General

  • Target

    a295d00949ac1a1ad9eeddb39bf501003cf39ea96253247f88365b88e72fafa0

  • Size

    1.5MB

  • Sample

    220502-1cmlhaeahq

  • MD5

    1f3280270239d88068f9f0677cb6cf91

  • SHA1

    f9eb44bd1558db055395e6fa19d82fe49fe28f16

  • SHA256

    a295d00949ac1a1ad9eeddb39bf501003cf39ea96253247f88365b88e72fafa0

  • SHA512

    7ed6759d00d595010f6fadd9b1820dfb85fb57aaef57dc0a2517e1f11bdd5bbf08f6d06a2a56fa6d096287a3cb1e73ea3a7e5830cdbfae37e61aa676704a9568

Malware Config

Extracted

Family

quasar

Version

2.5.0.0

Botnet

vlc

C2

79.134.225.15:4449

Mutex

KpyW6aGsPbArfKyHdm

Attributes
  • encryption_key

    rQsXLvhrDD35aBxgF9HB

  • install_name

    Venom.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    vlc

  • subdirectory

Targets

    • Target

      a295d00949ac1a1ad9eeddb39bf501003cf39ea96253247f88365b88e72fafa0

    • Size

      1.5MB

    • MD5

      1f3280270239d88068f9f0677cb6cf91

    • SHA1

      f9eb44bd1558db055395e6fa19d82fe49fe28f16

    • SHA256

      a295d00949ac1a1ad9eeddb39bf501003cf39ea96253247f88365b88e72fafa0

    • SHA512

      7ed6759d00d595010f6fadd9b1820dfb85fb57aaef57dc0a2517e1f11bdd5bbf08f6d06a2a56fa6d096287a3cb1e73ea3a7e5830cdbfae37e61aa676704a9568

    • Quasar Payload

    • Quasar RAT

      Quasar is an open-source .NET remote access tool for Windows; the C2, mutex, install name and startup settings listed under Extracted are the values baked into this client build.

    • suricata: ET MALWARE Common RAT Connectivity Check Observed

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check before the payload runs.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
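
The extracted config and the behavioural signatures above are enough to hunt for this sample in telemetry without the binary. The Python below is an added example, not part of the sandbox report and not Quasar's code: it takes the C2 endpoint, reconnect_delay, install_name and startup_key from the Extracted section and scans constructed Zeek-style connection records and Sysmon-style host events for the two behaviours the report flags, the RAT connectivity check (periodic reconnects to 79.134.225.15:4449) and Scheduled Task persistence. The log lines, hostnames, private IPs and file paths are constructed; the schtasks command shape follows what Quasar's open-source client issues for elevated persistence and the Run key is the standard per-user startup location, neither of which the report itself shows. The mutex KpyW6aGsPbArfKyHdm is not used because it exists only as a kernel object on the infected host, not in logs.

```python
"""Hunt for the extracted Quasar indicators in host and network telemetry.

Added example for this report, not code from the sandbox or from Quasar.
All log lines below are constructed; hostnames, 10.0.0.x addresses, file
paths and the CommandLine/Details text are invented for illustration.
"""
import re
from collections import defaultdict

# Values copied from the "Extracted" section of the report.
CONFIG = {
    "c2_host": "79.134.225.15",
    "c2_port": 4449,
    "reconnect_delay_ms": 3000,
    "install_name": "Venom.exe",
    "startup_key": "vlc",
}

# Constructed Zeek-style conn records: "ts src dst dport proto".
CONN_LOG = [
    "1651487000.000 10.0.0.5 79.134.225.15 4449 tcp",
    "1651487003.010 10.0.0.5 79.134.225.15 4449 tcp",
    "1651487006.020 10.0.0.5 79.134.225.15 4449 tcp",
    "1651487009.005 10.0.0.5 79.134.225.15 4449 tcp",
    "1651487012.030 10.0.0.5 79.134.225.15 4449 tcp",
    "1651487004.500 10.0.0.5 142.250.74.78 443 tcp",   # unrelated HTTPS traffic
    "1651487100.000 10.0.0.7 79.134.225.15 4449 tcp",  # one-off hit, no cadence
]

# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry value set).
# The schtasks form is patterned on Quasar's open-source client (assumption, not from the report).
HOST_LOG = [
    'host=WS01 EventID=1 Image=C:\\Windows\\System32\\schtasks.exe '
    'CommandLine=schtasks /create /tn "vlc" /sc ONLOGON '
    '/tr "C:\\Users\\bob\\AppData\\Roaming\\Venom.exe" /rl HIGHEST /f',
    'host=WS01 EventID=13 TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft'
    '\\Windows\\CurrentVersion\\Run\\vlc '
    'Details=C:\\Users\\bob\\AppData\\Roaming\\Venom.exe',
    # Legitimate VLC player: shares the startup_key string and must not alert.
    'host=WS02 EventID=1 Image=C:\\Program Files\\VideoLAN\\VLC\\vlc.exe '
    'CommandLine=vlc.exe movie.mkv',
]

TASK_NAME_RE = re.compile(r'/tn\s+"?(?P<name>[^"\s]+)', re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^\s\\]+)', re.IGNORECASE)
HOST_RE = re.compile(r'\bhost=(\S+)')


def find_beacons(conn_lines, c2_host, c2_port, delay_ms, tolerance_s=0.5, min_gaps=3):
    """Return {src: n} for sources that reconnect to c2_host:c2_port at roughly
    delay_ms intervals; n counts the inter-connection gaps within tolerance."""
    by_src = defaultdict(list)
    for line in conn_lines:
        ts, src, dst, dport, _proto = line.split()
        if dst == c2_host and int(dport) == c2_port:
            by_src[src].append(float(ts))
    expected = delay_ms / 1000.0
    hits = {}
    for src, stamps in by_src.items():
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        matching = sum(1 for g in gaps if abs(g - expected) <= tolerance_s)
        if matching >= min_gaps:
            hits[src] = matching
    return hits


def find_persistence(host_lines, install_name, startup_key):
    """Return (host, mechanism) pairs where install_name appears together with
    startup_key used as a scheduled-task name or as a Run value name."""
    findings = []
    for line in host_lines:
        # startup_key alone ("vlc") is too generic; require the dropped binary as well.
        if install_name.lower() not in line.lower():
            continue
        host = HOST_RE.search(line).group(1)
        task = TASK_NAME_RE.search(line)
        if task and task.group("name").lower() == startup_key.lower():
            findings.append((host, "scheduled_task"))
        run = RUN_VALUE_RE.search(line)
        if run and run.group("name").lower() == startup_key.lower():
            findings.append((host, "run_key"))
    return findings


if __name__ == "__main__":
    print(find_beacons(CONN_LOG, CONFIG["c2_host"], CONFIG["c2_port"], CONFIG["reconnect_delay_ms"]))
    print(find_persistence(HOST_LOG, CONFIG["install_name"], CONFIG["startup_key"]))
```

The beacon check keys on reconnect_delay rather than on the address alone: if the operator moves the C2, a 3000 ms retry cadence from a workstation to a single external IP:port is still a usable hunt, whereas the startup_key "vlc" is deliberately never matched on its own because it collides with the legitimate VLC player.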

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                      ID      Count
  Execution              Scheduled Task                 T1053   1
  Persistence            Scheduled Task                 T1053   1
  Privilege Escalation   Scheduled Task                 T1053   1
  Discovery              Query Registry                 T1012   1
  Discovery              System Information Discovery   T1082   2
  Discovery              Remote System Discovery        T1018   1
  Command and Control    Web Service                    T1102   1

Tasks