quasar | 1e2ca810cc9233dc0350cafb6d52f0a9e5ccafe1b3b8c9d3f70ca406be970566

General

Target

d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe
Size

1.0MB
MD5

7a98ca652a682ae96bc3f9ac6d554d82
SHA1

dbb6b1d490b64e9b1260d0ad55cd2fe1d776586f
SHA256

d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16
SHA512

6fd10b572f7c39fc2b33d57957f1c36102da158a22a5b4d855736dd5ed92a3ba5d945662d11ad2b69f845f16c48a9875258fa2cdc80089cd5863c7980d21ce9f
SSDEEP

24576:t+ynkc1ZzBvtrZHFjMKY2naU8elKA9eaZYZg+ryTh:4ynkc1ZzBvtrZHFjMKY2nb8elKAgaZXN

Score

10^/10

quasar venom client persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.7.0.0

Botnet

Venom Client

C2

markphoto.casacam.net:5000

Mutex

JlYM51eW4iZoFyLa2X

Attributes

encryption_key
BL7lZzIkUckEp2RCh8Q6
install_name
Venom.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1704-54-0x00000000010A0000-0x00000000011B0000-memory.dmp	family_quasar

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Venom Client Startup = "C:\\Users\\Admin\\AppData\\Roaming\\Venom.exe"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

672 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe

description pid process

Token: SeDebugPrivilege 1704 d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe

flow	ioc
1	ip-api.com

pid	process
672	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1704	d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exeexplorer.exe

description	pid	process	target process
PID 1704 wrote to memory of 672	1704	d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe	schtasks.exe
PID 1704 wrote to memory of 672	1704	d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe	schtasks.exe
PID 1704 wrote to memory of 672	1704	d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe	schtasks.exe
PID 1704 wrote to memory of 672	1704	d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe	schtasks.exe
PID 1704 wrote to memory of 1884	1704	d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe	explorer.exe
PID 1704 wrote to memory of 1884	1704	d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe	explorer.exe
PID 1704 wrote to memory of 1884	1704	d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe	explorer.exe
PID 1704 wrote to memory of 1884	1704	d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe	explorer.exe
PID 656 wrote to memory of 1424	656	explorer.exe	WScript.exe
PID 656 wrote to memory of 1424	656	explorer.exe	WScript.exe
PID 656 wrote to memory of 1424	656	explorer.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe
"C:\Users\Admin\AppData\Local\Temp\d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Venom.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:672

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
2⤵
PID:1884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
2⤵
- Adds Run key to start application
PID:1424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Execution.vbs
Filesize
487B

MD5
0bd2a48a7ea7bb9c3c6052f8689224d5

SHA1
f50e7e305926794d8b06b41037b824aacec8f19f

SHA256
c0d72c6c63c1db6caec20189d79fc208bc3891bd0a9e54fb62c272826a78f257

SHA512
a98c9eef6421002c14b3241173c9224db1826683b82fafcd4b0891d6b5dee4cfac0d2c47206d682c04bb83361d99da04eb6a6919d51f8142195bfc4030f4765e

Download Submit
memory/1704-54-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download
memory/1704-55-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/1704-59-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads