quasar | 4b7b29f6ce0795d1f393f286bfb524e377ce76482daf84c4a5f0bafbbe204392 | Triage

Submit
Reports

Overview

overview

Static

static

dll injector.exe

windows10-2004_x64

Sharing

General

Target

dll injector.bin.zip
Size

366KB
Sample

220423-h1g2tafbbr
MD5

e212a87930943719270da897200b39fd
SHA1

97e9e1ed06a64bf0fd8b82bd245bafb0ea3d4ca7
SHA256

4b7b29f6ce0795d1f393f286bfb524e377ce76482daf84c4a5f0bafbbe204392
SHA512

63fec7d0db1eab5165a7f7a547e6dea7aba549318b2dda411cfea56b856b9847242bc4de14acab4d00f93cd5796548ae5baf4f5efaf11bf91202a6c49eacd96d

Score

10^/10

quasar venomrat windows defender evasion rat rootkit spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

dll injector.exe

Resource

win10v2004-20220414-es

quasar venomrat windows defender evasion rat rootkit spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Defender

C2

flashy-rake.auto.playit.gg:52017

Mutex

VNM_MUTEX_LYc2mMMFlAV9sQbWDZ

Attributes

encryption_key
3k1niu66x6tavwV3IiuB
install_name
Windows Defender.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender
subdirectory
Windows Defender

Targets

- Target
  
  dll injector.bin
- Size
  
  412KB
- MD5
  
  bbd4f2c780777a588f70d0a747bad1a4
- SHA1
  
  b865d58a7877d0807d3d4dbcd01c763c9afe266f
- SHA256
  
  29601ce154ca13b2db98aa15e48d48ad9d894420746b29e63bc48202d67bce8d
- SHA512
  
  c293059e9bcb6c28bbd01d1a9a144e03a9fdde04c867795747edf56ea4bb7cb3e3a8d04e61ca0a6dd05a22389e693e217e71199df747f28719e0077d29f98f06
Score

10^/10

quasar venomrat windows defender evasion rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarvenomratwindows defenderevasionratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy