quasar | 6542a4adb925c38ae9fd6ddd0d5f838ac60b90e2db1e71ed71916fd6a988feb6

General

Target

fpsFIX.exe
Size

534KB
MD5

68e20c59e6398f9fe522cc509d440698
SHA1

5259db943f684f654c66ca277b28c410877494ad
SHA256

6542a4adb925c38ae9fd6ddd0d5f838ac60b90e2db1e71ed71916fd6a988feb6
SHA512

c25860340c9fd2b60a61490837febbe87d7912487cf6fbed0d31bd943c561767302be89c0309bc6e19df391e25adff5c4f6186a1b7f7fd181732c95da9a1ad09
SSDEEP

6144:N8fGtiZAjx7ZgCUODKULTMMkbKGofLPRU9BZIbHtZLLLK1hI8MjXOZ3y7z2Qnp3Q:yexVgCUU5/MMdKB0Z/G1hyW3ApRa

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

127.0.0.1:4782

4.tcp.us-cal-1.ngrok.io:12688

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
JuBNDSQCyglnSfq0cvJE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/308-0-0x0000000000010000-0x000000000009C000-memory.dmp	disable_win_def
behavioral1/files/0x000700000001ac01-10.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

fpsFIX.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	fpsFIX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	fpsFIX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	fpsFIX.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/308-0-0x0000000000010000-0x000000000009C000-memory.dmp	family_quasar
behavioral1/files/0x000700000001ac01-10.dat	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid	Process
5116	Client.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

fpsFIX.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	fpsFIX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	fpsFIX.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

Processes:

flow	ioc
13	4.tcp.us-cal-1.ngrok.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-api.com

Drops file in System32 directory 3 IoCs

Processes:

fpsFIX.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\SubDir\Client.exe	fpsFIX.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Client.exe	fpsFIX.exe
File created	C:\Windows\SysWOW64\SubDir\r77-x64.dll	fpsFIX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exefpsFIX.exe

pid	Process
3332	powershell.exe
3332	powershell.exe
3332	powershell.exe
308	fpsFIX.exe
308	fpsFIX.exe
308	fpsFIX.exe
308	fpsFIX.exe
308	fpsFIX.exe
308	fpsFIX.exe
308	fpsFIX.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

fpsFIX.exepowershell.exeClient.exe

description	pid	Process
Token: SeDebugPrivilege	308	fpsFIX.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	5116	Client.exe
Token: SeDebugPrivilege	5116	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid	Process
5116	Client.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

fpsFIX.execmd.exe

description	pid	Process	procid_target
PID 308 wrote to memory of 5116	308	fpsFIX.exe	75
PID 308 wrote to memory of 5116	308	fpsFIX.exe	75
PID 308 wrote to memory of 5116	308	fpsFIX.exe	75
PID 308 wrote to memory of 3332	308	fpsFIX.exe	76
PID 308 wrote to memory of 3332	308	fpsFIX.exe	76
PID 308 wrote to memory of 3332	308	fpsFIX.exe	76
PID 308 wrote to memory of 4900	308	fpsFIX.exe	78
PID 308 wrote to memory of 4900	308	fpsFIX.exe	78
PID 308 wrote to memory of 4900	308	fpsFIX.exe	78
PID 4900 wrote to memory of 2432	4900	cmd.exe	80
PID 4900 wrote to memory of 2432	4900	cmd.exe	80
PID 4900 wrote to memory of 2432	4900	cmd.exe	80
PID 308 wrote to memory of 2888	308	fpsFIX.exe	81
PID 308 wrote to memory of 2888	308	fpsFIX.exe	81
PID 308 wrote to memory of 2888	308	fpsFIX.exe	81

C:\Users\Admin\AppData\Local\Temp\fpsFIX.exe
"C:\Users\Admin\AppData\Local\Temp\fpsFIX.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:308
- C:\Windows\SysWOW64\SubDir\Client.exe
  "C:\Windows\SysWOW64\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5116
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    3⤵
    PID:2432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vY3Wj2jqdlG5.bat" "
  2⤵
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1uonchhs.jj2.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vY3Wj2jqdlG5.bat

Filesize
203B

MD5
d932327cae7312e343c3395bc75e3954

SHA1
290a502b3cba4b76858660ba63bdba5057afe47d

SHA256
984b93f8d1b5fbbeeea2d52b1184aedcbaba5b8e587bf1ff51b72cfa4b054b2c

SHA512
b9956815f9f4c3ecf3060a0e85f62b4f4ea5b9296082d64d66670d6488f1f30fce6b4b4630911924148fa5bec96c3511126307f39701aae4e14d421b6ba1b11c

Download Submit
C:\Windows\SysWOW64\SubDir\Client.exe

Filesize
534KB

MD5
68e20c59e6398f9fe522cc509d440698

SHA1
5259db943f684f654c66ca277b28c410877494ad

SHA256
6542a4adb925c38ae9fd6ddd0d5f838ac60b90e2db1e71ed71916fd6a988feb6

SHA512
c25860340c9fd2b60a61490837febbe87d7912487cf6fbed0d31bd943c561767302be89c0309bc6e19df391e25adff5c4f6186a1b7f7fd181732c95da9a1ad09

Download Submit
memory/308-0-0x0000000000010000-0x000000000009C000-memory.dmp

Filesize
560KB

Download
memory/308-2-0x0000000004E70000-0x000000000536E000-memory.dmp

Filesize
5.0MB

Download
memory/308-3-0x0000000004A60000-0x0000000004AF2000-memory.dmp

Filesize
584KB

Download
memory/308-4-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/308-5-0x0000000004970000-0x00000000049D6000-memory.dmp

Filesize
408KB

Download
memory/308-6-0x0000000004E40000-0x0000000004E52000-memory.dmp

Filesize
72KB

Download
memory/308-7-0x0000000005980000-0x00000000059BE000-memory.dmp

Filesize
248KB

Download
memory/308-274-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/308-1-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/3332-52-0x0000000009310000-0x00000000093B5000-memory.dmp

Filesize
660KB

Download
memory/3332-46-0x000000006FA60000-0x000000006FAAB000-memory.dmp

Filesize
300KB

Download
memory/3332-19-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/3332-20-0x0000000007180000-0x00000000077A8000-memory.dmp

Filesize
6.2MB

Download
memory/3332-21-0x0000000007050000-0x0000000007072000-memory.dmp

Filesize
136KB

Download
memory/3332-22-0x0000000007920000-0x0000000007986000-memory.dmp

Filesize
408KB

Download
memory/3332-23-0x0000000007990000-0x0000000007CE0000-memory.dmp

Filesize
3.3MB

Download
memory/3332-24-0x0000000007CE0000-0x0000000007CFC000-memory.dmp

Filesize
112KB

Download
memory/3332-25-0x00000000082C0000-0x000000000830B000-memory.dmp

Filesize
300KB

Download
memory/3332-268-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/3332-28-0x00000000080E0000-0x0000000008156000-memory.dmp

Filesize
472KB

Download
memory/3332-17-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/3332-45-0x00000000091E0000-0x0000000009213000-memory.dmp

Filesize
204KB

Download
memory/3332-18-0x00000000045D0000-0x0000000004606000-memory.dmp

Filesize
216KB

Download
memory/3332-47-0x00000000091A0000-0x00000000091BE000-memory.dmp

Filesize
120KB

Download
memory/3332-16-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/3332-53-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/3332-54-0x0000000009530000-0x00000000095C4000-memory.dmp

Filesize
592KB

Download
memory/3332-247-0x0000000009490000-0x00000000094AA000-memory.dmp

Filesize
104KB

Download
memory/3332-252-0x0000000009470000-0x0000000009478000-memory.dmp

Filesize
32KB

Download
memory/5116-27-0x0000000006330000-0x000000000633A000-memory.dmp

Filesize
40KB

Download
memory/5116-12-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/5116-13-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/5116-275-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/5116-276-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads