General
-
Target
Windows Defender.bin
-
Size
539KB
-
Sample
220317-psqsbadgd5
-
MD5
08d0e315fda80ebf3dc817fdaa9ee029
-
SHA1
f8a03cdb061ec1fbd0ea71d6b4bd688aeb2d6f5a
-
SHA256
c839c2361421e280ca3e3dba1fbff3d833c24e91f8a8774ae5a22e6c69c3b601
-
SHA512
9b8bd7f0dd44424bdb21f9adf0cab29dc8683bb2329a98fe18832b00329a1fb0827e028499fb2f7566a7bb959459972517f3ed9fc5eeb7392908a6d302ab2d20
Malware Config
Extracted
quasar
2.1.0.0
Windows Defender
flashy-rake.auto.playit.gg:52017
VNM_MUTEX_LYc2mMMFlAV9sQbWDZ
-
encryption_key
C6mUMPNwKyGKrTzmPjoI
-
install_name
Windows Defender.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Defender
-
subdirectory
Windows Defender
Targets
-
-
Target
Windows Defender.bin
-
Size
539KB
-
MD5
08d0e315fda80ebf3dc817fdaa9ee029
-
SHA1
f8a03cdb061ec1fbd0ea71d6b4bd688aeb2d6f5a
-
SHA256
c839c2361421e280ca3e3dba1fbff3d833c24e91f8a8774ae5a22e6c69c3b601
-
SHA512
9b8bd7f0dd44424bdb21f9adf0cab29dc8683bb2329a98fe18832b00329a1fb0827e028499fb2f7566a7bb959459972517f3ed9fc5eeb7392908a6d302ab2d20
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
Quasar Payload
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Windows security modification
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-