General
-
Target
026beaf36cb34931a5e173f71873b451ef43a889c1c09aa0b071641c6c3345d3
-
Size
15.0MB
-
Sample
220508-jbl5xabbb6
-
MD5
35ecc52f8d324f88c65432ca49d6f223
-
SHA1
4102ef0264dac3521052e1acb32bca0c12162cae
-
SHA256
026beaf36cb34931a5e173f71873b451ef43a889c1c09aa0b071641c6c3345d3
-
SHA512
e91092fc235acda0f9d71e3867f11b3c237627aa69049a8588b3466e3efb09663eab11f046e56f9b87aaa988322c0e1d8ea1278565624c152922da8972e1a50a
Malware Config
Extracted
quasar
2.1.0.0
WinDir
0.tcp.ngrok.io:18130
VNM_MUTEX_kdX9JMeh4Tx0gANlkq
-
encryption_key
4z4UlPgqlyr06tHY9YuZ
-
install_name
WindowsSystemDirectoryManager.exe
-
log_directory
JR_DIR
-
reconnect_delay
3000
-
startup_key
WindowsSystemDirectoryManager
-
subdirectory
WinSysDir
Targets
-
-
Target
026beaf36cb34931a5e173f71873b451ef43a889c1c09aa0b071641c6c3345d3
-
Size
15.0MB
-
MD5
35ecc52f8d324f88c65432ca49d6f223
-
SHA1
4102ef0264dac3521052e1acb32bca0c12162cae
-
SHA256
026beaf36cb34931a5e173f71873b451ef43a889c1c09aa0b071641c6c3345d3
-
SHA512
e91092fc235acda0f9d71e3867f11b3c237627aa69049a8588b3466e3efb09663eab11f046e56f9b87aaa988322c0e1d8ea1278565624c152922da8972e1a50a
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
Quasar Payload
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-