quasar | 391b3ed40a1c62a6f159f72e5cce5b6bf1b02dbc26de45ad89f8c8d61e10afb7

Analysis

max time kernel
138s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DarkAio v1/DarkAio v1.exe
Size

2.0MB
MD5

0d9c552b2c8836cb71857faf06c0a539
SHA1

4289e2f119a995725be6e1721ebc456a9d00bde8
SHA256

20137d947f979827c4b073dfa8c339d4decf42ca838f4e21204a363bff2337b6
SHA512

2f96567c3890407d86ea657865269bd8d97e3db29f22b57484cef5c28c03f36683ada2624a5b1f287cbd604bf9bd04390fb276b84d879fadc6142966b1a9d79e
SSDEEP

49152:lmPH/GDTgt/axtPhJZdBUd61shsTGfxl0ML:QPH4TYybZnQ5lf

Score

10^/10

quasar redline sectoprat aio venom client discovery infostealer rat spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.7.0.0

Botnet

Venom Client

40.71.25.32:4782

Mutex

JlYM51eW4iZoFyLa2X

Attributes

encryption_key
P9MDWURJLkPDORtyF7Jj
install_name
Payload.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup

Extracted

Family

redline

Botnet

AIO

40.71.25.32:1337

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000b000000023b4a-7.dat	family_quasar
behavioral4/memory/896-22-0x0000000000B70000-0x0000000000C80000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000a000000023b58-18.dat	family_redline
behavioral4/memory/3836-45-0x0000000000FC0000-0x0000000000FDE000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000a000000023b58-18.dat	family_sectoprat
behavioral4/memory/3836-45-0x0000000000FC0000-0x0000000000FDE000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DarkAio v1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DarkAio v1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Venom.exe

Executes dropped EXE 6 IoCs

pid	Process
896	Venom.exe
3836	build.exe
1412	DarkAio v1.exe
4364	DarkAio.exe
2296	Payload.exe
2220	Venom.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	pastebin.com
22	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
776	4364	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Venom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkAio v1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkAio v1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkAio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Venom.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
244	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	DarkAio v1.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
244	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1412	DarkAio v1.exe
1412	DarkAio v1.exe
1412	DarkAio v1.exe
1412	DarkAio v1.exe
1412	DarkAio v1.exe
1412	DarkAio v1.exe
1412	DarkAio v1.exe
1412	DarkAio v1.exe
1412	DarkAio v1.exe
1412	DarkAio v1.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	3836	build.exe
Token: SeDebugPrivilege	896	Venom.exe
Token: SeDebugPrivilege	1412	DarkAio v1.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeSecurityPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeSecurityPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeSecurityPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeSecurityPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeSecurityPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeSecurityPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeSecurityPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeSecurityPrivilege	896	Venom.exe
Token: SeSecurityPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeSecurityPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeSecurityPrivilege	896	Venom.exe
Token: SeBackupPrivilege	896	Venom.exe
Token: SeDebugPrivilege	2296	Payload.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 896	3032	DarkAio v1.exe	87
PID 3032 wrote to memory of 896	3032	DarkAio v1.exe	87
PID 3032 wrote to memory of 896	3032	DarkAio v1.exe	87
PID 3032 wrote to memory of 3836	3032	DarkAio v1.exe	88
PID 3032 wrote to memory of 3836	3032	DarkAio v1.exe	88
PID 3032 wrote to memory of 3836	3032	DarkAio v1.exe	88
PID 3032 wrote to memory of 1412	3032	DarkAio v1.exe	90
PID 3032 wrote to memory of 1412	3032	DarkAio v1.exe	90
PID 3032 wrote to memory of 1412	3032	DarkAio v1.exe	90
PID 1412 wrote to memory of 4364	1412	DarkAio v1.exe	92
PID 1412 wrote to memory of 4364	1412	DarkAio v1.exe	92
PID 1412 wrote to memory of 4364	1412	DarkAio v1.exe	92
PID 896 wrote to memory of 2296	896	Venom.exe	94
PID 896 wrote to memory of 2296	896	Venom.exe	94
PID 896 wrote to memory of 2296	896	Venom.exe	94
PID 896 wrote to memory of 4296	896	Venom.exe	98
PID 896 wrote to memory of 4296	896	Venom.exe	98
PID 896 wrote to memory of 4296	896	Venom.exe	98
PID 4296 wrote to memory of 4892	4296	cmd.exe	100
PID 4296 wrote to memory of 4892	4296	cmd.exe	100
PID 4296 wrote to memory of 4892	4296	cmd.exe	100
PID 4296 wrote to memory of 244	4296	cmd.exe	101
PID 4296 wrote to memory of 244	4296	cmd.exe	101
PID 4296 wrote to memory of 244	4296	cmd.exe	101
PID 4296 wrote to memory of 2220	4296	cmd.exe	108
PID 4296 wrote to memory of 2220	4296	cmd.exe	108
PID 4296 wrote to memory of 2220	4296	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\DarkAio v1\DarkAio v1.exe
"C:\Users\Admin\AppData\Local\Temp\DarkAio v1\DarkAio v1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Roaming\Venom.exe
  "C:\Users\Admin\AppData\Roaming\Venom.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Users\Admin\AppData\Roaming\Payload.exe
    "C:\Users\Admin\AppData\Roaming\Payload.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lZmYBfPIKDae.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:4892
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:244
  - - C:\Users\Admin\AppData\Roaming\Venom.exe
      "C:\Users\Admin\AppData\Roaming\Venom.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2220
- C:\Users\Admin\AppData\Roaming\build.exe
  "C:\Users\Admin\AppData\Roaming\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Users\Admin\AppData\Roaming\DarkAio v1.exe
  "C:\Users\Admin\AppData\Roaming\DarkAio v1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Users\Admin\AppData\Roaming\DarkAio.exe
    "C:\Users\Admin\AppData\Roaming\DarkAio.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4364
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 872
      4⤵
      Program crash
      PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4364 -ip 4364
1⤵
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DarkAio v1.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Venom.exe.log

Filesize
1KB

MD5
9f0ab4a25d1ed1820e2e6791346fcbb3

SHA1
5fe78c8a3b420c4c407e7b081e022b8274fc051b

SHA256
dd3304bba5d4cdb7f7edd03bddc9a6196affc5e15cbec3113fb83607082b6df2

SHA512
1acccc67e08802bf4cbc7a3f402464b121ed98625aaf6dc1470b081f793fce5740e6138eb72dac74182379d7d2c177cbd1558284c53212e876a963c47104dcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\lZmYBfPIKDae.bat

Filesize
199B

MD5
43d96997ac11b2f6ee3cd0ca608e991c

SHA1
84204e423598fa6840e1838bed6315c855d5dc8d

SHA256
73a71b0b1affd8bc053369a35d0679c86c9048458bb69746c8fa427b147dc65e

SHA512
b64fdd635867b967c1cef1f32ce15ab883127b7f8976eb4ba244280755f3d22cfa151a78b1f7a607fd2d0de3a243d0b29835d4878cc44f2df47401e658531f98

Download Submit
C:\Users\Admin\AppData\Roaming\DarkAio v1.exe

Filesize
718KB

MD5
ab69f830a864aa0b2a5efa7b92d87b11

SHA1
46fc9419089e06b82d47e1afebb264b4e8d776a1

SHA256
82339ab250c45199b5e5050a3179c91a44c8369d8739b92e5c498047c81631c8

SHA512
d994fe2f8ad4999652bcfce7d694c43c1f55bb96baac8fc7ffdcac8f2bf2d75e5a2e23f4b3281de82ee634268f4e98f9347ad49b2725ef154e2b483c2fa0abb3

Download Submit
C:\Users\Admin\AppData\Roaming\DarkAio.exe

Filesize
1003KB

MD5
0e6ee37222bfc0a6ec9f5b4ec4c7c053

SHA1
6fed8b55ec8c1daca94141fbc3591f6728fe9530

SHA256
24cc63d8b135457ec2b51dc7103c938887ce4dae6faddd344ffb7477ed6ad672

SHA512
7fc0cfd1baaefd9aa4f288c745709f314dfb0dc39f06bc4bfcbc18b2d593b5893e93da30bb19a273fb5a838821f5429332392bd19431ea0a57f0f94320529f04

Download Submit
C:\Users\Admin\AppData\Roaming\Venom.exe

Filesize
1.0MB

MD5
860a7a517356a57d979ceac2a6d732f0

SHA1
e6559ce68a1faa19a5a74d3c496b245700ef2077

SHA256
cf6771d32409e4ad380ee084ece68be09a648ea20642489473593674fafc3249

SHA512
8b7bc3eed22fc36279d36c6cae708aadd30a090614f311fc3ed2c47db5e3671eb1a8ca343e32ed8025f900477f2a6334f8c52639d36b07fcdcbcadc69a95a08c

Download Submit
C:\Users\Admin\AppData\Roaming\build.exe

Filesize
95KB

MD5
4d46c4c206d1bf83b2cb8d6ff308bc2b

SHA1
80edeb15499f072c8538acbbae5d62ff3a6cc0c0

SHA256
0bf9f0c46953c27761484e8bd991b7f7f21728aa4e45703f0d44e2f68eb85a5a

SHA512
a59aa698246383e6091ef41e27c36ea2cd1f2d2264ddccd85f537bbf8207106d2d3475615a48fd5b76ca416cc8f862a49c40ffc702b60849e28c7be7cefaa859

Download Submit
memory/896-38-0x0000000005BD0000-0x0000000006174000-memory.dmp

Filesize
5.6MB

Download
memory/896-126-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/896-22-0x0000000000B70000-0x0000000000C80000-memory.dmp

Filesize
1.1MB

Download
memory/896-53-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/896-40-0x0000000005620000-0x00000000056B2000-memory.dmp

Filesize
584KB

Download
memory/896-34-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/896-43-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/896-121-0x00000000069E0000-0x0000000006A7C000-memory.dmp

Filesize
624KB

Download
memory/1412-48-0x0000000005650000-0x0000000005704000-memory.dmp

Filesize
720KB

Download
memory/1412-114-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/1412-46-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/1412-42-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/1412-54-0x0000000005700000-0x0000000005768000-memory.dmp

Filesize
416KB

Download
memory/1412-41-0x0000000000D30000-0x0000000000DE8000-memory.dmp

Filesize
736KB

Download
memory/2296-130-0x0000000006590000-0x000000000659A000-memory.dmp

Filesize
40KB

Download
memory/3032-2-0x0000000001740000-0x0000000001748000-memory.dmp

Filesize
32KB

Download
memory/3032-1-0x0000000000A90000-0x0000000000C94000-memory.dmp

Filesize
2.0MB

Download
memory/3032-0-0x00000000750FE000-0x00000000750FF000-memory.dmp

Filesize
4KB

Download
memory/3836-51-0x00000000059F0000-0x0000000005A3C000-memory.dmp

Filesize
304KB

Download
memory/3836-52-0x0000000005C50000-0x0000000005D5A000-memory.dmp

Filesize
1.0MB

Download
memory/3836-50-0x00000000059B0000-0x00000000059EC000-memory.dmp

Filesize
240KB

Download
memory/3836-47-0x0000000005DE0000-0x00000000063F8000-memory.dmp

Filesize
6.1MB

Download
memory/3836-49-0x0000000005850000-0x0000000005862000-memory.dmp

Filesize
72KB

Download
memory/3836-45-0x0000000000FC0000-0x0000000000FDE000-memory.dmp

Filesize
120KB

Download
memory/4364-116-0x0000000000C00000-0x0000000000D00000-memory.dmp

Filesize
1024KB

Download