Overview

overview

10

Static

static

10

bfc55cb352...9c.exe

windows7_x64

10

bfc55cb352...9c.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c

  • Size

    683KB

  • Sample

    220503-ysqlzsebcr

  • MD5

    a8b9706ed1ca326d4673b88fed84db23

  • SHA1

    72fb18cdcd67d83fe1484b8ff93ba477e8082f7d

  • SHA256

    bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c

  • SHA512

    89c5706bba41e6b25ad1f4431eba26df9145c2292f0c42c64c688851c1882004814bf4444f8013efc1504b4bb2bbb4d11896fec7c2e42088604eedadd28ebb9b

Score
10/10
quasarvenomrat$77systemtelemtryevasionpersistenceratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

$77systemtelemtry

C2

192.168.0.44:80

67.61.188.107:80
Mutex

VNM_MUTEX_OplgS6EDrflEgnBXyU

Attributes
  • encryption_key

    6opnJj4VnPTLLOS9SdTg

  • install_name

    windowsrc.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Registry Handler

  • subdirectory

    bin

Targets

    • Target

      bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c

    • Size

      683KB

    • MD5

      a8b9706ed1ca326d4673b88fed84db23

    • SHA1

      72fb18cdcd67d83fe1484b8ff93ba477e8082f7d

    • SHA256

      bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c

    • SHA512

      89c5706bba41e6b25ad1f4431eba26df9145c2292f0c42c64c688851c1882004814bf4444f8013efc1504b4bb2bbb4d11896fec7c2e42088604eedadd28ebb9b

    Score
    10/10
    quasarvenomrat$77systemtelemtryevasionratrootkitspywarestealersuricatatrojanpersistence

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

      ratrootkitstealervenomrat

    • suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata

    • suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3

      suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3

      suricata

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks