quasar | 7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba

General

Target

7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba.exe
Size

5.9MB
MD5

12f9b68ed66fed9a1e3c1c2319c837c6
SHA1

e423cbd003c718b6fa268de83806dae6a9fe88c3
SHA256

7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba
SHA512

b649639d2363f135f694f8d5968a6b7adabd76ef793a3fb9313b1c142a0e749be33a5831c4d0cbc32ea170a2100f693755b378280f252dd50bd1ddf008b1ba53
SSDEEP

98304:pMI+LjNr86mjj/UYviu26bbyKS2myX0rPgIh:p8Vmj72wblTmyEgG

Score

10^/10

quasar venomrat windows security rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows security

C2

quasarrat220-24487.portmap.io:24487

Mutex

VNM_MUTEX_mOPqShedZxvAqgLrWL

Attributes

encryption_key
7mvA2TfKjvMIY0zZeMKF
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE	disable_win_def
behavioral1/memory/3044-16-0x0000000000A00000-0x0000000000A8C000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE	family_quasar
behavioral1/memory/3044-16-0x0000000000A00000-0x0000000000A8C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Detects Windows executables referencing non-Windows User-Agents 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3044-16-0x0000000000A00000-0x0000000000A8C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/3044-16-0x0000000000A00000-0x0000000000A8C000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing artifacts associated with disabling Widnows Defender 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/3044-16-0x0000000000A00000-0x0000000000A8C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/3044-16-0x0000000000A00000-0x0000000000A8C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Executes dropped EXE 3 IoCs

Processes:

PAYPAL.EXEWINDOWS SECURITY.EXEWINDOWS SECURITY.EXE

pid process

2384 PAYPAL.EXE
3044 WINDOWS SECURITY.EXE
1652 WINDOWS SECURITY.EXE

pid	process
2384	PAYPAL.EXE
3044	WINDOWS SECURITY.EXE
1652	WINDOWS SECURITY.EXE

Loads dropped DLL 8 IoCs

Processes:

7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba.exeWerFault.execmd.exe

pid	process
2188	7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba.exe
2188	7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2780	cmd.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2536 3044 WerFault.exe WINDOWS SECURITY.EXE
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2620 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2628 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

WINDOWS SECURITY.EXE

pid process

1652 WINDOWS SECURITY.EXE

flow	ioc
2	ip-api.com

pid	pid_target	process	target process
2536	3044	WerFault.exe	WINDOWS SECURITY.EXE

pid	process
2620	schtasks.exe

pid	process
2628	PING.EXE

pid	process
1652	WINDOWS SECURITY.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WINDOWS SECURITY.EXEWINDOWS SECURITY.EXE

description	pid	process
Token: SeDebugPrivilege	3044	WINDOWS SECURITY.EXE
Token: SeDebugPrivilege	3044	WINDOWS SECURITY.EXE
Token: SeDebugPrivilege	1652	WINDOWS SECURITY.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PAYPAL.EXEWINDOWS SECURITY.EXE

pid process

2384 PAYPAL.EXE
3044 WINDOWS SECURITY.EXE

pid	process
2384	PAYPAL.EXE
3044	WINDOWS SECURITY.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba.exeWINDOWS SECURITY.EXEcmd.exe

description	pid	process	target process
PID 2188 wrote to memory of 2384	2188	7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba.exe	PAYPAL.EXE
PID 2188 wrote to memory of 2384	2188	7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba.exe	PAYPAL.EXE
PID 2188 wrote to memory of 2384	2188	7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba.exe	PAYPAL.EXE
PID 2188 wrote to memory of 2384	2188	7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba.exe	PAYPAL.EXE
PID 2188 wrote to memory of 3044	2188	7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba.exe	WINDOWS SECURITY.EXE
PID 2188 wrote to memory of 3044	2188	7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba.exe	WINDOWS SECURITY.EXE
PID 2188 wrote to memory of 3044	2188	7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba.exe	WINDOWS SECURITY.EXE
PID 2188 wrote to memory of 3044	2188	7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba.exe	WINDOWS SECURITY.EXE
PID 3044 wrote to memory of 2620	3044	WINDOWS SECURITY.EXE	schtasks.exe
PID 3044 wrote to memory of 2620	3044	WINDOWS SECURITY.EXE	schtasks.exe
PID 3044 wrote to memory of 2620	3044	WINDOWS SECURITY.EXE	schtasks.exe
PID 3044 wrote to memory of 2620	3044	WINDOWS SECURITY.EXE	schtasks.exe
PID 3044 wrote to memory of 2780	3044	WINDOWS SECURITY.EXE	cmd.exe
PID 3044 wrote to memory of 2780	3044	WINDOWS SECURITY.EXE	cmd.exe
PID 3044 wrote to memory of 2780	3044	WINDOWS SECURITY.EXE	cmd.exe
PID 3044 wrote to memory of 2780	3044	WINDOWS SECURITY.EXE	cmd.exe
PID 3044 wrote to memory of 2536	3044	WINDOWS SECURITY.EXE	WerFault.exe
PID 3044 wrote to memory of 2536	3044	WINDOWS SECURITY.EXE	WerFault.exe
PID 3044 wrote to memory of 2536	3044	WINDOWS SECURITY.EXE	WerFault.exe
PID 3044 wrote to memory of 2536	3044	WINDOWS SECURITY.EXE	WerFault.exe
PID 2780 wrote to memory of 2652	2780	cmd.exe	chcp.com
PID 2780 wrote to memory of 2652	2780	cmd.exe	chcp.com
PID 2780 wrote to memory of 2652	2780	cmd.exe	chcp.com
PID 2780 wrote to memory of 2652	2780	cmd.exe	chcp.com
PID 2780 wrote to memory of 2628	2780	cmd.exe	PING.EXE
PID 2780 wrote to memory of 2628	2780	cmd.exe	PING.EXE
PID 2780 wrote to memory of 2628	2780	cmd.exe	PING.EXE
PID 2780 wrote to memory of 2628	2780	cmd.exe	PING.EXE
PID 2780 wrote to memory of 1652	2780	cmd.exe	WINDOWS SECURITY.EXE
PID 2780 wrote to memory of 1652	2780	cmd.exe	WINDOWS SECURITY.EXE
PID 2780 wrote to memory of 1652	2780	cmd.exe	WINDOWS SECURITY.EXE
PID 2780 wrote to memory of 1652	2780	cmd.exe	WINDOWS SECURITY.EXE

C:\Users\Admin\AppData\Local\Temp\7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba.exe
"C:\Users\Admin\AppData\Local\Temp\7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\PAYPAL.EXE
  "C:\Users\Admin\AppData\Local\Temp\PAYPAL.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2384
- C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE
  "C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\NebKa4i1gnVv.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE
      "C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1440
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NebKa4i1gnVv.bat

Filesize
213B

MD5
3f18539ba6a1c2752c516b0ec37a5f3e

SHA1
a00637d91979a3afc0d1383eaf5e75ed404da35a

SHA256
8451600b500124d210f1a9f01f925539e9c01081ef7bb662cc3f03833eaa2c87

SHA512
3f30651a10f59362a60aabd7136e020eab7d9a67867a312a80ef1a6aa63bcd2604425b3a2897eb29fb9eff92feb547343bea427f524604f17319ca6b5a3522e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE

Filesize
534KB

MD5
9e14775490cee79c73cb45c2f24f7a73

SHA1
ddd6c7485a5e64a66a0a7598777abdafa7a63950

SHA256
d53df5b6b080ba24773ca16c7a8b70eeb783ead278712e0c5b44abc84805e60e

SHA512
1c0aec61a64400bcf18f6f0e5a950c68b7a25492b07290e3793a759f616c1b361ed6472d260d0f379b691567216a1f9e53af53b2dc89711df618a4463c8d0317

Download Submit
\Users\Admin\AppData\Local\Temp\PAYPAL.EXE

Filesize
5.3MB

MD5
341b34b571af06277c2f3b4156bd86df

SHA1
ba120240400cc6dcf0e92e732d4f460f3763102b

SHA256
9a579053ee79c9ee45e29ac1887aba8cb87936c01026b5f3d830456547adc441

SHA512
2cbb482d2e087e18b7461c9a317aa249adf12821de17d6dd59f3c17e01394047df31e875a551d23d32a64a46f8db46003c2feced7e967dd159bc65d3bff76e66

Download Submit
memory/2188-8-0x0000000003150000-0x000000000387B000-memory.dmp

Filesize
7.2MB

Download
memory/2384-9-0x0000000000400000-0x0000000000B2B000-memory.dmp

Filesize
7.2MB

Download
memory/2384-15-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2384-34-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3044-16-0x0000000000A00000-0x0000000000A8C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads