General

  • Target

    97e297691930f3a5fc04b5e46f4ffdac7b13a781f1629da71f38824ee935af9a

  • Size

    1.1MB

  • Sample

    220329-y8awgafabj

  • MD5

    1f27a3ecac5d0c549112fc03b10c552a

  • SHA1

    28064a66a5743d932d92ba19af6f8a123372a070

  • SHA256

    97e297691930f3a5fc04b5e46f4ffdac7b13a781f1629da71f38824ee935af9a

  • SHA512

    b4c6003a7eb5ac9baad09f16d9531e842513dcd5e1c322e11cc7a5688b4359943a2af0b89ed7486bfbc02b75a9b25aed67642ec60614f8338b615f88e4a4962e

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

shooter00hrs

C2

185.219.134.245:4782

Mutex

VNM_MUTEX_ZFDh9LaTbTmwqFwo3L

Attributes
  • encryption_key

    wGYjrQIx5abERLvzC8Zu

  • install_name

    windows chrome.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    chrome Startup

  • subdirectory

    SubDir

Extracted

Family

warzonerat

C2

185.219.134.245:5200

Targets

    • Target

      97e297691930f3a5fc04b5e46f4ffdac7b13a781f1629da71f38824ee935af9a

    • Size

      1.1MB

    • MD5

      1f27a3ecac5d0c549112fc03b10c552a

    • SHA1

      28064a66a5743d932d92ba19af6f8a123372a070

    • SHA256

      97e297691930f3a5fc04b5e46f4ffdac7b13a781f1629da71f38824ee935af9a

    • SHA512

      b4c6003a7eb5ac9baad09f16d9531e842513dcd5e1c322e11cc7a5688b4359943a2af0b89ed7486bfbc02b75a9b25aed67642ec60614f8338b615f88e4a4962e

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender features such as real-time monitoring and block-at-first-seen.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with added features such as rootkit and stealer capabilities.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++, sold as malware-as-a-service (MaaS) with multiple plugins.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
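
The extracted configs and behaviour signatures above translate directly into host-side hunting logic: the two C2 sockets on 185.219.134.245 (Quasar on 4782, WarzoneRAT on 5200), the Quasar install name and subdirectory ("SubDir\windows chrome.exe"), the Run value name "chrome Startup", and the Defender real-time protection tampering. The script below is an added example, not part of the Triage report or of either RAT's code. It evaluates those indicators over a JSON-style export of Sysmon (events 1, 3, 11, 13) and Windows Defender operational (event 5001, real-time protection disabled) records. The sample events, the user name, the SID and the %APPDATA% install base are all constructed; the report does not state which install base the sample used, so the path check only matches the trailing "\SubDir\windows chrome.exe". Matching on the exact C2 socket is reported separately from traffic to the same IP on another port, which is lower confidence.

```python
"""Hunt the indicators from this report over Sysmon and Defender events.

Added example (not part of the Triage report). Events are constructed to look
like a JSON export of the Sysmon and Windows Defender operational channels.
"""
import re

SYSMON = "Microsoft-Windows-Sysmon/Operational"
DEFENDER = "Microsoft-Windows-Windows Defender/Operational"

# Indicators taken from the Malware Config section of the report.
C2_IP = "185.219.134.245"
C2_PORTS = {4782: "quasar", 5200: "warzonerat"}
RUN_VALUE_NAME = "chrome Startup"                  # quasar startup_key
INSTALL_TAIL = r"\subdir\windows chrome.exe"       # subdirectory + install_name, lower-cased

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\" + re.escape(RUN_VALUE_NAME) + r"$", re.I)
# Policy values that switch Defender real-time features off (the report notes the
# .NET stub disables real-time monitoring and block-at-first-seen).
DEFENDER_RTP_RE = re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I)


def match_event(ev):
    """Return the list of indicator names an event matches (empty list = clean)."""
    hits = []
    chan, eid = ev.get("Channel"), ev.get("EventID")

    if chan == DEFENDER:
        if eid == 5001:                      # Defender: real-time protection disabled
            hits.append("defender_5001_rtp_disabled")
        return hits
    if chan != SYSMON:
        return hits

    if eid in (1, 11):                       # ProcessCreate / FileCreate
        path = ev.get("Image" if eid == 1 else "TargetFilename", "")
        if path.lower().endswith(INSTALL_TAIL):
            hits.append("install_path")
    elif eid == 3:                           # NetworkConnect
        if ev.get("DestinationIp") == C2_IP:
            port = int(ev.get("DestinationPort", 0))
            family = C2_PORTS.get(port)
            # Exact socket from the config = high confidence; same IP on another
            # port is still worth a look but is reported separately.
            hits.append("c2_%s_%d" % (family, port) if family else "c2_ip_other_port")
    elif eid == 13:                          # RegistryEvent (SetValue)
        target = ev.get("TargetObject", "")
        if RUN_KEY_RE.search(target):
            hits.append("run_key")
        elif DEFENDER_RTP_RE.search(target) and ev.get("Details", "").endswith("(0x00000001)"):
            hits.append("defender_rtp_registry_disable")
    return hits


def hunt(events):
    """Evaluate every event; return per-event hits plus the distinct indicator set."""
    matches = [(i, hits) for i, ev in enumerate(events) if (hits := match_event(ev))]
    return {"matches": matches,
            "indicators": sorted({h for _, hits in matches for h in hits})}


# Constructed sample data: user, SID and install base are assumptions, not from the run.
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
DROPPED = r"C:\Users\victim\AppData\Roaming\SubDir\windows chrome.exe"
SAMPLE_EVENTS = [
    {"Channel": SYSMON, "EventID": 11, "Image": r"C:\Users\victim\Downloads\loader.exe",
     "TargetFilename": DROPPED},
    {"Channel": SYSMON, "EventID": 1, "Image": DROPPED, "ProcessId": 4120},
    {"Channel": SYSMON, "EventID": 13, "Image": DROPPED,
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\chrome Startup",
     "Details": '"%s"' % DROPPED},
    {"Channel": SYSMON, "EventID": 13,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Channel": SYSMON, "EventID": 3, "Image": DROPPED, "DestinationIp": C2_IP, "DestinationPort": 4782},
    {"Channel": SYSMON, "EventID": 3, "Image": DROPPED, "DestinationIp": C2_IP, "DestinationPort": 5200},
    {"Channel": SYSMON, "EventID": 3, "Image": DROPPED, "DestinationIp": C2_IP, "DestinationPort": 443},
    {"Channel": DEFENDER, "EventID": 5001},
    # Benign noise that must not match:
    {"Channel": SYSMON, "EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Channel": SYSMON, "EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for idx, hits in result["matches"]:
        print(idx, SAMPLE_EVENTS[idx]["EventID"], hits)
    print("indicators:", result["indicators"])
```

The mutex (VNM_MUTEX_ZFDh9LaTbTmwqFwo3L) is deliberately absent from the log logic: Sysmon does not record mutex creation, so it is a live-host or memory-image check rather than something to hunt in event exports. Feed real data by loading each exported event as a dict with the same field names Sysmon and the Defender channel emit.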

MITRE ATT&CK Enterprise v6

Tasks