quasar | cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc

General

Target

4ef1927705d28faf8456c200397d0af6.exe
Size

792KB
MD5

4ef1927705d28faf8456c200397d0af6
SHA1

b92ab805e7c2884abcf371179b0d8989c4f90025
SHA256

cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc
SHA512

fe7f2405a8beb2bd70cfc689ce5ea3fc2cc4e03c72c925db698ea0e56b269b3e66c20f88afc382ea734e39b25cf66b0bcf24d72dab12d1b791ef91c690af17ac
SSDEEP

6144:K8fGABIgrx8kFYLTiMkbmM28mA04ykdBbDqIJluHLmRZXqavbvmGaGy3V8/GV0j1:LPx7FYPiMq2fkdZ9JamPaaDvreg7

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

192.168.1.154:4782

Mutex

VNM_MUTEX_ph9lkMeWS6xgznetvP

Attributes

encryption_key
2ABr09PX2FCCobHek8sv
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2968-0-0x0000000000D40000-0x0000000000E0C000-memory.dmp	disable_win_def
behavioral1/memory/2760-9-0x0000000001090000-0x000000000115C000-memory.dmp	disable_win_def
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	disable_win_def
behavioral1/memory/2880-16-0x0000000002680000-0x00000000026C0000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

4ef1927705d28faf8456c200397d0af6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	4ef1927705d28faf8456c200397d0af6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	4ef1927705d28faf8456c200397d0af6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	4ef1927705d28faf8456c200397d0af6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	4ef1927705d28faf8456c200397d0af6.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2968-0-0x0000000000D40000-0x0000000000E0C000-memory.dmp	family_quasar
behavioral1/memory/2760-9-0x0000000001090000-0x000000000115C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
behavioral1/memory/2880-16-0x0000000002680000-0x00000000026C0000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

2760 Client.exe
Loads dropped DLL 1 IoCs

Processes:

4ef1927705d28faf8456c200397d0af6.exe

pid process

2968 4ef1927705d28faf8456c200397d0af6.exe

pid	process
2760	Client.exe

pid	process
2968	4ef1927705d28faf8456c200397d0af6.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

4ef1927705d28faf8456c200397d0af6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	4ef1927705d28faf8456c200397d0af6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	4ef1927705d28faf8456c200397d0af6.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2736 schtasks.exe
1740 schtasks.exe

flow	ioc
2	ip-api.com

pid	process
2736	schtasks.exe
1740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe4ef1927705d28faf8456c200397d0af6.exe

pid	process
2880	powershell.exe
2968	4ef1927705d28faf8456c200397d0af6.exe
2968	4ef1927705d28faf8456c200397d0af6.exe
2968	4ef1927705d28faf8456c200397d0af6.exe
2968	4ef1927705d28faf8456c200397d0af6.exe
2968	4ef1927705d28faf8456c200397d0af6.exe
2968	4ef1927705d28faf8456c200397d0af6.exe
2968	4ef1927705d28faf8456c200397d0af6.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

4ef1927705d28faf8456c200397d0af6.exeClient.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2968	4ef1927705d28faf8456c200397d0af6.exe
Token: SeDebugPrivilege	2760	Client.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2760	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

