General
-
Target
288cf51166bb6407c0f13c70a31fefba81ca381bc79dda54af39370ee479d47c
-
Size
683KB
-
Sample
220503-ysp1fsebcq
-
MD5
497e3b749e37fa682a0cf5f5ec869296
-
SHA1
b6405eb80e48a075489dae999c3291eff5246112
-
SHA256
288cf51166bb6407c0f13c70a31fefba81ca381bc79dda54af39370ee479d47c
-
SHA512
86d137a1d8dd452c94c42293b2d2c05d3a10c017c2f1f6f18b2ca54c75925fcd0745d5e59e9deb9d533aeaf824a1e727513a2bf852d96c68e2c1f252ce84fd93
Malware Config
Extracted
quasar
2.1.0.0
$77systemtelemtry
192.168.0.44:80
67.61.188.107:80
VNM_MUTEX_OplgS6EDrflEgnBXyU
-
encryption_key
tfNbPwosWP6IOHXzQKKG
-
install_name
windowsrc.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Registry Handler
-
subdirectory
bin
Targets
-
-
Target
288cf51166bb6407c0f13c70a31fefba81ca381bc79dda54af39370ee479d47c
-
Size
683KB
-
MD5
497e3b749e37fa682a0cf5f5ec869296
-
SHA1
b6405eb80e48a075489dae999c3291eff5246112
-
SHA256
288cf51166bb6407c0f13c70a31fefba81ca381bc79dda54af39370ee479d47c
-
SHA512
86d137a1d8dd452c94c42293b2d2c05d3a10c017c2f1f6f18b2ca54c75925fcd0745d5e59e9deb9d533aeaf824a1e727513a2bf852d96c68e2c1f252ce84fd93
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
Quasar Payload
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-