Overview

overview

10

Static

static

50a1c7fe95...b6.exe

windows7_x64

10

50a1c7fe95...b6.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6

  • Size

    9.4MB

  • Sample

    220310-xegaqaabc5

  • MD5

    456b54d87d22a2c59cb44ae3e29940a3

  • SHA1

    4eb16df152f774f3794a6ca8c1cd1a3e72bc7232

  • SHA256

    50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6

  • SHA512

    8213a726aeee1519599e6884f6ad4564d5df066251267d630af4e601bef2b726a2445855e0a609f088c26c84b4cae69e26cc3d744668bf882ff46cb29684cc6d

Score
10/10
quasarvenomratsteamwindows security notificationevasionpersistencepyinstallerratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Security Notification

C2

minecraftgaming009-61323.portmap.io:61323

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    1oSvdU99XhcwnNYl3rB8

  • install_name

    Windows Security Notification.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Security Notification

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Steam

C2

Minecrafthosting6969-35389.portmap.io:35389

Mutex

EAojkiVMQ0sDtyACyi

Attributes
  • encryption_key

    P5xHRD8P5ncR2T1uRpgp

  • install_name

    Steam.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Steam

  • subdirectory

    SubDir

Targets

    • Target

      50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6

    • Size

      9.4MB

    • MD5

      456b54d87d22a2c59cb44ae3e29940a3

    • SHA1

      4eb16df152f774f3794a6ca8c1cd1a3e72bc7232

    • SHA256

      50a1c7fe95af7c0af2cc5c21c62faf10e63f4076004e8508b608385aad5be3b6

    • SHA512

      8213a726aeee1519599e6884f6ad4564d5df066251267d630af4e601bef2b726a2445855e0a609f088c26c84b4cae69e26cc3d744668bf882ff46cb29684cc6d

    Score
    10/10
    quasarvenomratsteamwindows security notificationevasionpersistencepyinstallerratrootkitspywarestealertrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies security service

      evasion

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

      ratrootkitstealervenomrat

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks