General
Target: defbae45ea8e71f8a50123f382f4538afc9db836de09bab316464d4793394f19
Size: 637KB
Sample: 220107-mdm2rscbc3
MD5: 3ae1b43ae183a646db68834676be741c
SHA1: e50bb029949247457a6c9faa31e38f1fb9dfd6ae
SHA256: defbae45ea8e71f8a50123f382f4538afc9db836de09bab316464d4793394f19
SHA512: eb4f887d7e73f8130ae6d2f7cf27e6921a304b4a94ca50e2e747b7f057dd7d3e882556edf27dd1fdb625d0b74afc7d000702a034f258609ded97cd7940abfe70

Behavioral task: behavioral1
Sample: defbae45ea8e71f8a50123f382f4538afc9db836de09bab316464d4793394f19.exe
Resource: win7-en-20211208
Malware Config
Extracted family: quasar
Version: 2.1.0.0
Botnet: KRNL
C2: 127.0.0.1:4782
C2: quadrad.duckdns.org:1604
Mutex: VNM_MUTEX_w5oFkfEj8KXNrXmElF
encryption_key: HNAC3wR1K0TyDxzlsLfi
install_name: KRNL By IceBerg.exe
log_directory: Logs
reconnect_delay: 100
startup_key: KRNL By IceBerg
subdirectory: Boostrapper
Targets
Target: defbae45ea8e71f8a50123f382f4538afc9db836de09bab316464d4793394f19 (637KB; MD5, SHA1, SHA256 and SHA512 as listed under General above)
- Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Quasar Payload
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.