Overview

overview

10

Static

static

bf79b08db6040f...31.exe

windows7_x64

10

bf79b08db6040f...31.exe

windows10-2004_x64

10
General
Target

bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31

Size

351KB

Sample

220508-je8s3sbcb8

Score
10/10
MD5

ce5ad18cc090c8a1405f084d9144671d

SHA1

67530a17331ad6477e4b25ef866412349791a3cb

SHA256

bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31

SHA512

66f3d07eb12c2a94f30fd37dadf832769fb87d10be3751f91ac474f4e72d86b535c5159f7fe2ac80500a844e9a7ace0db1d6dac69c1150475f03c207b9e8bc2a

Malware Config

Extracted

Family

quasar
Version

2.1.0.0
Botnet

1
C2

10.0.2.15:1337
Attributes
encryption_key
0hi0YaDWMh7jhT37Tcsm
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender
subdirectory
SubDir
Targets
Target

bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31

MD5

ce5ad18cc090c8a1405f084d9144671d

Filesize

351KB

Score
10/10
SHA1

67530a17331ad6477e4b25ef866412349791a3cb

SHA256

bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31

SHA512

66f3d07eb12c2a94f30fd37dadf832769fb87d10be3751f91ac474f4e72d86b535c5159f7fe2ac80500a844e9a7ace0db1d6dac69c1150475f03c207b9e8bc2a

Tags

Signatures

  • Contains code to disable Windows Defender

    Description

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Quasar Payload

  • Quasar RAT

    Description

    Quasar is an open source Remote Access Tool.

    Tags

  • VenomRAT

    Description

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    Tags

  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    Description

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    Tags

  • Executes dropped EXE

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery

  • Loads dropped DLL

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

Related Tasks

behavioral1behavioral2
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                    Privilege Escalation
                      Tasks