General
-
Target
5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1
-
Size
814KB
-
Sample
220325-hatb6afcej
-
MD5
a14720279a25c2635029d82e0b395d8d
-
SHA1
492f8568c09739c0ec3eae755c301be067ba7c3a
-
SHA256
5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1
-
SHA512
4c4001b3232257376437c7696e17671f35dde68b9c86a21690edad93d91ae80e4811e4d7b217d252534c9d51d6a3d259d29e572466997932217886f7f57db71f
Malware Config
Extracted
quasar
2.1.0.0
shop
185.204.1.236:4521
VNM_MUTEX_1NgafS3xkifQY5TYWL
-
encryption_key
5KaBFSa6AfCkIN5zPsZV
-
install_name
$77loader.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
dllhost
-
subdirectory
$77loader
Targets
-
-
Target
5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1
-
Size
814KB
-
MD5
a14720279a25c2635029d82e0b395d8d
-
SHA1
492f8568c09739c0ec3eae755c301be067ba7c3a
-
SHA256
5941ff394c1b579d7e9d99cbc2f7fdd7e7a2998f2744e16c3ace35d49081a1f1
-
SHA512
4c4001b3232257376437c7696e17671f35dde68b9c86a21690edad93d91ae80e4811e4d7b217d252534c9d51d6a3d259d29e572466997932217886f7f57db71f
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
Quasar Payload
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-