quasar | 150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8

General

Target

150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8
Size

1.2MB
Sample

220420-eqvclsafd5
MD5

a56950b911b53a07e64b1a2f87c2907c
SHA1

2d61afb037ac5ce044b5258b581b28badffae235
SHA256

150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8
SHA512

16a3417b212243bb8bb9814636f364971292a75cf2901d936141ddb7afa7ad63da52bcbfa429de7f867ac05fa71d7c7c34459d3e86243cecfeee46f34ccf0bcc

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Wraith00hrs

C2

100.26.221.183:4782

Mutex

VNM_MUTEX_kv7tSTHxhbSWaYVuIh

Attributes

encryption_key
VyRhk9JpIqX4HHIRBxn8
install_name
windows chrome.exe
log_directory
Logs
reconnect_delay
3000
startup_key
chrome Startup
subdirectory
SubDir

Extracted

Family

warzonerat

C2

100.26.221.183:5200

Targets

- Target
  
  150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8
- Size
  
  1.2MB
- MD5
  
  a56950b911b53a07e64b1a2f87c2907c
- SHA1
  
  2d61afb037ac5ce044b5258b581b28badffae235
- SHA256
  
  150ba1e4f4c8340037db7b118b3f95280e231656bdf1f575aa5a2d73591267c8
- SHA512
  
  16a3417b212243bb8bb9814636f364971292a75cf2901d936141ddb7afa7ad63da52bcbfa429de7f867ac05fa71d7c7c34459d3e86243cecfeee46f34ccf0bcc
Score

10^/10

quasar venomrat warzonerat wraith00hrs evasion infostealer persistence rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT Payload
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2