quasar | 4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72

General

Target

4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe
Size

606KB
MD5

c23863e0d7186334ca69903c6653ae06
SHA1

6040256f4dabd5ee5dee6560e04c56f699532db6
SHA256

4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72
SHA512

b9a7ffaa9a01a488efd29a9f9162c95a8c50f25d2183679f4783ce900319d81f4d375518667959b89bf8df002a869736a2c47bccae3b8ec5844f8f31c2fa7759
SSDEEP

12288:HDNN+IaAFB0OLrdd5xSx8G3cK6TsrId6dd4WCWd9nNxtSR9UcN+Pjv:HDr+FqVvL5x4RcKYd83CWd9+UPv

Score

10^/10

quasar venomrat hacked persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

hacked

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_cFzA15c8rYLW8gVTCh

Attributes

encryption_key
VGvtyILUmmcgl2gY0sSm
install_name
Windows Security Health Service.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/332-137-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/332-137-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe"	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

61 ip-api.com

flow	ioc
61	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe

description	pid	process	target process
PID 2840 set thread context of 332	2840	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2160 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe

description pid process

Token: SeDebugPrivilege 332 4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe

pid	process
2160	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	332	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe

description	pid	process	target process
PID 2840 wrote to memory of 332	2840	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe
PID 2840 wrote to memory of 332	2840	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe
PID 2840 wrote to memory of 332	2840	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe
PID 2840 wrote to memory of 332	2840	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe
PID 2840 wrote to memory of 332	2840	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe
PID 2840 wrote to memory of 332	2840	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe
PID 2840 wrote to memory of 332	2840	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe
PID 2840 wrote to memory of 332	2840	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe
PID 332 wrote to memory of 2160	332	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe	schtasks.exe
PID 332 wrote to memory of 2160	332	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe	schtasks.exe
PID 332 wrote to memory of 2160	332	4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe
"C:\Users\Admin\AppData\Local\Temp\4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2840

C:\Users\Admin\AppData\Local\Temp\4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe
"C:\Users\Admin\AppData\Local\Temp\4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/332-136-0x0000000000000000-mapping.dmp

Download
memory/332-137-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/332-138-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/332-139-0x00000000063C0000-0x00000000063D2000-memory.dmp

Filesize
72KB

Download
memory/332-140-0x0000000006930000-0x000000000696C000-memory.dmp

Filesize
240KB

Download
memory/2160-141-0x0000000000000000-mapping.dmp

Download
memory/2840-132-0x0000000000490000-0x000000000052E000-memory.dmp

Filesize
632KB

Download
memory/2840-133-0x0000000005580000-0x0000000005B24000-memory.dmp

Filesize
5.6MB

Download
memory/2840-134-0x0000000004F00000-0x0000000004F92000-memory.dmp

Filesize
584KB

Download
memory/2840-135-0x0000000004FD0000-0x000000000506C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads