quasar | bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31 | Triage

Submit
Reports

Overview

overview

Static

static

bf79b08db6...31.exe

windows7_x64

bf79b08db6...31.exe

windows10-2004_x64

Sharing

General

Target

bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31
Size

351KB
Sample

220508-je8s3sbcb8
MD5

ce5ad18cc090c8a1405f084d9144671d
SHA1

67530a17331ad6477e4b25ef866412349791a3cb
SHA256

bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31
SHA512

66f3d07eb12c2a94f30fd37dadf832769fb87d10be3751f91ac474f4e72d86b535c5159f7fe2ac80500a844e9a7ace0db1d6dac69c1150475f03c207b9e8bc2a

Score

10^/10

quasar venomrat 1 rat rootkit spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31.exe

Resource

win7-20220414-en

quasar venomrat 1 rat rootkit spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31.exe

Resource

win10v2004-20220414-en

quasar venomrat 1 rat rootkit spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

1

C2

10.0.2.15:1337

Mutex

VNM_MUTEX_28broDsmlFWTzx7r3B

Attributes

encryption_key
0hi0YaDWMh7jhT37Tcsm
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender
subdirectory
SubDir

Targets

- Target
  
  bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31
- Size
  
  351KB
- MD5
  
  ce5ad18cc090c8a1405f084d9144671d
- SHA1
  
  67530a17331ad6477e4b25ef866412349791a3cb
- SHA256
  
  bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31
- SHA512
  
  66f3d07eb12c2a94f30fd37dadf832769fb87d10be3751f91ac474f4e72d86b535c5159f7fe2ac80500a844e9a7ace0db1d6dac69c1150475f03c207b9e8bc2a
Score

10^/10

quasar venomrat 1 rat rootkit spyware stealer suricata trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarvenomrat1ratrootkitspywarestealersuricatatrojan

behavioral2

quasarvenomrat1ratrootkitspywarestealersuricatatrojan

© 2018-2025

Terms | Privacy