General

Target: 8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2
Size: 618KB
Sample: 220508-w4mncsehb5
MD5: b4a017055a4928d2c8d7261285f9bda9
SHA1: 4987b49f51a86f302d77f48c542e270952242b13
SHA256: 8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2
SHA512: c75306c8514ebe0ccb10c2d31c0323d4c1d0cce98f3e20c30bf18e965bf040c0237c9d1afee38f79ee8d62b16839c6b67dfe35753a77ae046211eadc808dad2c
Static task: static1

Behavioral task: behavioral1
Sample: 8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2.exe
Resource: win10v2004-20220414-en
Malware Config

Extracted family: quasar
Version: 2.1.0.0
Windows Defender Security Host (unlabeled in the report; the same string reappears as startup_key and, with .exe appended, as install_name)
C2: vilvaraj-32652.portmap.io:32652
Mutex: VNM_MUTEX_s1ArJSYbui8dt0HUpJ
encryption_key: 8gl4TCjsLQUmqCIxalku
install_name: Windows Defender Security Host.exe
log_directory: Logs
reconnect_delay: 3000 (ms)
startup_key: Windows Defender Security Host
subdirectory: SubDir
Targets

Target: 8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2
Size: 618KB
MD5: b4a017055a4928d2c8d7261285f9bda9
SHA1: 4987b49f51a86f302d77f48c542e270952242b13
SHA256: 8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2
SHA512: c75306c8514ebe0ccb10c2d31c0323d4c1d0cce98f3e20c30bf18e965bf040c0237c9d1afee38f79ee8d62b16839c6b67dfe35753a77ae046211eadc808dad2c

Signatures:
- Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring and Block at First Sight.
- Quasar Payload
- suricata: ET MALWARE Common RAT Connectivity Check Observed
- suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
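The indicators in the Malware Config and the behaviours in the signature list above (Run-key persistence, the dropped EXE under the configured subdirectory, the external IP lookup, the C2 host) can be turned directly into host-side detection logic. The following is an added example, not part of the sandbox report or of Quasar itself: it runs the report's indicators over a few constructed telemetry lines in a made-up key=value format. The install path under %APPDATA%, the list of IP-lookup hostnames, and the log format are assumptions; the C2 host and port, mutex, install name, subdirectory, startup key and SHA256 are copied from the report.

```python
import re
from typing import Dict, List

# Indicators copied from the report's Malware Config and signature list.
C2_HOST = "vilvaraj-32652.portmap.io"
C2_PORT = 32652
MUTEX = "VNM_MUTEX_s1ArJSYbui8dt0HUpJ"
STARTUP_KEY = "Windows Defender Security Host"
INSTALL_NAME = "Windows Defender Security Host.exe"
SUBDIR = "SubDir"
SAMPLE_SHA256 = "8349f7ac2a0e0f0b8da7bf7121cc0a4f6c235136ec0a491972aaacb5803bc8a2"

# Assumption: the report only says "a legitimate IP lookup service" and does not
# name it, so this list of common services is an editorial guess.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "icanhazip.com", "checkip.dyndns.org"}

# Matches the value name written under the per-user/machine Run key.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# key=value tokens; quoted values may contain spaces (e.g. the install name).
TOKEN_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Tags that are specific enough to this sample to stand on their own.
STRONG = {"c2_domain", "c2_connect", "quasar_mutex", "known_sample_hash"}

# Constructed telemetry (not captured from the sandbox). The %APPDATA% path
# is assumed; the report only gives the subdirectory and install name.
SAMPLE_LOG = [
    'type=file sha256=' + SAMPLE_SHA256 + ' path="C:\\Users\\victim\\Downloads\\invoice.exe"',
    'type=proc image="C:\\Users\\victim\\AppData\\Roaming\\SubDir\\Windows Defender Security Host.exe" pid=4120',
    'type=reg path="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Defender Security Host" data="..."',
    'type=mutex name=VNM_MUTEX_s1ArJSYbui8dt0HUpJ pid=4120',
    'type=dns query=vilvaraj-32652.portmap.io pid=4120',
    'type=netconn dst=vilvaraj-32652.portmap.io:32652 pid=4120',
    'type=dns query=ip-api.com pid=4120',
    'type=dns query=www.microsoft.com pid=900',
]


def parse(line: str) -> Dict[str, str]:
    """Split one key=value telemetry line into a dict; quoted values keep spaces."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in TOKEN_RE.finditer(line)}


def scan_line(line: str) -> List[str]:
    """Return the indicator tags a single event matches (empty list if none)."""
    ev = parse(line)
    tags: List[str] = []
    kind = ev.get("type")
    if kind == "dns":
        query = ev.get("query", "").lower()
        if query == C2_HOST:
            tags.append("c2_domain")
        elif query in IP_LOOKUP_HOSTS:
            tags.append("external_ip_lookup")      # "Looks up external IP address via web service"
    elif kind == "netconn":
        host, _, port = ev.get("dst", "").rpartition(":")
        if host.lower() == C2_HOST and port == str(C2_PORT):
            tags.append("c2_connect")
    elif kind == "mutex":
        if ev.get("name") == MUTEX:
            tags.append("quasar_mutex")
    elif kind == "reg":
        m = RUN_KEY_RE.search(ev.get("path", ""))
        if m and m.group(1).lower() == STARTUP_KEY.lower():
            tags.append("run_key_persistence")     # "Adds Run key to start application"
    elif kind == "proc":
        parts = ev.get("image", "").replace("/", "\\").split("\\")
        if (len(parts) >= 2 and parts[-1].lower() == INSTALL_NAME.lower()
                and parts[-2].lower() == SUBDIR.lower()):
            tags.append("dropped_exe_in_subdir")   # "Executes dropped EXE"
    elif kind == "file":
        if ev.get("sha256", "").lower() == SAMPLE_SHA256:
            tags.append("known_sample_hash")
    return tags


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> tags for every line that matched at least one indicator."""
    return {i: t for i, line in enumerate(lines) if (t := scan_line(line))}


def verdict(lines: List[str]) -> bool:
    """Alert on any strong indicator, or on two or more independent weak ones
    (the weak tags are generic Quasar/RAT behaviours, so one alone is noisy)."""
    tags = {t for ts in scan(lines).values() for t in ts}
    return bool(tags & STRONG) or len(tags - STRONG) >= 2


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(tags)}")
    print("verdict:", verdict(SAMPLE_LOG))
```

The split into strong and weak tags reflects how specific each indicator is: the C2 hostname, the mutex and the file hash belong to this build, while a Run-key value named after Defender or an EXE under a SubDir folder could be reused by any Quasar build (or, for the Run key, by legitimate software), so those only fire together.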