Extracted

• • Target

    3b78f0d649e384179c12f8efcd36eb06d1484198c413f0f00e7124b05f50dedc

  • Size

    812KB

  • MD5

    cfa968813fa0bfd7dc8dc2ebd0a1d761

  • SHA1

    397f43f47ab3ff37b4dabe4fa5eae15ca506fff2

  • SHA256

    3b78f0d649e384179c12f8efcd36eb06d1484198c413f0f00e7124b05f50dedc

  • SHA512

    ce22c402088e342a6b4814e55f96a3e82b0aa358ba36ad6765cf9f2c62093d558e50d4d384d34a373b80d8d32095b2e6c4a0f0de03055ee5713e0b2a632f8dae

  Score

  10^/10

  quasarvenomratoffice04persistenceratrootkitspywarestealertrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Quasar Payload

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2