Analysis
-
max time kernel
2s -
max time network
8s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
14-06-2024 02:02
Errors
General
-
Target
d53df5b6b080ba24773ca16c7a8b70eeb783ead278712e0c5b44abc84805e60e.exe
-
Size
534KB
-
MD5
9e14775490cee79c73cb45c2f24f7a73
-
SHA1
ddd6c7485a5e64a66a0a7598777abdafa7a63950
-
SHA256
d53df5b6b080ba24773ca16c7a8b70eeb783ead278712e0c5b44abc84805e60e
-
SHA512
1c0aec61a64400bcf18f6f0e5a950c68b7a25492b07290e3793a759f616c1b361ed6472d260d0f379b691567216a1f9e53af53b2dc89711df618a4463c8d0317
-
SSDEEP
12288:ijxIhDXIsMzz2ze1gejMd3mD88i2i3PdjfAag06:i9+IsM55O3glgPO
Malware Config
Extracted
quasar
2.1.0.0
windows security
quasarrat220-24487.portmap.io:24487
VNM_MUTEX_mOPqShedZxvAqgLrWL
-
encryption_key
7mvA2TfKjvMIY0zZeMKF
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Venom Client Startup
-
subdirectory
SubDir
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Detects Windows executables referencing non-Windows User-Agents 1 IoCs
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
-
Detects executables containing artifacts associated with disabling Widnows Defender 1 IoCs
-
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d53df5b6b080ba24773ca16c7a8b70eeb783ead278712e0c5b44abc84805e60e.exe"C:\Users\Admin\AppData\Local\Temp\d53df5b6b080ba24773ca16c7a8b70eeb783ead278712e0c5b44abc84805e60e.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\d53df5b6b080ba24773ca16c7a8b70eeb783ead278712e0c5b44abc84805e60e.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWe02TGtX6sm.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost3⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 21362⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4760 -ip 47601⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
261B
MD5bd87eab8960314fc7f8f0a776a116980
SHA1820393d44c6841975d2b1242220174639eb9a4e6
SHA256f0bede6fae6327d4a7d74519c6f10d2e41ca895bf624e8636fcdbaae32bd8390
SHA512295b6895e5179072bb5974866b5db2c00cc425498e27f8ca4bf0aca4a93059ebd1628e230c71bf683de0aa78d1702689d72f810d4944528193bd4c227c096efd
-
Filesize
4KB
-
Filesize
560KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
40KB