quasar | f0c295d05e3abafc2d53f0c748a900a3571e1a17ee1754a6f3177266a743c42e

General

Target

f0c295d05e3abafc2d53f0c748a900a3571e1a17ee1754a6f3177266a743c42e
Size

760KB
Sample

220323-kk4lzsaga4
MD5

e87a4d9bcbb37442e69780961b8fe70d
SHA1

227e974b4ec3a72120cbf2928a673c7162edf2d8
SHA256

f0c295d05e3abafc2d53f0c748a900a3571e1a17ee1754a6f3177266a743c42e
SHA512

88808e1e47b1c81c2577c2846e28d4afb3e19778fbbb17f6ceec93c83be364e50161857c9156c41beb47ccc5bd24442c564117b409068e6db25837e51813d2e5

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

HOST

C2

44334333-37569.portmap.io:37569

Mutex

VNM_MUTEX_r9KEk55BXqBf4yPSnV

Attributes

encryption_key
LLyf89MHSBugWmHubstO
install_name
svchost.exe
log_directory
liblogsconfig
reconnect_delay
3000
startup_key
Java Update
subdirectory
svchost

Targets

- Target
  
  f0c295d05e3abafc2d53f0c748a900a3571e1a17ee1754a6f3177266a743c42e
- Size
  
  760KB
- MD5
  
  e87a4d9bcbb37442e69780961b8fe70d
- SHA1
  
  227e974b4ec3a72120cbf2928a673c7162edf2d8
- SHA256
  
  f0c295d05e3abafc2d53f0c748a900a3571e1a17ee1754a6f3177266a743c42e
- SHA512
  
  88808e1e47b1c81c2577c2846e28d4afb3e19778fbbb17f6ceec93c83be364e50161857c9156c41beb47ccc5bd24442c564117b409068e6db25837e51813d2e5
Score

10^/10

quasar host persistence spyware trojan venomrat rat rootkit stealer
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Contains code to disable Windows Defender

Quasar Payload

Quasar RAT

VenomRAT

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2