General

  • Target

    bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31

  • Size

    351KB

  • Sample

    220508-je8s3sbcb8

  • MD5

    ce5ad18cc090c8a1405f084d9144671d

  • SHA1

    67530a17331ad6477e4b25ef866412349791a3cb

  • SHA256

    bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31

  • SHA512

    66f3d07eb12c2a94f30fd37dadf832769fb87d10be3751f91ac474f4e72d86b535c5159f7fe2ac80500a844e9a7ace0db1d6dac69c1150475f03c207b9e8bc2a

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

1

C2

10.0.2.15:1337

Mutex

VNM_MUTEX_28broDsmlFWTzx7r3B

Attributes
  • encryption_key

    0hi0YaDWMh7jhT37Tcsm

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Defender

  • subdirectory

    SubDir

Targets

    • Target

      bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31

    • Size

      351KB

    • MD5

      ce5ad18cc090c8a1405f084d9144671d

    • SHA1

      67530a17331ad6477e4b25ef866412349791a3cb

    • SHA256

      bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31

    • SHA512

      66f3d07eb12c2a94f30fd37dadf832769fb87d10be3751f91ac474f4e72d86b535c5159f7fe2ac80500a844e9a7ace0db1d6dac69c1150475f03c207b9e8bc2a

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block-at-first-sight.

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilities.

    • suricata: ET MALWARE Common RAT Connectivity Check Observed

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
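The extracted config above is enough to hunt for this build on a host, and it also carries a caveat a practitioner should notice first: the C2 10.0.2.15:1337 is a private (RFC 1918) address, and 10.0.2.15 is the default guest IP under VirtualBox NAT, so this is a lab or test build and the C2 is not a usable network IOC. The following is an added example, not code from the sandbox, Quasar or VenomRAT: it derives host checks from the config values (startup_key, subdirectory, install_name, c2) and runs them over constructed Sysmon-style events. It assumes, from the Quasar family's behaviour rather than from this page, that the client persists via a Run-key value named after startup_key or via a scheduled task of the same name when elevated, and that the install path ends in <subdirectory>\<install_name> with the base folder being a build option; the mutex is a handle-level artifact Sysmon does not log, so it is listed but not matched.

```python
"""Hunt for the VenomRAT/Quasar build described above using its extracted config.

Added example for this page; it is not the sandbox's or the RAT's own code.
Assumptions not stated in the report: Quasar-family clients persist with a
Run-key value named after `startup_key` (or a scheduled task of the same name
when elevated); the install path ends in <subdirectory>\<install_name>, the
base folder being a build option; the events below are constructed to mimic
Sysmon event IDs 1 (process create), 3 (network) and 13 (registry value set).
"""
import ipaddress
import json
import re

# Copied from the "Malware Config" section of the report.
CONFIG = {
    "c2": "10.0.2.15:1337",
    "mutex": "VNM_MUTEX_28broDsmlFWTzx7r3B",  # handle-level artifact; Sysmon does not log it
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "Windows Defender",
}

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def c2_is_routable(c2):
    """False when the C2 host is private/loopback/link-local, as 10.0.2.15 is.
    That address is the default guest IP under VirtualBox NAT, so this build is
    a lab/test build and the C2 is not a usable network IOC."""
    host = c2.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:  # hostname rather than an IP literal: cannot judge here
        return True


def build_checks(cfg):
    """Return {name: predicate(event)} derived from the config values."""
    c2_host, c2_port = cfg["c2"].rsplit(":", 1)
    install_tail = ("\\" + cfg["subdirectory"] + "\\" + cfg["install_name"]).lower()
    task_re = re.compile(r'schtasks(\.exe)?\s.*?/tn\s+"?' + re.escape(cfg["startup_key"]) + '"?', re.I)

    def image_is_client(ev):
        return ev.get("Image", "").lower().endswith(install_tail)

    def run_key_persistence(ev):  # T1060 in ATT&CK v6 (T1547.001 in current versions)
        target = ev.get("TargetObject", "")
        return (ev.get("EventID") == 13
                and RUN_KEY_RE.search(target) is not None
                and target.rsplit("\\", 1)[-1] == cfg["startup_key"]
                and ev.get("Details", "").strip('"').lower().endswith(install_tail))

    def scheduled_task_persistence(ev):  # T1053, the technique the report maps
        return ev.get("EventID") == 1 and task_re.search(ev.get("CommandLine", "")) is not None

    def dropped_exe_executed(ev):  # "Executes dropped EXE" from the signature list
        return ev.get("EventID") == 1 and image_is_client(ev)

    def c2_connection(ev):
        return (ev.get("EventID") == 3 and image_is_client(ev)
                and ev.get("DestinationIp") == c2_host
                and str(ev.get("DestinationPort")) == c2_port)

    return {f.__name__: f for f in (run_key_persistence, scheduled_task_persistence,
                                    dropped_exe_executed, c2_connection)}


def hunt(jsonl, cfg=CONFIG):
    """Run every check over JSON-lines events; return [(check_name, event_index)]."""
    checks = build_checks(cfg)
    hits = []
    for idx, line in enumerate(l for l in jsonl.splitlines() if l.strip()):
        ev = json.loads(line)
        hits.extend((name, idx) for name, pred in checks.items() if pred(ev))
    return hits


# Constructed Sysmon-style events (not from the sandbox run); two are benign noise.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
{"EventID": 1, "Image": "C:\\Users\\lab\\AppData\\Roaming\\SubDir\\Client.exe", "CommandLine": "\"C:\\Users\\lab\\AppData\\Roaming\\SubDir\\Client.exe\""}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Defender", "Details": "\"C:\\Users\\lab\\AppData\\Roaming\\SubDir\\Client.exe\""}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\lab\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /tn \"Windows Defender\" /sc ONLOGON /tr \"C:\\Users\\lab\\AppData\\Roaming\\SubDir\\Client.exe\" /rl HIGHEST /f"}
{"EventID": 3, "Image": "C:\\Users\\lab\\AppData\\Roaming\\SubDir\\Client.exe", "DestinationIp": "10.0.2.15", "DestinationPort": 1337}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "142.250.72.14", "DestinationPort": 443}
"""

if __name__ == "__main__":
    if not c2_is_routable(CONFIG["c2"]):
        print("C2 %s is not globally routable: lab/test build, do not block on it" % CONFIG["c2"])
    for name, idx in hunt(SAMPLE_EVENTS):
        print("event %d: %s" % (idx, name))
```

The checks key on the value name under the Run key and on the path tail rather than on the full install path, because Quasar's base install folder (user profile, Program Files or System) is chosen at build time and is not in the extracted config. The same derivation works for any Quasar-family config with these fields; the mutex name is best matched by handle enumeration or a memory scan rather than by event logs.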

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                 Technique                     Count  ID
Execution              Scheduled Task                1      T1053
Persistence            Scheduled Task                1      T1053
Privilege Escalation   Scheduled Task                1      T1053
Discovery              Query Registry                1      T1012
Discovery              System Information Discovery  2      T1082

Tasks