2760 Client.exe

pid	process
2760	Client.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

4ef1927705d28faf8456c200397d0af6.exeClient.execmd.exe

description	pid	process	target process
PID 2968 wrote to memory of 2736	2968	4ef1927705d28faf8456c200397d0af6.exe	schtasks.exe
PID 2968 wrote to memory of 2736	2968	4ef1927705d28faf8456c200397d0af6.exe	schtasks.exe
PID 2968 wrote to memory of 2736	2968	4ef1927705d28faf8456c200397d0af6.exe	schtasks.exe
PID 2968 wrote to memory of 2736	2968	4ef1927705d28faf8456c200397d0af6.exe	schtasks.exe
PID 2968 wrote to memory of 2760	2968	4ef1927705d28faf8456c200397d0af6.exe	Client.exe
PID 2968 wrote to memory of 2760	2968	4ef1927705d28faf8456c200397d0af6.exe	Client.exe
PID 2968 wrote to memory of 2760	2968	4ef1927705d28faf8456c200397d0af6.exe	Client.exe
PID 2968 wrote to memory of 2760	2968	4ef1927705d28faf8456c200397d0af6.exe	Client.exe
PID 2968 wrote to memory of 2880	2968	4ef1927705d28faf8456c200397d0af6.exe	powershell.exe
PID 2968 wrote to memory of 2880	2968	4ef1927705d28faf8456c200397d0af6.exe	powershell.exe
PID 2968 wrote to memory of 2880	2968	4ef1927705d28faf8456c200397d0af6.exe	powershell.exe
PID 2968 wrote to memory of 2880	2968	4ef1927705d28faf8456c200397d0af6.exe	powershell.exe
PID 2760 wrote to memory of 1740	2760	Client.exe	schtasks.exe
PID 2760 wrote to memory of 1740	2760	Client.exe	schtasks.exe
PID 2760 wrote to memory of 1740	2760	Client.exe	schtasks.exe
PID 2760 wrote to memory of 1740	2760	Client.exe	schtasks.exe
PID 2968 wrote to memory of 2040	2968	4ef1927705d28faf8456c200397d0af6.exe	cmd.exe
PID 2968 wrote to memory of 2040	2968	4ef1927705d28faf8456c200397d0af6.exe	cmd.exe
PID 2968 wrote to memory of 2040	2968	4ef1927705d28faf8456c200397d0af6.exe	cmd.exe
PID 2968 wrote to memory of 2040	2968	4ef1927705d28faf8456c200397d0af6.exe	cmd.exe
PID 2040 wrote to memory of 1620	2040	cmd.exe	cmd.exe
PID 2040 wrote to memory of 1620	2040	cmd.exe	cmd.exe
PID 2040 wrote to memory of 1620	2040	cmd.exe	cmd.exe
PID 2040 wrote to memory of 1620	2040	cmd.exe	cmd.exe
PID 2968 wrote to memory of 2500	2968	4ef1927705d28faf8456c200397d0af6.exe	cmd.exe
PID 2968 wrote to memory of 2500	2968	4ef1927705d28faf8456c200397d0af6.exe	cmd.exe
PID 2968 wrote to memory of 2500	2968	4ef1927705d28faf8456c200397d0af6.exe	cmd.exe
PID 2968 wrote to memory of 2500	2968	4ef1927705d28faf8456c200397d0af6.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4ef1927705d28faf8456c200397d0af6.exe
"C:\Users\Admin\AppData\Local\Temp\4ef1927705d28faf8456c200397d0af6.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\4ef1927705d28faf8456c200397d0af6.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2736
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    3⤵
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\CgLJw9o8LT8O.bat" "
  2⤵
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CgLJw9o8LT8O.bat

Filesize
229B

MD5
dea589bc4161de857dcbe9cf9da4e9d5

SHA1
94654da7fbdddd51bce9a7e549500e5f6b4b20af

SHA256
6c017aaa460bc4a9ecc44c3e9fdacd3e8441914e6d9bd343619036146c4d527d

SHA512
c18455893c66366f84da5a5393341c333ad93eaf8399b03f145f2f65ae9b944e7b3b367af5eda7a13faf9496dd096e848b1ec509c232ee93c84d021a8cd45a4a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
431KB

MD5
8f619db3a05a7bd13b58035a9b1523dd

SHA1
e23ab92f7633274d000256750d1b47c05bc6ce43

SHA256
9054ad3200bbf73d95d397d2001b484d65a6a75897065107230867e7bc19ef25

SHA512
adc29542c495e72a0ed7dce3ad05495abeb8b8f1be3cc1d4e6e1b046cad54c2356f81a3dfe6921e04a49dfc44ac39b9a3abb9be8552903c94e7bd959855b95dc

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
792KB

MD5
4ef1927705d28faf8456c200397d0af6

SHA1
b92ab805e7c2884abcf371179b0d8989c4f90025

SHA256
cd5a8de963a29d07bb003a8d03fa7ba38e5004641fe8138885c967db46bef0fc

SHA512
fe7f2405a8beb2bd70cfc689ce5ea3fc2cc4e03c72c925db698ea0e56b269b3e66c20f88afc382ea734e39b25cf66b0bcf24d72dab12d1b791ef91c690af17ac

Download Submit
memory/2760-23-0x0000000074620000-0x0000000074D0E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-24-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/2760-9-0x0000000001090000-0x000000000115C000-memory.dmp

Filesize
816KB

Download
memory/2760-10-0x0000000074620000-0x0000000074D0E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-11-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/2880-15-0x000000006ED80000-0x000000006F32B000-memory.dmp

Filesize
5.7MB

Download
memory/2880-16-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2880-17-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2880-18-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2880-20-0x000000006ED80000-0x000000006F32B000-memory.dmp

Filesize
5.7MB

Download
memory/2880-14-0x000000006ED80000-0x000000006F32B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-1-0x0000000074620000-0x0000000074D0E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-21-0x0000000074620000-0x0000000074D0E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-22-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/2968-2-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/2968-0-0x0000000000D40000-0x0000000000E0C000-memory.dmp

Filesize
816KB

Download
memory/2968-34-0x0000000074620000-0x0000000074D0E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads