General
-
Target
545d4b0dcf911ffdf44b5bf01dfef7be8421e05250806eb03ffb25e736961b80
-
Size
625KB
-
Sample
220508-jf4whsecdk
-
MD5
0ab869a3a06f47cd99e5164e76d0ed33
-
SHA1
19a4f343aeafa888b1b45e95f238ef537cbfe451
-
SHA256
545d4b0dcf911ffdf44b5bf01dfef7be8421e05250806eb03ffb25e736961b80
-
SHA512
46987f55f6674a74606d2b106036d35b2c95b4ce4eceb3355132881fc9f730e4f1ef31d874ee1d271ddfb1ed0a21f665c99966a0c531b073fe3b42ad5bd1e0da
Malware Config
Extracted
quasar
2.1.0.0
1
10.0.2.15:1337
VNM_MUTEX_28broDsmlFWTzx7r3B
-
encryption_key
0hi0YaDWMh7jhT37Tcsm
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Defender
-
subdirectory
SubDir
Targets
-
-
Target
545d4b0dcf911ffdf44b5bf01dfef7be8421e05250806eb03ffb25e736961b80
-
Size
625KB
-
MD5
0ab869a3a06f47cd99e5164e76d0ed33
-
SHA1
19a4f343aeafa888b1b45e95f238ef537cbfe451
-
SHA256
545d4b0dcf911ffdf44b5bf01dfef7be8421e05250806eb03ffb25e736961b80
-
SHA512
46987f55f6674a74606d2b106036d35b2c95b4ce4eceb3355132881fc9f730e4f1ef31d874ee1d271ddfb1ed0a21f665c99966a0c531b073fe3b42ad5bd1e0da
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Quasar Payload
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
-
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-