General

  • Target

    2c73be6b374db37dd28a204f49d78a61ebcc678a9164828b9f01e50e06ece3cb

  • Size

    534KB

  • Sample

    210302-gpqnjgn76x

  • MD5

    fda53610c25408e427c84eebdc5b8ec2

  • SHA1

    13830e44fb35c5f6d4750abd620ecb4df85e7a6a

  • SHA256

    2c73be6b374db37dd28a204f49d78a61ebcc678a9164828b9f01e50e06ece3cb

  • SHA512

    617b6fb67057c7207cbe9f73be85b6f4d9d69462aee9b526a1bea085d1c101f7ff9da98da6a0e266bd49cafc41c0cdb741453bc76e9c09011bf4f1ec446f52e7

Malware Config

Targets

    • Target

      2c73be6b374db37dd28a204f49d78a61ebcc678a9164828b9f01e50e06ece3cb

    • Size

      534KB

    • MD5

      fda53610c25408e427c84eebdc5b8ec2

    • SHA1

      13830e44fb35c5f6d4750abd620ecb4df85e7a6a

    • SHA256

      2c73be6b374db37dd28a204f49d78a61ebcc678a9164828b9f01e50e06ece3cb

    • SHA512

      617b6fb67057c7207cbe9f73be85b6f4d9d69462aee9b526a1bea085d1c101f7ff9da98da6a0e266bd49cafc41c0cdb741453bc76e9c09011bf4f1ec446f52e7

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks