quasar | 5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952

General

Target

5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952
Size

716KB
Sample

220418-nzf11shdf5
MD5

57a24eb9bd6fcda2c033c8ca10890e09
SHA1

35a011428d3a4020658c294e35527c4205ede798
SHA256

5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952
SHA512

4bdca657fb1faf8bc9ea9459bb022837792483abb87d3bf257609a31e91b5f59af1fa672d588f567779f3b113c1b04a6ef1f81f6ff7c9779a6b4eb917c02e67c

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Mundo

C2

201.111.223.252:6700

Mutex

VNM_MUTEX_KJflzK0oXUK0jjdJ05

Attributes

encryption_key
eSgMT4XlUNEBcxqW7GsH
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Targets

- Target
  
  5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952
- Size
  
  716KB
- MD5
  
  57a24eb9bd6fcda2c033c8ca10890e09
- SHA1
  
  35a011428d3a4020658c294e35527c4205ede798
- SHA256
  
  5e43890d2a5f7ccb9728e2eec8a030131c94be13d6358a85835806306ad44952
- SHA512
  
  4bdca657fb1faf8bc9ea9459bb022837792483abb87d3bf257609a31e91b5f59af1fa672d588f567779f3b113c1b04a6ef1f81f6ff7c9779a6b4eb917c02e67c
Score

10^/10

quasar venomrat mundo rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Contains code to disable Windows Defender

Quasar Payload

Quasar RAT

VenomRAT

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2