Overview

overview

10

Static

static

d959ff47bf...26.exe

windows7_x64

10

d959ff47bf...26.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

  • Size

    664KB

  • Sample

    220503-yw7dxaecbj

  • MD5

    1f2f26a299287d8353502a9133df4cf1

  • SHA1

    ee40f71067f91d23841e2f2f2b178a153e0f4e07

  • SHA256

    d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

  • SHA512

    135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97

Score
10/10
quasarvenomratoffice04evasionratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

127.0.0.1:4782

karmina113.sytes.net:2222

karmina200.sytes.net:2222
Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    Utv1d8B5zhHYcWfy3OEQ

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    SubDir

Targets

    • Target

      d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

    • Size

      664KB

    • MD5

      1f2f26a299287d8353502a9133df4cf1

    • SHA1

      ee40f71067f91d23841e2f2f2b178a153e0f4e07

    • SHA256

      d959ff47bfc45b45bf58c3dc5fc72d0112093950916a0f5c05eafdaffe123726

    • SHA512

      135124918b26b6dffecf39953eacfaef9ab1e715423a1c1db6ca87fb79c2c38e7b068dcfc01cb70ecaf56af2f6f2b5a270b1e2eb0fcc9d3f4b48ae1a00846c97

    Score
    10/10
    quasarvenomratoffice04evasionratrootkitspywarestealersuricatatrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

      ratrootkitstealervenomrat

    • suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks