quasar | 391b3ed40a1c62a6f159f72e5cce5b6bf1b02dbc26de45ad89f8c8d61e10afb7

Analysis

max time kernel
131s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DarkAio v1/DarkAio v1.exe
Size

2.0MB
MD5

0d9c552b2c8836cb71857faf06c0a539
SHA1

4289e2f119a995725be6e1721ebc456a9d00bde8
SHA256

20137d947f979827c4b073dfa8c339d4decf42ca838f4e21204a363bff2337b6
SHA512

2f96567c3890407d86ea657865269bd8d97e3db29f22b57484cef5c28c03f36683ada2624a5b1f287cbd604bf9bd04390fb276b84d879fadc6142966b1a9d79e
SSDEEP

49152:lmPH/GDTgt/axtPhJZdBUd61shsTGfxl0ML:QPH4TYybZnQ5lf

Score

10^/10

quasar redline sectoprat aio venom client discovery infostealer rat spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.7.0.0

Botnet

Venom Client

40.71.25.32:4782

Mutex

JlYM51eW4iZoFyLa2X

Attributes

encryption_key
P9MDWURJLkPDORtyF7Jj
install_name
Payload.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup

Extracted

Family

redline

Botnet

AIO

40.71.25.32:1337

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral3/files/0x000c00000001225b-5.dat	family_quasar
behavioral3/memory/2972-12-0x0000000000120000-0x0000000000230000-memory.dmp	family_quasar
behavioral3/memory/2588-36-0x00000000009F0000-0x0000000000B00000-memory.dmp	family_quasar
behavioral3/memory/2920-63-0x0000000000A10000-0x0000000000B20000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x0005000000019234-13.dat	family_redline
behavioral3/memory/2504-25-0x00000000001C0000-0x00000000001DE000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral3/files/0x0005000000019234-13.dat	family_sectoprat
behavioral3/memory/2504-25-0x00000000001C0000-0x00000000001DE000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Executes dropped EXE 6 IoCs

pid	Process
2972	Venom.exe
2504	build.exe
2320	DarkAio v1.exe
2588	Payload.exe
1648	DarkAio.exe
2920	Venom.exe

Loads dropped DLL 10 IoCs

pid	Process
1928	DarkAio v1.exe
1928	DarkAio v1.exe
1928	DarkAio v1.exe
2972	Venom.exe
2320	DarkAio v1.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
6	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1064	1648	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Venom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkAio v1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Venom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkAio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkAio v1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2032	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2032	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2320	DarkAio v1.exe
2320	DarkAio v1.exe
2320	DarkAio v1.exe
2320	DarkAio v1.exe
2320	DarkAio v1.exe
2320	DarkAio v1.exe
2320	DarkAio v1.exe
2320	DarkAio v1.exe
2320	DarkAio v1.exe
2320	DarkAio v1.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	build.exe
Token: SeDebugPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeSecurityPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeSecurityPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeSecurityPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeSecurityPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeSecurityPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeSecurityPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeSecurityPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeSecurityPrivilege	2972	Venom.exe
Token: SeSecurityPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeSecurityPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeSecurityPrivilege	2972	Venom.exe
Token: SeBackupPrivilege	2972	Venom.exe
Token: SeDebugPrivilege	2588	Payload.exe
Token: SeDebugPrivilege	2320	DarkAio v1.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2972	1928	DarkAio v1.exe	31
PID 1928 wrote to memory of 2972	1928	DarkAio v1.exe	31
PID 1928 wrote to memory of 2972	1928	DarkAio v1.exe	31
PID 1928 wrote to memory of 2972	1928	DarkAio v1.exe	31
PID 1928 wrote to memory of 2504	1928	DarkAio v1.exe	32
PID 1928 wrote to memory of 2504	1928	DarkAio v1.exe	32
PID 1928 wrote to memory of 2504	1928	DarkAio v1.exe	32
PID 1928 wrote to memory of 2504	1928	DarkAio v1.exe	32
PID 1928 wrote to memory of 2320	1928	DarkAio v1.exe	34
PID 1928 wrote to memory of 2320	1928	DarkAio v1.exe	34
PID 1928 wrote to memory of 2320	1928	DarkAio v1.exe	34
PID 1928 wrote to memory of 2320	1928	DarkAio v1.exe	34
PID 2972 wrote to memory of 2588	2972	Venom.exe	36
PID 2972 wrote to memory of 2588	2972	Venom.exe	36
PID 2972 wrote to memory of 2588	2972	Venom.exe	36
PID 2972 wrote to memory of 2588	2972	Venom.exe	36
PID 2320 wrote to memory of 1648	2320	DarkAio v1.exe	37
PID 2320 wrote to memory of 1648	2320	DarkAio v1.exe	37
PID 2320 wrote to memory of 1648	2320	DarkAio v1.exe	37
PID 2320 wrote to memory of 1648	2320	DarkAio v1.exe	37
PID 1648 wrote to memory of 1064	1648	DarkAio.exe	39
PID 1648 wrote to memory of 1064	1648	DarkAio.exe	39
PID 1648 wrote to memory of 1064	1648	DarkAio.exe	39
PID 1648 wrote to memory of 1064	1648	DarkAio.exe	39
PID 2972 wrote to memory of 1044	2972	Venom.exe	40
PID 2972 wrote to memory of 1044	2972	Venom.exe	40
PID 2972 wrote to memory of 1044	2972	Venom.exe	40
PID 2972 wrote to memory of 1044	2972	Venom.exe	40
PID 1044 wrote to memory of 1976	1044	cmd.exe	42
PID 1044 wrote to memory of 1976	1044	cmd.exe	42
PID 1044 wrote to memory of 1976	1044	cmd.exe	42
PID 1044 wrote to memory of 1976	1044	cmd.exe	42
PID 1044 wrote to memory of 2032	1044	cmd.exe	43
PID 1044 wrote to memory of 2032	1044	cmd.exe	43
PID 1044 wrote to memory of 2032	1044	cmd.exe	43
PID 1044 wrote to memory of 2032	1044	cmd.exe	43
PID 1044 wrote to memory of 2920	1044	cmd.exe	44
PID 1044 wrote to memory of 2920	1044	cmd.exe	44
PID 1044 wrote to memory of 2920	1044	cmd.exe	44
PID 1044 wrote to memory of 2920	1044	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\DarkAio v1\DarkAio v1.exe
"C:\Users\Admin\AppData\Local\Temp\DarkAio v1\DarkAio v1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Roaming\Venom.exe
  "C:\Users\Admin\AppData\Roaming\Venom.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Roaming\Payload.exe
    "C:\Users\Admin\AppData\Roaming\Payload.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\MCLUdfglgETy.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:1976
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2032
  - - C:\Users\Admin\AppData\Roaming\Venom.exe
      "C:\Users\Admin\AppData\Roaming\Venom.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2920
- C:\Users\Admin\AppData\Roaming\build.exe
  "C:\Users\Admin\AppData\Roaming\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Users\Admin\AppData\Roaming\DarkAio v1.exe
  "C:\Users\Admin\AppData\Roaming\DarkAio v1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Roaming\DarkAio.exe
    "C:\Users\Admin\AppData\Roaming\DarkAio.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 548
      4⤵
      Loads dropped DLL
      Program crash
      PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MCLUdfglgETy.bat

Filesize
199B

MD5
1fb85a4d9430e728b5a677d4450d760f

SHA1
7b755f88468614cc1898f0d4da12a399f45e48f3

SHA256
3d8a88249f6edddbc2d746e7b487cec16f8495d41e28ea256a10346090413ca5

SHA512
b9121cb8b44fb3b04a83b9c865543f1c895118120cc923d0764ec446c5b2879f4c89023b9de1331e1f120ea67bfad94695932331133fdc4b28dcb0ba8ab65c7f

Download Submit
\Users\Admin\AppData\Roaming\DarkAio v1.exe

Filesize
718KB

MD5
ab69f830a864aa0b2a5efa7b92d87b11

SHA1
46fc9419089e06b82d47e1afebb264b4e8d776a1

SHA256
82339ab250c45199b5e5050a3179c91a44c8369d8739b92e5c498047c81631c8

SHA512
d994fe2f8ad4999652bcfce7d694c43c1f55bb96baac8fc7ffdcac8f2bf2d75e5a2e23f4b3281de82ee634268f4e98f9347ad49b2725ef154e2b483c2fa0abb3

Download Submit
\Users\Admin\AppData\Roaming\DarkAio.exe

Filesize
1003KB

MD5
0e6ee37222bfc0a6ec9f5b4ec4c7c053

SHA1
6fed8b55ec8c1daca94141fbc3591f6728fe9530

SHA256
24cc63d8b135457ec2b51dc7103c938887ce4dae6faddd344ffb7477ed6ad672

SHA512
7fc0cfd1baaefd9aa4f288c745709f314dfb0dc39f06bc4bfcbc18b2d593b5893e93da30bb19a273fb5a838821f5429332392bd19431ea0a57f0f94320529f04

Download Submit
\Users\Admin\AppData\Roaming\Venom.exe

Filesize
1.0MB

MD5
860a7a517356a57d979ceac2a6d732f0

SHA1
e6559ce68a1faa19a5a74d3c496b245700ef2077

SHA256
cf6771d32409e4ad380ee084ece68be09a648ea20642489473593674fafc3249

SHA512
8b7bc3eed22fc36279d36c6cae708aadd30a090614f311fc3ed2c47db5e3671eb1a8ca343e32ed8025f900477f2a6334f8c52639d36b07fcdcbcadc69a95a08c

Download Submit
\Users\Admin\AppData\Roaming\build.exe

Filesize
95KB

MD5
4d46c4c206d1bf83b2cb8d6ff308bc2b

SHA1
80edeb15499f072c8538acbbae5d62ff3a6cc0c0

SHA256
0bf9f0c46953c27761484e8bd991b7f7f21728aa4e45703f0d44e2f68eb85a5a

SHA512
a59aa698246383e6091ef41e27c36ea2cd1f2d2264ddccd85f537bbf8207106d2d3475615a48fd5b76ca416cc8f862a49c40ffc702b60849e28c7be7cefaa859

Download Submit
memory/1648-46-0x0000000000EE0000-0x0000000000FE0000-memory.dmp

Filesize
1024KB

Download
memory/1928-2-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/1928-1-0x0000000000070000-0x0000000000274000-memory.dmp

Filesize
2.0MB

Download
memory/1928-0-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download
memory/2320-37-0x00000000008B0000-0x0000000000918000-memory.dmp

Filesize
416KB

Download
memory/2320-26-0x0000000000BB0000-0x0000000000C68000-memory.dmp

Filesize
736KB

Download
memory/2320-27-0x0000000004670000-0x0000000004724000-memory.dmp

Filesize
720KB

Download
memory/2504-25-0x00000000001C0000-0x00000000001DE000-memory.dmp

Filesize
120KB

Download
memory/2588-36-0x00000000009F0000-0x0000000000B00000-memory.dmp

Filesize
1.1MB

Download
memory/2920-63-0x0000000000A10000-0x0000000000B20000-memory.dmp

Filesize
1.1MB

Download
memory/2972-29-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2972-28-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2972-12-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/2972-61-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download