quasar | 5b11f30be6e3bfb808c25d07b492cfa12840fd0efa795d8af397feba045d1c59

Analysis

max time kernel
1s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4942e9c13479bc1a62bdb07b23474e3c.exe
Size

639KB
MD5

4942e9c13479bc1a62bdb07b23474e3c
SHA1

d7a7283939a2fa4506b47fa809431b9cc4d2559e
SHA256

5b11f30be6e3bfb808c25d07b492cfa12840fd0efa795d8af397feba045d1c59
SHA512

8c8edd299922fcfa100e3e725d1b09259a86e41546361273c386177a3e2a765ffc76169a5b9d142efb4c5335bee3805c1f908c7f4edae0f0a33f2631a037eb59
SSDEEP

12288:66bJhnrd2Qsm/+/dnGz7O0Y244sMYcoFMVyMg+Yy1Wcwemn58WgxWM:6kJhngpn9kNsMwbMgkK58WgQM

Score

10^/10

quasar venomrat sep05 persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

SEP05

23.105.131.187:7812

Mutex

VNM_MUTEX_ea14HLQ5adxyrFdD2X

Attributes

encryption_key
jUWfdDb1toPE0KAlGJWH
install_name
Windows Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update Service
subdirectory
Windows Security Update

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/4668-8-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4668-8-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4942e9c13479bc1a62bdb07b23474e3c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jEWDfCdAGM = "C:\\Users\\Admin\\AppData\\Roaming\\EcGASfXzFi\\SgBSNdRiPF.exe"	4942e9c13479bc1a62bdb07b23474e3c.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

4942e9c13479bc1a62bdb07b23474e3c.exe

description pid process target process

PID 1400 set thread context of 4668 1400 4942e9c13479bc1a62bdb07b23474e3c.exe 4942e9c13479bc1a62bdb07b23474e3c.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2144 schtasks.exe
4376 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4552 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4942e9c13479bc1a62bdb07b23474e3c.exe

description pid process

Token: SeDebugPrivilege 4668 4942e9c13479bc1a62bdb07b23474e3c.exe

flow	ioc
7	ip-api.com

description	pid	process	target process
PID 1400 set thread context of 4668	1400	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe

pid	process
2144	schtasks.exe
4376	schtasks.exe

pid	process
4552	PING.EXE

description	pid	process
Token: SeDebugPrivilege	4668	4942e9c13479bc1a62bdb07b23474e3c.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4942e9c13479bc1a62bdb07b23474e3c.exe

description	pid	process	target process
PID 1400 wrote to memory of 4668	1400	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 1400 wrote to memory of 4668	1400	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 1400 wrote to memory of 4668	1400	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 1400 wrote to memory of 4668	1400	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 1400 wrote to memory of 4668	1400	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 1400 wrote to memory of 4668	1400	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 1400 wrote to memory of 4668	1400	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe
PID 1400 wrote to memory of 4668	1400	4942e9c13479bc1a62bdb07b23474e3c.exe	4942e9c13479bc1a62bdb07b23474e3c.exe

C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
"C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
  "C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:5056
- - C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe
    "C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe"
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Update Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    PID:740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:3708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lPnWM0uIR6gd.bat" "
    3⤵
    PID:4012
  - - C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
      "C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
      4⤵
      PID:3736

C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe
"C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe"
1⤵
PID:3748
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Windows Update Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2144

C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe
"C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe"
1⤵
PID:2796

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:4552

C:\Windows\SysWOW64\chcp.com
chcp 65001
1⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe
"C:\Users\Admin\AppData\Local\Temp\4942e9c13479bc1a62bdb07b23474e3c.exe"
1⤵
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1400-7-0x0000000005040000-0x000000000504A000-memory.dmp

Filesize
40KB

Download
memory/1400-2-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/1400-5-0x00000000051C0000-0x000000000525C000-memory.dmp

Filesize
624KB

Download
memory/1400-4-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/1400-1-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/1400-0-0x00000000005E0000-0x0000000000686000-memory.dmp

Filesize
664KB

Download
memory/1400-3-0x0000000005630000-0x0000000005BD4000-memory.dmp

Filesize
5.6MB

Download
memory/1400-11-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/3452-94-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/3452-95-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/3452-93-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/3704-23-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/3704-35-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/3704-22-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/3736-92-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/3736-89-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/3736-90-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3748-36-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/3748-33-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/3748-87-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/3748-88-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/3748-79-0x0000000006EF0000-0x0000000006EFA000-memory.dmp

Filesize
40KB

Download
memory/4668-12-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4668-15-0x0000000006580000-0x0000000006592000-memory.dmp

Filesize
72KB

Download
memory/4668-14-0x0000000005980000-0x00000000059E6000-memory.dmp

Filesize
408KB

Download
memory/4668-13-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/4668-86-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4668-8-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4668-16-0x0000000006C00000-0x0000000006C3C000-memory.dmp

Filesize
240KB

Download
memory/4668-81-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/4668-80-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/5056-26-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/5056-67-0x00000000079A0000-0x00000000079BA000-memory.dmp

Filesize
104KB

Download
memory/5056-66-0x0000000007FE0000-0x000000000865A000-memory.dmp

Filesize
6.5MB

Download
memory/5056-68-0x0000000007A10000-0x0000000007A1A000-memory.dmp

Filesize
40KB

Download
memory/5056-53-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/5056-69-0x0000000007C20000-0x0000000007CB6000-memory.dmp

Filesize
600KB

Download
memory/5056-70-0x0000000007BA0000-0x0000000007BB1000-memory.dmp

Filesize
68KB

Download
memory/5056-52-0x0000000007820000-0x0000000007852000-memory.dmp

Filesize
200KB

Download
memory/5056-51-0x000000007EFF0000-0x000000007F000000-memory.dmp

Filesize
64KB

Download
memory/5056-71-0x0000000007BD0000-0x0000000007BDE000-memory.dmp

Filesize
56KB

Download
memory/5056-72-0x0000000007BE0000-0x0000000007BF4000-memory.dmp

Filesize
80KB

Download
memory/5056-74-0x0000000007CC0000-0x0000000007CC8000-memory.dmp

Filesize
32KB

Download
memory/5056-73-0x0000000007CE0000-0x0000000007CFA000-memory.dmp

Filesize
104KB

Download
memory/5056-77-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/5056-64-0x0000000002E10000-0x0000000002E20000-memory.dmp

Filesize
64KB

Download
memory/5056-65-0x0000000007860000-0x0000000007903000-memory.dmp

Filesize
652KB

Download
memory/5056-63-0x0000000006C20000-0x0000000006C3E000-memory.dmp

Filesize
120KB

Download
memory/5056-28-0x00000000057E0000-0x0000000005E08000-memory.dmp

Filesize
6.2MB

Download
memory/5056-34-0x0000000002E10000-0x0000000002E20000-memory.dmp

Filesize
64KB

Download
memory/5056-49-0x0000000006670000-0x000000000668E000-memory.dmp

Filesize
120KB

Download
memory/5056-50-0x00000000066A0000-0x00000000066EC000-memory.dmp

Filesize
304KB

Download
memory/5056-48-0x00000000061D0000-0x0000000006524000-memory.dmp

Filesize
3.3MB

Download
memory/5056-38-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/5056-37-0x00000000057A0000-0x00000000057C2000-memory.dmp

Filesize
136KB

Download
memory/5056-32-0x0000000002E10000-0x0000000002E20000-memory.dmp

Filesize
64KB

Download
memory/5056-24-0x0000000002D60000-0x0000000002D96000-memory.dmp

Filesize
216KB

Download