quasar | 9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e

General

Target

9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e
Size

725KB
Sample

220418-n3ex5aechl
MD5

a7ab1b1d14ae721f0ed0b0b828feb078
SHA1

bcb83a1665a7a1436af50ef13d01e78303f349c0
SHA256

9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e
SHA512

0d8e7cf0fe51b9f695debce7a37d721992f88f574095c96152fb15bff6c0ab1b1574495c793cc6a1446031c9c8069d2ff3c3bca7f8acc9e16dcd7168236a4118

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Mundo

C2

201.111.223.252:6700

Mutex

VNM_MUTEX_KJflzK0oXUK0jjdJ05

Attributes

encryption_key
eSgMT4XlUNEBcxqW7GsH
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Targets

- Target
  
  9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e
- Size
  
  725KB
- MD5
  
  a7ab1b1d14ae721f0ed0b0b828feb078
- SHA1
  
  bcb83a1665a7a1436af50ef13d01e78303f349c0
- SHA256
  
  9c8ea131bde14b5038358c608f55b0238e3610ceb8503b32527ae936221e862e
- SHA512
  
  0d8e7cf0fe51b9f695debce7a37d721992f88f574095c96152fb15bff6c0ab1b1574495c793cc6a1446031c9c8069d2ff3c3bca7f8acc9e16dcd7168236a4118
Score

10^/10

quasar venomrat mundo rat rootkit spyware stealer trojan suricata
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
  suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
  suricata
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Contains code to disable Windows Defender

Quasar Payload

Quasar RAT

VenomRAT

suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2