quasar | 7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba

Reason

Machine shutdown

General

Target

2lz.exe
Size

5.9MB
MD5

12f9b68ed66fed9a1e3c1c2319c837c6
SHA1

e423cbd003c718b6fa268de83806dae6a9fe88c3
SHA256

7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba
SHA512

b649639d2363f135f694f8d5968a6b7adabd76ef793a3fb9313b1c142a0e749be33a5831c4d0cbc32ea170a2100f693755b378280f252dd50bd1ddf008b1ba53
SSDEEP

98304:pMI+LjNr86mjj/UYviu26bbyKS2myX0rPgIh:p8Vmj72wblTmyEgG

Score

10^/10

quasar venomrat windows security rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows security

C2

quasarrat220-24487.portmap.io:24487

Mutex

VNM_MUTEX_mOPqShedZxvAqgLrWL

Attributes

encryption_key
7mvA2TfKjvMIY0zZeMKF
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE	disable_win_def
behavioral2/memory/752-24-0x0000000000720000-0x00000000007AC000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE	family_quasar
behavioral2/memory/752-24-0x0000000000720000-0x00000000007AC000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2lz.exeWINDOWS SECURITY.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	2lz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	WINDOWS SECURITY.EXE

Executes dropped EXE 2 IoCs

Processes:

PAYPAL.EXEWINDOWS SECURITY.EXE

pid process

1256 PAYPAL.EXE
752 WINDOWS SECURITY.EXE
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2444 752 WerFault.exe WINDOWS SECURITY.EXE
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

440 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2140 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WINDOWS SECURITY.EXE

description pid process

Token: SeDebugPrivilege 752 WINDOWS SECURITY.EXE
Token: SeDebugPrivilege 752 WINDOWS SECURITY.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PAYPAL.EXEWINDOWS SECURITY.EXE

pid process

1256 PAYPAL.EXE
752 WINDOWS SECURITY.EXE

pid	process
1256	PAYPAL.EXE
752	WINDOWS SECURITY.EXE

flow	ioc
1	ip-api.com

pid	pid_target	process	target process
2444	752	WerFault.exe	WINDOWS SECURITY.EXE

pid	process
440	schtasks.exe

pid	process
2140	PING.EXE

description	pid	process
Token: SeDebugPrivilege	752	WINDOWS SECURITY.EXE
Token: SeDebugPrivilege	752	WINDOWS SECURITY.EXE

pid	process
1256	PAYPAL.EXE
752	WINDOWS SECURITY.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

2lz.exeWINDOWS SECURITY.EXEcmd.exe

description	pid	process	target process
PID 4788 wrote to memory of 1256	4788	2lz.exe	PAYPAL.EXE
PID 4788 wrote to memory of 1256	4788	2lz.exe	PAYPAL.EXE
PID 4788 wrote to memory of 1256	4788	2lz.exe	PAYPAL.EXE
PID 4788 wrote to memory of 752	4788	2lz.exe	WINDOWS SECURITY.EXE
PID 4788 wrote to memory of 752	4788	2lz.exe	WINDOWS SECURITY.EXE
PID 4788 wrote to memory of 752	4788	2lz.exe	WINDOWS SECURITY.EXE
PID 752 wrote to memory of 440	752	WINDOWS SECURITY.EXE	schtasks.exe
PID 752 wrote to memory of 440	752	WINDOWS SECURITY.EXE	schtasks.exe
PID 752 wrote to memory of 440	752	WINDOWS SECURITY.EXE	schtasks.exe
PID 752 wrote to memory of 4728	752	WINDOWS SECURITY.EXE	cmd.exe
PID 752 wrote to memory of 4728	752	WINDOWS SECURITY.EXE	cmd.exe
PID 752 wrote to memory of 4728	752	WINDOWS SECURITY.EXE	cmd.exe
PID 4728 wrote to memory of 3392	4728	cmd.exe	chcp.com
PID 4728 wrote to memory of 3392	4728	cmd.exe	chcp.com
PID 4728 wrote to memory of 3392	4728	cmd.exe	chcp.com
PID 4728 wrote to memory of 2140	4728	cmd.exe	PING.EXE
PID 4728 wrote to memory of 2140	4728	cmd.exe	PING.EXE
PID 4728 wrote to memory of 2140	4728	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\2lz.exe
"C:\Users\Admin\AppData\Local\Temp\2lz.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Users\Admin\AppData\Local\Temp\PAYPAL.EXE
  "C:\Users\Admin\AppData\Local\Temp\PAYPAL.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1256
- C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE
  "C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIrAszgooOKF.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:3392
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:2140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 2216
    3⤵
    - Program crash
    PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 752 -ip 752
1⤵
PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PAYPAL.EXE

Filesize
5.3MB

MD5
341b34b571af06277c2f3b4156bd86df

SHA1
ba120240400cc6dcf0e92e732d4f460f3763102b

SHA256
9a579053ee79c9ee45e29ac1887aba8cb87936c01026b5f3d830456547adc441

SHA512
2cbb482d2e087e18b7461c9a317aa249adf12821de17d6dd59f3c17e01394047df31e875a551d23d32a64a46f8db46003c2feced7e967dd159bc65d3bff76e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE

Filesize
534KB

MD5
9e14775490cee79c73cb45c2f24f7a73

SHA1
ddd6c7485a5e64a66a0a7598777abdafa7a63950

SHA256
d53df5b6b080ba24773ca16c7a8b70eeb783ead278712e0c5b44abc84805e60e

SHA512
1c0aec61a64400bcf18f6f0e5a950c68b7a25492b07290e3793a759f616c1b361ed6472d260d0f379b691567216a1f9e53af53b2dc89711df618a4463c8d0317

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIrAszgooOKF.bat

Filesize
213B

MD5
622195b0d39ba14627e894525a3a3285

SHA1
f10d39eacf6fb130f0b096f9fa1fab3830779abf

SHA256
a283f47cf0f21adfa3c9cbf805572e2be4423ca3e1d5a23eb11ce1f6d1e9b537

SHA512
f3e49f28515c13c59a5eabb69589105cd60105c0da57404e96260d7877cec10587f01bc7709fc4c60828fefba4d49da0b10dd9be66b74ff7d3c2e26a7018aaf0

Download Submit
memory/752-31-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/752-22-0x00000000741CE000-0x00000000741CF000-memory.dmp

Filesize
4KB

Download
memory/752-36-0x0000000006740000-0x000000000674A000-memory.dmp

Filesize
40KB

Download
memory/752-34-0x00000000063D0000-0x000000000640C000-memory.dmp

Filesize
240KB

Download
memory/752-29-0x0000000005720000-0x0000000005CC4000-memory.dmp

Filesize
5.6MB

Download
memory/752-33-0x00000000056D0000-0x00000000056E2000-memory.dmp

Filesize
72KB

Download
memory/752-32-0x00000000052B0000-0x0000000005316000-memory.dmp

Filesize
408KB

Download
memory/752-24-0x0000000000720000-0x00000000007AC000-memory.dmp

Filesize
560KB

Download
memory/752-30-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/1256-23-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/1256-25-0x0000000002CF0000-0x0000000002D43000-memory.dmp

Filesize
332KB

Download
memory/1256-26-0x0000000002D90000-0x0000000002DBD000-memory.dmp

Filesize
180KB

Download
memory/1256-27-0x0000000002DC0000-0x0000000002E2A000-memory.dmp

Filesize
424KB

Download
memory/1256-28-0x0000000002D60000-0x0000000002D82000-memory.dmp

Filesize
136KB

Download
memory/1256-20-0x0000000000400000-0x0000000000B2B000-memory.dmp

Filesize
7.2MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads