Extracted

• • Target

    bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c

  • Size

    699KB

  • MD5

    5807ae1cd17e7f9bc109b3df90b243ba

  • SHA1

    08595bc28d5f185fce26da9e8362d05ad6eed16d

  • SHA256

    bc263ac14818e3dd2e48cc8954eadd8ec99a9287929f749cda1d5fa55ee4975c

  • SHA512

    ad790053c056b0bf519c2bae2585c17f063ecc30961936f78092b9684df693d1eb83b15422841172ebb9398a689b4d3f115efb44bbd156739278cca4147482a9

  Score

  10^/10

  quasarvenomratoffice04ratrootkitspywarestealertrojanpersistencesuricata

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Quasar Payload

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat

  • suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3

    suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3

    suricata

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2