quasar | d53df5b6b080ba24773ca16c7a8b70eeb783ead278712e0c5b44abc84805e60e

Reason

Machine shutdown

General

Target

WINDOWS SECURITY.EXE.exe
Size

534KB
MD5

9e14775490cee79c73cb45c2f24f7a73
SHA1

ddd6c7485a5e64a66a0a7598777abdafa7a63950
SHA256

d53df5b6b080ba24773ca16c7a8b70eeb783ead278712e0c5b44abc84805e60e
SHA512

1c0aec61a64400bcf18f6f0e5a950c68b7a25492b07290e3793a759f616c1b361ed6472d260d0f379b691567216a1f9e53af53b2dc89711df618a4463c8d0317
SSDEEP

12288:ijxIhDXIsMzz2ze1gejMd3mD88i2i3PdjfAag06:i9+IsM55O3glgPO

Score

10^/10

quasar venomrat windows security rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows security

C2

quasarrat220-24487.portmap.io:24487

Mutex

VNM_MUTEX_mOPqShedZxvAqgLrWL

Attributes

encryption_key
7mvA2TfKjvMIY0zZeMKF
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/2452-1-0x0000000000B20000-0x0000000000BAC000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2452-1-0x0000000000B20000-0x0000000000BAC000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ip-api.com
10	api.ipify.org

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
3400	2452	WerFault.exe	90

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
4760	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2004	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WINDOWS SECURITY.EXE.exe

description	pid	Process
Token: SeDebugPrivilege	2452	WINDOWS SECURITY.EXE.exe
Token: SeDebugPrivilege	2452	WINDOWS SECURITY.EXE.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WINDOWS SECURITY.EXE.exe

pid	Process
2452	WINDOWS SECURITY.EXE.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WINDOWS SECURITY.EXE.exe

description	pid	Process	procid_target
PID 2452 wrote to memory of 4760	2452	WINDOWS SECURITY.EXE.exe	95
PID 2452 wrote to memory of 4760	2452	WINDOWS SECURITY.EXE.exe	95
PID 2452 wrote to memory of 4760	2452	WINDOWS SECURITY.EXE.exe	95

C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE.exe
"C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:4760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0BMIFXNsvmKt.bat" "
  2⤵
  PID:2664
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:956
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:2004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1944
  2⤵
  - Program crash
  PID:3400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4232,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2452 -ip 2452
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0BMIFXNsvmKt.bat

Filesize
217B

MD5
a773e28ed31b5e6aecc2b1241bfaa222

SHA1
2ffb35b2ee4b31209153b3c8e65527a6b671219d

SHA256
2964123688bd1df58baad106b533acba7ea05692828bf7bb7bbf329b5d5c1bf8

SHA512
41850aaac1c8fffb171a58c8a8fbb3a898b1398d4af56a8233bb3c7a9a918b1e49760d464223e53e9394e372e9fe9d4baacb878a2202ea115e7b28b2cbd4a264

Download Submit
memory/2452-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp

Filesize
4KB

Download
memory/2452-1-0x0000000000B20000-0x0000000000BAC000-memory.dmp

Filesize
560KB

Download
memory/2452-2-0x0000000005AD0000-0x0000000006074000-memory.dmp

Filesize
5.6MB

Download
memory/2452-3-0x0000000005520000-0x00000000055B2000-memory.dmp

Filesize
584KB

Download
memory/2452-4-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/2452-5-0x0000000005470000-0x00000000054D6000-memory.dmp

Filesize
408KB

Download
memory/2452-6-0x00000000054E0000-0x00000000054F2000-memory.dmp

Filesize
72KB

Download
memory/2452-7-0x0000000074A9E000-0x0000000074A9F000-memory.dmp

Filesize
4KB

Download
memory/2452-8-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/2452-10-0x0000000006C30000-0x0000000006C3A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads