA1
dc02ec107547c515bffeadcd87e6308c3bdfd390

SHA256
2b23c8f0299f92a4ba0f7d4eea26316cf2ffae2eaf41767ce452464c9951b2a0

SHA512
318b51a7bc6a37f9a4d2ee528d66124b541c9d3f2002ad7a15456071fe090cdb264f6439dbc3fa5471200d2faf5217d01af56b3eafa2830917480b080d31161c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender Security.exe

Filesize
535KB

MD5
6f3b107a20b18244efb6473bae2544b1

SHA1
dc02ec107547c515bffeadcd87e6308c3bdfd390

SHA256
2b23c8f0299f92a4ba0f7d4eea26316cf2ffae2eaf41767ce452464c9951b2a0

SHA512
318b51a7bc6a37f9a4d2ee528d66124b541c9d3f2002ad7a15456071fe090cdb264f6439dbc3fa5471200d2faf5217d01af56b3eafa2830917480b080d31161c

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe

Filesize
535KB

MD5
6f3b107a20b18244efb6473bae2544b1

SHA1
dc02ec107547c515bffeadcd87e6308c3bdfd390

SHA256
2b23c8f0299f92a4ba0f7d4eea26316cf2ffae2eaf41767ce452464c9951b2a0

SHA512
318b51a7bc6a37f9a4d2ee528d66124b541c9d3f2002ad7a15456071fe090cdb264f6439dbc3fa5471200d2faf5217d01af56b3eafa2830917480b080d31161c

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe

Filesize
535KB

MD5
6f3b107a20b18244efb6473bae2544b1

SHA1
dc02ec107547c515bffeadcd87e6308c3bdfd390

SHA256
2b23c8f0299f92a4ba0f7d4eea26316cf2ffae2eaf41767ce452464c9951b2a0

SHA512
318b51a7bc6a37f9a4d2ee528d66124b541c9d3f2002ad7a15456071fe090cdb264f6439dbc3fa5471200d2faf5217d01af56b3eafa2830917480b080d31161c

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe

Filesize
535KB

MD5
6f3b107a20b18244efb6473bae2544b1

SHA1
dc02ec107547c515bffeadcd87e6308c3bdfd390

SHA256
2b23c8f0299f92a4ba0f7d4eea26316cf2ffae2eaf41767ce452464c9951b2a0

SHA512
318b51a7bc6a37f9a4d2ee528d66124b541c9d3f2002ad7a15456071fe090cdb264f6439dbc3fa5471200d2faf5217d01af56b3eafa2830917480b080d31161c

Download Submit
memory/116-165-0x0000000000000000-mapping.dmp

Download
memory/1476-136-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1476-132-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1848-170-0x0000000000000000-mapping.dmp

Download
memory/2284-153-0x0000000000000000-mapping.dmp

Download
memory/3016-142-0x0000000006140000-0x000000000617C000-memory.dmp

Filesize
240KB

Download
memory/3016-141-0x0000000005D20000-0x0000000005D32000-memory.dmp

Filesize
72KB

Download
memory/3016-140-0x00000000050D0000-0x0000000005136000-memory.dmp

Filesize
408KB

Download
memory/3016-139-0x0000000004FC0000-0x0000000005052000-memory.dmp

Filesize
584KB

Download
memory/3016-138-0x0000000005570000-0x0000000005B14000-memory.dmp

Filesize
5.6MB

Download
memory/3016-137-0x00000000004A0000-0x000000000052C000-memory.dmp

Filesize
560KB

Download
memory/3016-133-0x0000000000000000-mapping.dmp

Download
memory/3456-167-0x0000000000000000-mapping.dmp

Download
memory/3908-166-0x0000000000000000-mapping.dmp

Download
memory/3944-171-0x0000000000000000-mapping.dmp

Download
memory/4448-169-0x0000000000000000-mapping.dmp

Download
memory/4800-152-0x0000000005F10000-0x0000000005F2E000-memory.dmp

Filesize
120KB

Download
memory/4800-164-0x0000000007B30000-0x0000000007B38000-memory.dmp

Filesize
32KB

Download
memory/4800-157-0x0000000006BB0000-0x0000000006BCE000-memory.dmp

Filesize
120KB

Download
memory/4800-158-0x0000000007F70000-0x00000000085EA000-memory.dmp

Filesize
6.5MB

Download
memory/4800-159-0x0000000007920000-0x000000000793A000-memory.dmp

Filesize
104KB

Download
memory/4800-160-0x0000000001190000-0x000000000119A000-memory.dmp

Filesize
40KB

Download
memory/4800-161-0x0000000007B40000-0x0000000007BD6000-memory.dmp

Filesize
600KB

Download
memory/4800-162-0x0000000007AF0000-0x0000000007AFE000-memory.dmp

Filesize
56KB

Download
memory/4800-163-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

Filesize
104KB

Download
memory/4800-156-0x000000006FB30000-0x000000006FB7C000-memory.dmp

Filesize
304KB

Download
memory/4800-155-0x0000000006BD0000-0x0000000006C02000-memory.dmp

Filesize
200KB

Download
memory/4800-147-0x0000000000000000-mapping.dmp

Download
memory/4800-151-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/4800-150-0x0000000005750000-0x0000000005772000-memory.dmp

Filesize
136KB

Download
memory/4800-149-0x0000000005830000-0x0000000005E58000-memory.dmp

Filesize
6.2MB

Download
memory/4800-148-0x0000000002CF0000-0x0000000002D26000-memory.dmp

Filesize
216KB

Download
memory/4840-154-0x00000000069D0000-0x00000000069DA000-memory.dmp

Filesize
40KB

Download
memory/4840-144-0x0000000000000000-mapping.dmp

Download
memory/5056-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads