Extracted

Extracted

• • Target

    50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90

  • Size

    6.2MB

  • MD5

    942b78bcd8a5aa6d10436832b1260671

  • SHA1

    e35e87e58f94e304dd0b97e9b85c6cb30146978d

  • SHA256

    50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90

  • SHA512

    89baba3a305d1d6969b68e4f63c294a861fc755f65ac6d0f5a67f7d6b7aa26cd852f78ce0441af489a70991a9cd0887388687d89efd0f1fb95fb316490d030e3

  Score

  10^/10

  quasarvenomratsteamwindows security notificationevasionpersistenceratrootkitspywarestealertrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Modifies security service

    evasion

  • Quasar Payload

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Nirsoft

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  behavioral1behavioral2