quasar | f2d6e1e9007b693c4ef5b7a8ee56c4bf24594620a43c16d752fe79dc60132270

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$77-Venom.exe
Size

534KB
MD5

ac2e0dc8d409951c34e10105738c0819
SHA1

644f9ecf7dd774bcf0ebd551344866f3311b4ddb
SHA256

f2d6e1e9007b693c4ef5b7a8ee56c4bf24594620a43c16d752fe79dc60132270
SHA512

a0c2c24375db71dd7617f52c24824f760a80a9a2e77fe0f3bcc1518fbf0cefc11e41aa9af65231e9bb1d1d91a0653aefb1bb650e701922152fc8844f0b56535a
SSDEEP

12288:0kxfIayFM+jJ2vemr+mf7B+yVkzFBtFET:0wPyFMyEr+mFzyFs

Score

10^/10

quasar venomrat mariojudah evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

mariojudah

127.0.0.1:4782

Mutex

VNM_MUTEX_a2Jk7sW9n0PjTmaEMn

Attributes

encryption_key
1zzvalSEUSRsWGZTAdB5
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/3592-0-0x0000000000C10000-0x0000000000C9C000-memory.dmp	disable_win_def
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	disable_win_def
behavioral2/memory/3212-13-0x0000000005110000-0x0000000005120000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

$77-Venom.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	$77-Venom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	$77-Venom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	$77-Venom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	$77-Venom.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3592-0-0x0000000000C10000-0x0000000000C9C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

$77-Venom.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	$77-Venom.exe

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

3212 Client.exe

pid	process
3212	Client.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

$77-Venom.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	$77-Venom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	$77-Venom.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2980 schtasks.exe
5624 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

6012 PING.EXE

flow	ioc
16	ip-api.com

pid	process
2980	schtasks.exe
5624	schtasks.exe

pid	process
6012	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exe$77-Venom.exe$77-Venom.exe

pid	process
3436	powershell.exe
3436	powershell.exe
3592	$77-Venom.exe
3592	$77-Venom.exe
3592	$77-Venom.exe
3592	$77-Venom.exe
3592	$77-Venom.exe
3592	$77-Venom.exe
3592	$77-Venom.exe
4540	$77-Venom.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

$77-Venom.exepowershell.exeClient.exe$77-Venom.exe

description	pid	process
Token: SeDebugPrivilege	3592	$77-Venom.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	3212	Client.exe
Token: SeDebugPrivilege	3212	Client.exe
Token: SeDebugPrivilege	4540	$77-Venom.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

3212 Client.exe

pid	process
3212	Client.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

$77-Venom.exeClient.execmd.execmd.exe

description	pid	process	target process
PID 3592 wrote to memory of 2980	3592	$77-Venom.exe	schtasks.exe
PID 3592 wrote to memory of 2980	3592	$77-Venom.exe	schtasks.exe
PID 3592 wrote to memory of 2980	3592	$77-Venom.exe	schtasks.exe
PID 3592 wrote to memory of 3212	3592	$77-Venom.exe	Client.exe
PID 3592 wrote to memory of 3212	3592	$77-Venom.exe	Client.exe
PID 3592 wrote to memory of 3212	3592	$77-Venom.exe	Client.exe
PID 3592 wrote to memory of 3436	3592	$77-Venom.exe	powershell.exe
PID 3592 wrote to memory of 3436	3592	$77-Venom.exe	powershell.exe
PID 3592 wrote to memory of 3436	3592	$77-Venom.exe	powershell.exe
PID 3212 wrote to memory of 5624	3212	Client.exe	schtasks.exe
PID 3212 wrote to memory of 5624	3212	Client.exe	schtasks.exe
PID 3212 wrote to memory of 5624	3212	Client.exe	schtasks.exe
PID 3592 wrote to memory of 5152	3592	$77-Venom.exe	cmd.exe
PID 3592 wrote to memory of 5152	3592	$77-Venom.exe	cmd.exe
PID 3592 wrote to memory of 5152	3592	$77-Venom.exe	cmd.exe
PID 5152 wrote to memory of 3420	5152	cmd.exe	cmd.exe
PID 5152 wrote to memory of 3420	5152	cmd.exe	cmd.exe
PID 5152 wrote to memory of 3420	5152	cmd.exe	cmd.exe
PID 3592 wrote to memory of 4648	3592	$77-Venom.exe	cmd.exe
PID 3592 wrote to memory of 4648	3592	$77-Venom.exe	cmd.exe
PID 3592 wrote to memory of 4648	3592	$77-Venom.exe	cmd.exe
PID 4648 wrote to memory of 6088	4648	cmd.exe	chcp.com
PID 4648 wrote to memory of 6088	4648	cmd.exe	chcp.com
PID 4648 wrote to memory of 6088	4648	cmd.exe	chcp.com
PID 4648 wrote to memory of 6012	4648	cmd.exe	PING.EXE
PID 4648 wrote to memory of 6012	4648	cmd.exe	PING.EXE
PID 4648 wrote to memory of 6012	4648	cmd.exe	PING.EXE
PID 4648 wrote to memory of 4540	4648	cmd.exe	$77-Venom.exe
PID 4648 wrote to memory of 4540	4648	cmd.exe	$77-Venom.exe
PID 4648 wrote to memory of 4540	4648	cmd.exe	$77-Venom.exe

C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
"C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2980
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:5624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    3⤵
    PID:3420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ulEN9X6Yihqv.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:6088
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:6012
- - C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe
    "C:\Users\Admin\AppData\Local\Temp\$77-Venom.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\$77-Venom.exe.log

Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zlgs54nn.3vg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ulEN9X6Yihqv.bat

Filesize
206B

MD5
5c3e13a38ebca842979b013a8816fd77

SHA1
3795af370821b2595c225552b8d0733d88b360c3

SHA256
5bb32855abb729e0f4202400ea8a2d04b56475abb615bb89b3ac8836bd3464ea

SHA512
38866e40cf53d5824ac081ee5047c2d1fc61b701b3fd3e7c3148614acf5a941243502abcb71b9d059d9b937fb56a98c0283bb3e6eda6af353f78815eae7c1096

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
534KB

MD5
ac2e0dc8d409951c34e10105738c0819

SHA1
644f9ecf7dd774bcf0ebd551344866f3311b4ddb

SHA256
f2d6e1e9007b693c4ef5b7a8ee56c4bf24594620a43c16d752fe79dc60132270

SHA512
a0c2c24375db71dd7617f52c24824f760a80a9a2e77fe0f3bcc1518fbf0cefc11e41aa9af65231e9bb1d1d91a0653aefb1bb650e701922152fc8844f0b56535a

Download Submit
memory/3212-12-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/3212-71-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/3212-69-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/3212-34-0x0000000006780000-0x000000000678A000-memory.dmp

Filesize
40KB

Download
memory/3212-13-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/3436-36-0x00000000075A0000-0x00000000075D2000-memory.dmp

Filesize
200KB

Download
memory/3436-49-0x0000000002CF0000-0x0000000002D00000-memory.dmp

Filesize
64KB

Download
memory/3436-14-0x0000000002D00000-0x0000000002D36000-memory.dmp

Filesize
216KB

Download
memory/3436-15-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/3436-16-0x0000000002CF0000-0x0000000002D00000-memory.dmp

Filesize
64KB

Download
memory/3436-17-0x0000000002CF0000-0x0000000002D00000-memory.dmp

Filesize
64KB

Download
memory/3436-18-0x0000000005730000-0x0000000005D58000-memory.dmp

Filesize
6.2MB

Download
memory/3436-19-0x0000000005E60000-0x0000000005E82000-memory.dmp

Filesize
136KB

Download
memory/3436-62-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/3436-25-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/3436-30-0x0000000006290000-0x00000000065E4000-memory.dmp

Filesize
3.3MB

Download
memory/3436-32-0x0000000006640000-0x000000000668C000-memory.dmp

Filesize
304KB

Download
memory/3436-31-0x00000000065F0000-0x000000000660E000-memory.dmp

Filesize
120KB

Download
memory/3436-59-0x0000000007C40000-0x0000000007C48000-memory.dmp

Filesize
32KB

Download
memory/3436-35-0x000000007FAD0000-0x000000007FAE0000-memory.dmp

Filesize
64KB

Download
memory/3436-58-0x0000000007C60000-0x0000000007C7A000-memory.dmp

Filesize
104KB

Download
memory/3436-37-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/3436-47-0x0000000006BD0000-0x0000000006BEE000-memory.dmp

Filesize
120KB

Download
memory/3436-48-0x0000000002CF0000-0x0000000002D00000-memory.dmp

Filesize
64KB

Download
memory/3436-57-0x0000000007B60000-0x0000000007B74000-memory.dmp

Filesize
80KB

Download
memory/3436-50-0x00000000077F0000-0x0000000007893000-memory.dmp

Filesize
652KB

Download
memory/3436-51-0x0000000007F70000-0x00000000085EA000-memory.dmp

Filesize
6.5MB

Download
memory/3436-52-0x0000000007920000-0x000000000793A000-memory.dmp

Filesize
104KB

Download
memory/3436-53-0x0000000007990000-0x000000000799A000-memory.dmp

Filesize
40KB

Download
memory/3436-54-0x0000000007BA0000-0x0000000007C36000-memory.dmp

Filesize
600KB

Download
memory/3436-55-0x0000000007B20000-0x0000000007B31000-memory.dmp

Filesize
68KB

Download
memory/3436-56-0x0000000007B50000-0x0000000007B5E000-memory.dmp

Filesize
56KB

Download
memory/3592-7-0x0000000006920000-0x000000000695C000-memory.dmp

Filesize
240KB

Download
memory/3592-0-0x0000000000C10000-0x0000000000C9C000-memory.dmp

Filesize
560KB

Download
memory/3592-5-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/3592-6-0x00000000063E0000-0x00000000063F2000-memory.dmp

Filesize
72KB

Download
memory/3592-67-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/3592-4-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/3592-3-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/3592-2-0x0000000005D10000-0x00000000062B4000-memory.dmp

Filesize
5.6MB

Download
memory/3592-1-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/4540-72-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/4540-73-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/4540-74-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download