Overview

overview

10

Static

static

a5d9e8d426...f8.exe

windows7_x64

10

a5d9e8d426...f8.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8

  • Size

    550KB

  • Sample

    220503-yzn2qsbfe7

  • MD5

    87288d8d050aa668f25388f9e12d56f6

  • SHA1

    fcfb9d9d982e787fc32e60e4d5efe6a6c4f00acf

  • SHA256

    a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8

  • SHA512

    28e6a5f7b3d6cab605383f4f35badfbb963035d57fa2afc4ef704cd58522ded2bacea690fb13f0977ced2a0a232956db87a2dffb6118f7b3838f44980effc97a

Score
10/10
quasarvenomratoffice04evasionratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

127.0.0.1:4782

karmina113.sytes.net:2222

karmina200.sytes.net:2222
Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    Utv1d8B5zhHYcWfy3OEQ

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    SubDir

Targets

    • Target

      a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8

    • Size

      550KB

    • MD5

      87288d8d050aa668f25388f9e12d56f6

    • SHA1

      fcfb9d9d982e787fc32e60e4d5efe6a6c4f00acf

    • SHA256

      a5d9e8d42663f4d7c3690d965df7a5b8ac3999d5fd40bb067ade837ae9829af8

    • SHA512

      28e6a5f7b3d6cab605383f4f35badfbb963035d57fa2afc4ef704cd58522ded2bacea690fb13f0977ced2a0a232956db87a2dffb6118f7b3838f44980effc97a

    Score
    10/10
    quasarvenomratoffice04evasionratrootkitspywarestealersuricatatrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

      ratrootkitstealervenomrat

    • suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks