quasar | 391b3ed40a1c62a6f159f72e5cce5b6bf1b02dbc26de45ad89f8c8d61e10afb7

Analysis

max time kernel
131s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/11/2024, 02:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DarkAio v1/DarkAio v1.exe
Size

2.0MB
MD5

0d9c552b2c8836cb71857faf06c0a539
SHA1

4289e2f119a995725be6e1721ebc456a9d00bde8
SHA256

20137d947f979827c4b073dfa8c339d4decf42ca838f4e21204a363bff2337b6
SHA512

2f96567c3890407d86ea657865269bd8d97e3db29f22b57484cef5c28c03f36683ada2624a5b1f287cbd604bf9bd04390fb276b84d879fadc6142966b1a9d79e
SSDEEP

49152:lmPH/GDTgt/axtPhJZdBUd61shsTGfxl0ML:QPH4TYybZnQ5lf

Score

10^/10

quasar redline sectoprat aio venom client discovery infostealer rat spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.7.0.0

Botnet

Venom Client

40.71.25.32:4782

Mutex

JlYM51eW4iZoFyLa2X

Attributes

encryption_key
P9MDWURJLkPDORtyF7Jj
install_name
Payload.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup

Extracted

Family

redline

Botnet

AIO

40.71.25.32:1337

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral3/files/0x0005000000010300-5.dat	family_quasar
behavioral3/memory/2808-23-0x0000000000120000-0x0000000000230000-memory.dmp	family_quasar
behavioral3/memory/1824-35-0x00000000002B0000-0x00000000003C0000-memory.dmp	family_quasar
behavioral3/memory/2196-62-0x0000000000200000-0x0000000000310000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x0005000000018696-16.dat	family_redline
behavioral3/memory/2688-26-0x0000000001260000-0x000000000127E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral3/files/0x0005000000018696-16.dat	family_sectoprat
behavioral3/memory/2688-26-0x0000000001260000-0x000000000127E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Executes dropped EXE 6 IoCs

pid	Process
2808	Venom.exe
2688	build.exe
2872	DarkAio v1.exe
1824	Payload.exe
2912	DarkAio.exe
2196	Venom.exe

Loads dropped DLL 10 IoCs

pid	Process
1448	DarkAio v1.exe
1448	DarkAio v1.exe
1448	DarkAio v1.exe
2808	Venom.exe
2872	DarkAio v1.exe
2756	WerFault.exe
2756	WerFault.exe
2756	WerFault.exe
2756	WerFault.exe
2756	WerFault.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2756	2912	WerFault.exe	36

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Venom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkAio v1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkAio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Venom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkAio v1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2052	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2052	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2872	DarkAio v1.exe
2872	DarkAio v1.exe
2872	DarkAio v1.exe
2872	DarkAio v1.exe
2872	DarkAio v1.exe
2872	DarkAio v1.exe
2872	DarkAio v1.exe
2872	DarkAio v1.exe
2872	DarkAio v1.exe
2872	DarkAio v1.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	build.exe
Token: SeDebugPrivilege	2808	Venom.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeSecurityPrivilege	2808	Venom.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeSecurityPrivilege	2808	Venom.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeSecurityPrivilege	2808	Venom.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeSecurityPrivilege	2808	Venom.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeSecurityPrivilege	2808	Venom.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeSecurityPrivilege	2808	Venom.exe
Token: SeDebugPrivilege	1824	Payload.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeSecurityPrivilege	2808	Venom.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeSecurityPrivilege	2808	Venom.exe
Token: SeSecurityPrivilege	2808	Venom.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeSecurityPrivilege	2808	Venom.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeSecurityPrivilege	2808	Venom.exe
Token: SeBackupPrivilege	2808	Venom.exe
Token: SeDebugPrivilege	2872	DarkAio v1.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2808	1448	DarkAio v1.exe	30
PID 1448 wrote to memory of 2808	1448	DarkAio v1.exe	30
PID 1448 wrote to memory of 2808	1448	DarkAio v1.exe	30
PID 1448 wrote to memory of 2808	1448	DarkAio v1.exe	30
PID 1448 wrote to memory of 2688	1448	DarkAio v1.exe	31
PID 1448 wrote to memory of 2688	1448	DarkAio v1.exe	31
PID 1448 wrote to memory of 2688	1448	DarkAio v1.exe	31
PID 1448 wrote to memory of 2688	1448	DarkAio v1.exe	31
PID 1448 wrote to memory of 2872	1448	DarkAio v1.exe	33
PID 1448 wrote to memory of 2872	1448	DarkAio v1.exe	33
PID 1448 wrote to memory of 2872	1448	DarkAio v1.exe	33
PID 1448 wrote to memory of 2872	1448	DarkAio v1.exe	33
PID 2808 wrote to memory of 1824	2808	Venom.exe	35
PID 2808 wrote to memory of 1824	2808	Venom.exe	35
PID 2808 wrote to memory of 1824	2808	Venom.exe	35
PID 2808 wrote to memory of 1824	2808	Venom.exe	35
PID 2872 wrote to memory of 2912	2872	DarkAio v1.exe	36
PID 2872 wrote to memory of 2912	2872	DarkAio v1.exe	36
PID 2872 wrote to memory of 2912	2872	DarkAio v1.exe	36
PID 2872 wrote to memory of 2912	2872	DarkAio v1.exe	36
PID 2912 wrote to memory of 2756	2912	DarkAio.exe	38
PID 2912 wrote to memory of 2756	2912	DarkAio.exe	38
PID 2912 wrote to memory of 2756	2912	DarkAio.exe	38
PID 2912 wrote to memory of 2756	2912	DarkAio.exe	38
PID 2808 wrote to memory of 536	2808	Venom.exe	39
PID 2808 wrote to memory of 536	2808	Venom.exe	39
PID 2808 wrote to memory of 536	2808	Venom.exe	39
PID 2808 wrote to memory of 536	2808	Venom.exe	39
PID 536 wrote to memory of 2028	536	cmd.exe	41
PID 536 wrote to memory of 2028	536	cmd.exe	41
PID 536 wrote to memory of 2028	536	cmd.exe	41
PID 536 wrote to memory of 2028	536	cmd.exe	41
PID 536 wrote to memory of 2052	536	cmd.exe	42
PID 536 wrote to memory of 2052	536	cmd.exe	42
PID 536 wrote to memory of 2052	536	cmd.exe	42
PID 536 wrote to memory of 2052	536	cmd.exe	42
PID 536 wrote to memory of 2196	536	cmd.exe	43
PID 536 wrote to memory of 2196	536	cmd.exe	43
PID 536 wrote to memory of 2196	536	cmd.exe	43
PID 536 wrote to memory of 2196	536	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\DarkAio v1\DarkAio v1.exe
"C:\Users\Admin\AppData\Local\Temp\DarkAio v1\DarkAio v1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Roaming\Venom.exe
  "C:\Users\Admin\AppData\Roaming\Venom.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Roaming\Payload.exe
    "C:\Users\Admin\AppData\Roaming\Payload.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\xaUgz2lU79uw.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2028
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2052
  - - C:\Users\Admin\AppData\Roaming\Venom.exe
      "C:\Users\Admin\AppData\Roaming\Venom.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2196
- C:\Users\Admin\AppData\Roaming\build.exe
  "C:\Users\Admin\AppData\Roaming\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Users\Admin\AppData\Roaming\DarkAio v1.exe
  "C:\Users\Admin\AppData\Roaming\DarkAio v1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Roaming\DarkAio.exe
    "C:\Users\Admin\AppData\Roaming\DarkAio.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 548
      4⤵
      Loads dropped DLL
      Program crash
      PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xaUgz2lU79uw.bat

