General

  • Target

    Windows Defender.bin

  • Size

    539KB

  • Sample

    220317-psqsbadgd5

  • MD5

    08d0e315fda80ebf3dc817fdaa9ee029

  • SHA1

    f8a03cdb061ec1fbd0ea71d6b4bd688aeb2d6f5a

  • SHA256

    c839c2361421e280ca3e3dba1fbff3d833c24e91f8a8774ae5a22e6c69c3b601

  • SHA512

    9b8bd7f0dd44424bdb21f9adf0cab29dc8683bb2329a98fe18832b00329a1fb0827e028499fb2f7566a7bb959459972517f3ed9fc5eeb7392908a6d302ab2d20

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Defender

C2

flashy-rake.auto.playit.gg:52017

Mutex

VNM_MUTEX_LYc2mMMFlAV9sQbWDZ

Attributes
  • encryption_key

    C6mUMPNwKyGKrTzmPjoI

  • install_name

    Windows Defender.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Defender

  • subdirectory

    Windows Defender

Targets

    • Target

      Windows Defender.bin

    • Size

      539KB

    • MD5

      08d0e315fda80ebf3dc817fdaa9ee029

    • SHA1

      f8a03cdb061ec1fbd0ea71d6b4bd688aeb2d6f5a

    • SHA256

      c839c2361421e280ca3e3dba1fbff3d833c24e91f8a8774ae5a22e6c69c3b601

    • SHA512

      9b8bd7f0dd44424bdb21f9adf0cab29dc8683bb2329a98fe18832b00329a1fb0827e028499fb2f7566a7bb959459972517f3ed9fc5eeb7392908a6d302ab2d20

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilities.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks