quasar | e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215

General

Target

e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215
Size

488KB
Sample

220511-29t8aacfc3
MD5

0f9120aa260daa1849a56062f8b6a492
SHA1

a56e35f6cc5424936a56827d307253c56a937a0e
SHA256

e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215
SHA512

ae52b328521f6a550951ac0c53745034f985230dcd850d0881079d1a2f50b865c30e646271dd4230f3d07db34bf6515b434bcf0f085f8e703533ae14180f81dc

Score

10^/10

Malware Config

Extracted

Family

quasar

Attributes

encryption_key
install_name
log_directory
reconnect_delay
3000
startup_key
subdirectory

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

193.161.193.99:25334

Mutex

VNM_MUTEX_3gEHJWUppmmJSCirO4

Attributes

encryption_key
WrqRQZrwZ1NbyFhWiYhM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Targets

- Target
  
  e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215
- Size
  
  488KB
- MD5
  
  0f9120aa260daa1849a56062f8b6a492
- SHA1
  
  a56e35f6cc5424936a56827d307253c56a937a0e
- SHA256
  
  e2664640d1772b5f9626787ba8f6c88084c7a3de046457eeec2f0ce6bd07d215
- SHA512
  
  ae52b328521f6a550951ac0c53745034f985230dcd850d0881079d1a2f50b865c30e646271dd4230f3d07db34bf6515b434bcf0f085f8e703533ae14180f81dc
Score

10^/10

quasar spyware trojan venomrat office04 rat rootkit stealer suricata
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
  suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
  suricata
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Contains code to disable Windows Defender

Quasar Payload

Quasar RAT

VenomRAT

suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3

Executes dropped EXE

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2