Filesize
199B

MD5
a1d2420e31fda2ad0a1575e383808ff4

SHA1
eb3efc2df20447c12c8e10e279987b1532acedb7

SHA256
9b6d2cf50c435289572a25b556ddf703d6a7ecc3155714317c855e481baa4b82

SHA512
99a0257b8da00bfcf911a13001563db5ba9752b00b1ea7be52a234fd38d21e835522b392080c16b4a5c889ede9368c04b05c11c107daf62f37568c388f1e097e

Download Submit
C:\Users\Admin\AppData\Roaming\build.exe

Filesize
95KB

MD5
4d46c4c206d1bf83b2cb8d6ff308bc2b

SHA1
80edeb15499f072c8538acbbae5d62ff3a6cc0c0

SHA256
0bf9f0c46953c27761484e8bd991b7f7f21728aa4e45703f0d44e2f68eb85a5a

SHA512
a59aa698246383e6091ef41e27c36ea2cd1f2d2264ddccd85f537bbf8207106d2d3475615a48fd5b76ca416cc8f862a49c40ffc702b60849e28c7be7cefaa859

Download Submit
\Users\Admin\AppData\Roaming\DarkAio v1.exe

Filesize
718KB

MD5
ab69f830a864aa0b2a5efa7b92d87b11

SHA1
46fc9419089e06b82d47e1afebb264b4e8d776a1

SHA256
82339ab250c45199b5e5050a3179c91a44c8369d8739b92e5c498047c81631c8

SHA512
d994fe2f8ad4999652bcfce7d694c43c1f55bb96baac8fc7ffdcac8f2bf2d75e5a2e23f4b3281de82ee634268f4e98f9347ad49b2725ef154e2b483c2fa0abb3

Download Submit
\Users\Admin\AppData\Roaming\DarkAio.exe

Filesize
1003KB

MD5
0e6ee37222bfc0a6ec9f5b4ec4c7c053

SHA1
6fed8b55ec8c1daca94141fbc3591f6728fe9530

SHA256
24cc63d8b135457ec2b51dc7103c938887ce4dae6faddd344ffb7477ed6ad672

SHA512
7fc0cfd1baaefd9aa4f288c745709f314dfb0dc39f06bc4bfcbc18b2d593b5893e93da30bb19a273fb5a838821f5429332392bd19431ea0a57f0f94320529f04

Download Submit
\Users\Admin\AppData\Roaming\Venom.exe

Filesize
1.0MB

MD5
860a7a517356a57d979ceac2a6d732f0

SHA1
e6559ce68a1faa19a5a74d3c496b245700ef2077

SHA256
cf6771d32409e4ad380ee084ece68be09a648ea20642489473593674fafc3249

SHA512
8b7bc3eed22fc36279d36c6cae708aadd30a090614f311fc3ed2c47db5e3671eb1a8ca343e32ed8025f900477f2a6334f8c52639d36b07fcdcbcadc69a95a08c

Download Submit
memory/1448-1-0x0000000000DE0000-0x0000000000FE4000-memory.dmp

Filesize
2.0MB

Download
memory/1448-2-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/1448-0-0x000000007431E000-0x000000007431F000-memory.dmp

Filesize
4KB

Download
memory/1824-35-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/2196-62-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/2688-26-0x0000000001260000-0x000000000127E000-memory.dmp

Filesize
120KB

Download
memory/2808-28-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-23-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/2808-58-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2872-36-0x0000000000330000-0x0000000000398000-memory.dmp

Filesize
416KB

Download
memory/2872-27-0x00000000042A0000-0x0000000004354000-memory.dmp

Filesize
720KB

Download
memory/2872-24-0x0000000000270000-0x0000000000328000-memory.dmp

Filesize
736KB

Download
memory/2912-45-0x0000000001200000-0x0000000001300000-memory.dmp

Filesize
1024KB

Download