quasar | f1f367c2bd3c1bc93a4c4a3081a3aa1072eb7a50d13927e3b5bc03c310248d3a

General

Target

dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe
Size

709KB
MD5

dbdca8a3ffa33284e03a1a7bd57e12ad
SHA1

facc92651a792c4c8abe606ca47424b4f042224b
SHA256

f1f367c2bd3c1bc93a4c4a3081a3aa1072eb7a50d13927e3b5bc03c310248d3a
SHA512

727cd27bfb0ffc7a9f76fd02417de92a34ef4a1ed341953b1f5c6f78f851c83d5de390d3168df89367196a3de25eb370be1c3867affc94ae6520dff22d36bd94
SSDEEP

12288:UJr8tk+8yQiFDmBhfyW8vXAo+bcRkkOHia0crMIsTX:Wx+5QhfP5x7Nm

Score

10^/10

quasar venomrat svhost discovery rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_ND6PULLW5ZVLwo1nwR

Attributes

encryption_key
yaa63tXY4j55os5llHHd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\$77-Venom.exe	disable_win_def
behavioral1/memory/1880-16-0x0000000000330000-0x00000000003BC000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\$77-Venom.exe	family_quasar
behavioral1/memory/1880-16-0x0000000000330000-0x00000000003BC000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Executes dropped EXE 1 IoCs

Processes:

$77-Venom.exe

pid process

1880 $77-Venom.exe
Loads dropped DLL 1 IoCs

Processes:

dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe

pid process

1420 dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1880	$77-Venom.exe

pid	process
1420	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe

flow	ioc
2	ip-api.com

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe$77-Venom.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77-Venom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2332 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

$77-Venom.exe

description pid process

Token: SeDebugPrivilege 1880 $77-Venom.exe
Token: SeDebugPrivilege 1880 $77-Venom.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2332 WINWORD.EXE
2332 WINWORD.EXE

pid	process
2332	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1880	$77-Venom.exe
Token: SeDebugPrivilege	1880	$77-Venom.exe

pid	process
2332	WINWORD.EXE
2332	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exeWINWORD.EXE

description	pid	process	target process
PID 1420 wrote to memory of 1880	1420	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe	$77-Venom.exe
PID 1420 wrote to memory of 1880	1420	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe	$77-Venom.exe
PID 1420 wrote to memory of 1880	1420	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe	$77-Venom.exe
PID 1420 wrote to memory of 1880	1420	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe	$77-Venom.exe
PID 1420 wrote to memory of 2332	1420	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe	WINWORD.EXE
PID 1420 wrote to memory of 2332	1420	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe	WINWORD.EXE
PID 1420 wrote to memory of 2332	1420	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe	WINWORD.EXE
PID 1420 wrote to memory of 2332	1420	dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe	WINWORD.EXE
PID 2332 wrote to memory of 272	2332	WINWORD.EXE	splwow64.exe
PID 2332 wrote to memory of 272	2332	WINWORD.EXE	splwow64.exe
PID 2332 wrote to memory of 272	2332	WINWORD.EXE	splwow64.exe
PID 2332 wrote to memory of 272	2332	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Roaming\$77-Venom.exe
  "C:\Users\Admin\AppData\Roaming\$77-Venom.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\null (2).docx"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\$77-Venom.exe

Filesize
534KB

MD5
84c1dc6b428904cc2a6746653849df0f

SHA1
5cce4078427481f4d7456b5a4f3930ae6e706fb4

SHA256
bc24e3c5408fea0b6f9aa0deb56a4636a8d0b9a6054ff1033efa6ccfe04ba44a

SHA512
3b7a7607c3409b5ded563f2e1fcc0fa489c4465ab764d14a647b474968a025a95fa8ceb549fc70482b7b1dd935f66a41ada7b4910059786aafc870c5847a9245

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
fccdd353d4a5d4e02b81bd4bd2cc0878

SHA1
ccd9b73cc99a611fcb0718a1c1cf40caad7e8a03

SHA256
1923df02488296c2ef19aa861f6b5da7b7b0464a5ca32eb6f010d34c3c90df4a

SHA512
b2aacfd7e6a5962ebe29e6b83b66c92af974a168e0b2eb2f3acd267bd2508926860b12ad37c9a8cdac1900247c318f82f4b47d57e930f8b2d65eed554c2c8237

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\null (2).docx

Filesize
2KB

MD5
b73ace90e3fbada0e8baa0d47b2cbd6f

SHA1
2147bfa5d92cb0c3fd296e7c90befa08564240a6

SHA256
94f271283b679ee024724d1aee0f4ead90ce56fb67813b5e0cbc082091fbe364

SHA512
d1a9d73fca25a73782bd0170937225afdb402a354a7fb6ea308114e276aed7f77ef211c458dd03292d2e90cd1d61976340396540ac410d452bda363f6d2ee157

Download Submit
memory/1420-1-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/1420-2-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/1420-0-0x00000000742D1000-0x00000000742D2000-memory.dmp

Filesize
4KB

Download
memory/1420-13-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-36-0x0000000071F9E000-0x0000000071F9F000-memory.dmp

Filesize
4KB

Download
memory/1880-16-0x0000000000330000-0x00000000003BC000-memory.dmp

Filesize
560KB

Download
memory/1880-11-0x0000000071F9E000-0x0000000071F9F000-memory.dmp

Filesize
4KB

Download
memory/2332-15-0x000000006DF9D000-0x000000006DFA8000-memory.dmp

Filesize
44KB

Download
memory/2332-14-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2332-12-0x000000002F2F1000-0x000000002F2F2000-memory.dmp

Filesize
4KB

Download
memory/2332-37-0x000000006DF9D000-0x000000006DFA8000-memory.dmp

Filesize
44KB

Download
memory/2332-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads