quasar | 08fb091d9d284795239c1ffd5f06f339b8b6db726198f5325f4ae55c77199402

General

Target

08fb091d9d284795239c1ffd5f06f339b8b6db726198f5325f4ae55c77199402
Size

798KB
Sample

220503-ysr5taebdj
MD5

99ecc057418a2cb4973f91b94fcc3aa2
SHA1

d0db89df21526c8da958112040e8370d8fd2f2b3
SHA256

08fb091d9d284795239c1ffd5f06f339b8b6db726198f5325f4ae55c77199402
SHA512

7addf85566e779271189de062b1b852001f908efc6a6cc7b8c8b1f0cf6850241e4a7609945f73391b42be1d89f8a359e99ba886d3667b1dff42197ff5c45ba9c

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

$77systemtelemtry

C2

192.168.0.44:80

67.61.188.107:80

Mutex

VNM_MUTEX_OplgS6EDrflEgnBXyU

Attributes

encryption_key
tfNbPwosWP6IOHXzQKKG
install_name
windowsrc.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Registry Handler
subdirectory
bin

Targets

- Target
  
  Rusher Hack/Data/Installer.dll
- Size
  
  683KB
- MD5
  
  497e3b749e37fa682a0cf5f5ec869296
- SHA1
  
  b6405eb80e48a075489dae999c3291eff5246112
- SHA256
  
  288cf51166bb6407c0f13c70a31fefba81ca381bc79dda54af39370ee479d47c
- SHA512
  
  86d137a1d8dd452c94c42293b2d2c05d3a10c017c2f1f6f18b2ca54c75925fcd0745d5e59e9deb9d533aeaf824a1e727513a2bf852d96c68e2c1f252ce84fd93
Score

10^/10

quasar venomrat $77systemtelemtry evasion persistence rat rootkit spyware stealer suricata trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata
- suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
  suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
  suricata
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  Rusher Hack/RusherHackInstaller.exe
- Size
  
  683KB
- MD5
  
  a8b9706ed1ca326d4673b88fed84db23
- SHA1
  
  72fb18cdcd67d83fe1484b8ff93ba477e8082f7d
- SHA256
  
  bfc55cb35294fba322924cd2fe7ab9e79875b2cca66419ee5ef6d675b895349c
- SHA512
  
  89c5706bba41e6b25ad1f4431eba26df9145c2292f0c42c64c688851c1882004814bf4444f8013efc1504b4bb2bbb4d11896fec7c2e42088604eedadd28ebb9b
Score

10^/10

quasar venomrat $77systemtelemtry evasion persistence rat rootkit spyware stealer suricata trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3 behavioral4