quasar | efd9a7be1fa561c725501a50eb692b8a59c0b7cce6332205782aa85475dce237

Analysis

max time kernel
1s
max time network
2s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
02-05-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Discord pronuke.exe
Size

534KB
MD5

482c6ea5b1672d4447c5f6b32f07615f
SHA1

60308524ff9ced8796f6f8287a793427e9a167a9
SHA256

38d5caeb7f6e8a77103481b4510dcfe5ece6e4b7f74ec543204a3b7ce1448aa2
SHA512

a7190024f7b17514f6ba8b48a0dbf9460f05e2c3f8889091c97850cc7c5615fd0bdb32800dc01aca989cc8bdcfbdc0a39150aac14ead6becdc31d9f32ef8a829
SSDEEP

12288:k+xLZf8sMEk/v+TV19BlG3lo0cnHyA7tgwGy:kG58sMtH57qHysf

Score

10^/10

quasar venomrat office04 rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

BOSSIX-41718.portmap.host:4000

BOSSIX-41718.portmap.host:41718

Mutex

VNM_MUTEX_VzF5UQyFwcYIcCbWFq

Attributes

encryption_key
3wMtwLAsuOIKsB6yumla
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2468-1-0x00000000000C0000-0x000000000014C000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2468-1-0x00000000000C0000-0x000000000014C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Discord pronuke.exe

description	pid	Process
Token: SeDebugPrivilege	2468	Discord pronuke.exe
Token: SeDebugPrivilege	2468	Discord pronuke.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Discord pronuke.exe

description	pid	Process	procid_target
PID 2468 wrote to memory of 2592	2468	Discord pronuke.exe	29
PID 2468 wrote to memory of 2592	2468	Discord pronuke.exe	29
PID 2468 wrote to memory of 2592	2468	Discord pronuke.exe	29
PID 2468 wrote to memory of 2592	2468	Discord pronuke.exe	29

C:\Users\Admin\AppData\Local\Temp\Discord pronuke.exe
"C:\Users\Admin\AppData\Local\Temp\Discord pronuke.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\bmzAqVvogmdd.bat" "
  2⤵
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bmzAqVvogmdd.bat

Filesize
212B

MD5
aa43f0e46493e4ef67d37ccb11f782ac

SHA1
7aac57578cdf1e2e7049c1cecbad1a9fbd8c7531

SHA256
0b869909a535430d5123f1e4464ca4f0e7e0a169f0b0ef49b8ef2c5252479594

SHA512
deed569d68c9e789bf90dc155dd7cd4d14b4dd55e73b22ae07b9b1be5a7dfd5386281fda398e19b9ba0a95a7c206af16b8023e45a0b33776aa83d19bd48c7aa1

Download Submit
memory/2468-0-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/2468-1-0x00000000000C0000-0x000000000014C000-memory.dmp

Filesize
560KB

Download
memory/2468-2-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download