Overview

overview

10

Static

static

c3fc5c1cd6...48.exe

windows7_x64

10

c3fc5c1cd6...48.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648

  • Size

    617KB

  • Sample

    220508-v6nsrsggar

  • MD5

    7ca7553bd7447c208b5ef00e7374cb44

  • SHA1

    2718e5d21d8f12748f8353cd5574554c654f82a0

  • SHA256

    c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648

  • SHA512

    472b6931e9e712b7c8f045efa99b5a4fd23e3aa14dab256a6690850e711f3263d27c85c6df222ab72f2f4ab120986080e96e1bca2b1d4e5c52a29dc26eaecb1c

Score
10/10
quasarvenomratwindows defender security hostevasionpersistenceratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Defender Security Host

C2

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_s1ArJSYbui8dt0HUpJ

Attributes
  • encryption_key

    8gl4TCjsLQUmqCIxalku

  • install_name

    Windows Defender Security Host.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Defender Security Host

  • subdirectory

    SubDir

Targets

    • Target

      c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648

    • Size

      617KB

    • MD5

      7ca7553bd7447c208b5ef00e7374cb44

    • SHA1

      2718e5d21d8f12748f8353cd5574554c654f82a0

    • SHA256

      c3fc5c1cd66f7e367cd4194310500aead7341c0154e61111bd1031e262de5648

    • SHA512

      472b6931e9e712b7c8f045efa99b5a4fd23e3aa14dab256a6690850e711f3263d27c85c6df222ab72f2f4ab120986080e96e1bca2b1d4e5c52a29dc26eaecb1c

    Score
    10/10
    quasarvenomratwindows defender security hostevasionpersistenceratrootkitspywarestealersuricatatrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

      ratrootkitstealervenomrat

    • suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks