quasar | e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d | Triage

Submit
Reports

Overview

overview

Static

static

e0e76e89c5...4d.exe

windows7_x64

e0e76e89c5...4d.exe

windows10-2004_x64

Sharing

General

Target

e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d
Size

644KB
Sample

220418-nzbrasebek
MD5

ba6403b11dfc7faf3eabf9a6c71c38e4
SHA1

19a7760b1bfa03b9a650462e4e9d8a08f1ce069f
SHA256

e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d
SHA512

491e26588db0033dfcd1580aaeb1ddd8a23d19b71dea6a0b2f50b3175b2b758ffd310b978dd38a2ba8e40c6692d1adfc6f753a99abe9e5a09b891beb051a0807

Score

10^/10

quasar venomrat windows security evasion persistence rat rootkit spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d.exe

Resource

win7-20220414-en

quasar venomrat windows security evasion persistence rat rootkit spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d.exe

Resource

win10v2004-20220414-en

quasar venomrat windows security evasion persistence rat rootkit spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Security

C2

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_px0s48GfhAUBhjVpWU

Attributes

encryption_key
yvDiKJ3lhd7v25pBa6mQ
install_name
Windows Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security
subdirectory
SubDir

Targets

- Target
  
  e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d
- Size
  
  644KB
- MD5
  
  ba6403b11dfc7faf3eabf9a6c71c38e4
- SHA1
  
  19a7760b1bfa03b9a650462e4e9d8a08f1ce069f
- SHA256
  
  e0e76e89c5a7be76558559d83051f927f308a269d26f1c73d82df13c8afc834d
- SHA512
  
  491e26588db0033dfcd1580aaeb1ddd8a23d19b71dea6a0b2f50b3175b2b758ffd310b978dd38a2ba8e40c6692d1adfc6f753a99abe9e5a09b891beb051a0807
Score

10^/10

quasar venomrat windows security evasion persistence rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarvenomratwindows securityevasionpersistenceratrootkitspywarestealertrojan

behavioral2

quasarvenomratwindows securityevasionpersistenceratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy