General
- Target: c6efe542545e64afc24b7a5f9a7b7085f98b0a74ee5990dfb980e51f4549c029
- Size: 10.9MB
- Sample: 220314-qh75aahfdq
- MD5: 028e65c25875e64a40b280abb798fdbe
- SHA1: 1d2c753f97f3687762a9230c6006ad68a1a7f8c6
- SHA256: c6efe542545e64afc24b7a5f9a7b7085f98b0a74ee5990dfb980e51f4549c029
- SHA512: fbf01736d96b790ec40684b0a0bfac0159d04e209b8e7254c04fd5aa4e08fcbaa88871980ee9915cc35821a21ec38043f3d51eb1440ce9513c7ab415d1825ded
Static task
- static1

Behavioral task
- behavioral1
- Sample: c6efe542545e64afc24b7a5f9a7b7085f98b0a74ee5990dfb980e51f4549c029.exe
- Resource: win7-20220311-en
Malware Config

Extracted
- Family: quasar
- Version: 2.6.0.0
- defender
- C2: 20.82.128.5:4444
- HkuL6QRMZaTdYNlEJY
- encryption_key: auS4Dqyt2zp1gKolism7
- install_name: Venom.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Venom Client Startup
- subdirectory: C:\Users\neilish\Desktop\rat
Targets
- Target: c6efe542545e64afc24b7a5f9a7b7085f98b0a74ee5990dfb980e51f4549c029 (Size 10.9MB; MD5, SHA1, SHA256 and SHA512 identical to those listed under General)
Signatures
- Modifies security service
- Quasar Payload
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.