General
Target: 1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8
Size: 546KB
Sample: 210927-wyncpshgb6
MD5: 099bce8eba599fd7262af4fe930ab098
SHA1: ccdfce07b8ca10a2b33e670dc09550e0b43d5dcb
SHA256: 1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8
SHA512: 3b9aa646ba2862bbd1644ed62034dcf4ff3a6d4b9f63ecc95281832dfbc03cd96c4a1894150ea45b4288abd9eae9a7ee2fa01634a3d7232c169d4c7e3681e345
Static task: static1
Behavioral task: behavioral1
Sample: 1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8.exe
Resource: win7v20210408
Malware Config

Extracted (first hit): quasar
reconnect_delay: 3000
encryption_key, install_name, log_directory, startup_key, subdirectory: empty in this extraction

Extracted (second hit): quasar
Version: 2.1.0.0
Tag (botnet id): Office04
C2: 10.0.0.74:1177
Mutex: VNM_MUTEX_DweppWsG4TQ0OOm4Hi
encryption_key: G5PWQxh2RxlVLvkDxu7P
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Venom Client Startup
subdirectory: SubDir
Targets

Target: 1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8
Size: 546KB
MD5: 099bce8eba599fd7262af4fe930ab098
SHA1: ccdfce07b8ca10a2b33e670dc09550e0b43d5dcb
SHA256: 1c7f91a5e04f5c80a1c9ec36a0b6a78e762359236ac67a5ea57c4083f44339c8
SHA512: 3b9aa646ba2862bbd1644ed62034dcf4ff3a6d4b9f63ecc95281832dfbc03cd96c4a1894150ea45b4288abd9eae9a7ee2fa01634a3d7232c169d4c7e3681e345
Signatures

- Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first seen, etc.
- Quasar Payload
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
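The extracted config and the signature hits above translate directly into host and network indicators. The following is an added example of how a responder might turn them into a small hunt over endpoint telemetry; it is not code from the report or from the Quasar/Venom project. Two points are worth noting: the C2 address 10.0.0.74 is an RFC 1918 private address, so this build beacons to a LAN or lab host and is useless on an internet-facing blocklist, and the example checks that explicitly. The telemetry events are constructed, Sysmon-like records rather than output from the sandbox run, and the assumptions that the dropped client runs from a path ending in SubDir\Client.exe and that Defender is tampered with via Set-MpPreference are labelled as such; the report states neither detail.

```python
import ipaddress
import re

# Config values as extracted in the report above (second hit).
QUASAR_CONFIG = {
    "c2_host": "10.0.0.74",
    "c2_port": 1177,
    "mutex": "VNM_MUTEX_DweppWsG4TQ0OOm4Hi",
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "Venom Client Startup",
}

# ASSUMPTION: the report says Defender real-time monitoring and block-at-first-seen
# are disabled but not how; this matches the documented Set-MpPreference switches.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\s+.*-Disable(RealtimeMonitoring|BlockAtFirstSeen)",
    re.IGNORECASE,
)
RUN_KEY_SUFFIX = r"\Microsoft\Windows\CurrentVersion\Run".lower()


def c2_is_private(cfg=QUASAR_CONFIG):
    """True if the C2 host is a private/loopback address (lab or LAN beacon)."""
    return ipaddress.ip_address(cfg["c2_host"]).is_private


def match_event(ev, cfg=QUASAR_CONFIG):
    """Return the name of the indicator this event matches, or None."""
    kind = ev["type"]
    if kind == "network_connect":
        if ev["dst_ip"] == cfg["c2_host"] and ev["dst_port"] == cfg["c2_port"]:
            return "c2_connection"
    elif kind == "mutex_create":
        if ev["name"] == cfg["mutex"]:
            return "quasar_mutex"
    elif kind == "registry_set":
        # Persistence: a Run value whose name equals the configured startup_key.
        if ev["key"].lower().endswith(RUN_KEY_SUFFIX) and ev["value_name"] == cfg["startup_key"]:
            return "run_key_persistence"
    elif kind == "process_create":
        # ASSUMPTION: the dropped copy runs as <subdirectory>\<install_name>
        # under the user's profile, as is typical for Quasar builds.
        tail = ("\\" + cfg["subdirectory"] + "\\" + cfg["install_name"]).lower()
        if ev["image"].lower().endswith(tail):
            return "dropped_client_exec"
        if DEFENDER_TAMPER.search(ev.get("cmdline", "")):
            return "defender_tamper"
    return None


def hunt(events, cfg=QUASAR_CONFIG):
    """Run every event through the indicators; return (index, indicator) pairs in event order."""
    hits = []
    for i, ev in enumerate(events):
        name = match_event(ev, cfg)
        if name:
            hits.append((i, name))
    return hits


# Constructed, Sysmon-like telemetry for demonstration; not from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\lab\AppData\Roaming\SubDir\Client.exe", "cmdline": ""},
    {"type": "mutex_create", "name": "VNM_MUTEX_DweppWsG4TQ0OOm4Hi"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Venom Client Startup"},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "network_connect", "dst_ip": "10.0.0.74", "dst_port": 1177},
    {"type": "network_connect", "dst_ip": "10.0.0.74", "dst_port": 443},       # same host, not the C2 port
    {"type": "process_create", "image": r"C:\Program Files\App\Client.exe", "cmdline": ""},  # same name, wrong path
]

if __name__ == "__main__":
    for idx, name in hunt(SAMPLE_EVENTS):
        print(idx, name)
    print("C2 is a private address:", c2_is_private())
```

The last two constructed events are deliberate near-misses: matching only on the hostname 10.0.0.74 or only on the filename Client.exe would fire on them, which is why the checks pair host with port and subdirectory with install name. The mutex and the startup_key value name are the most specific indicators here, since both come straight from the build configuration.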