quasar | fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314

General

Target

fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314
Size

757KB
Sample

220512-n3x4psdec4
MD5

2957c39376a38df6aefaee72674c92af
SHA1

f32007bbb1c99bda6e4c97b4a695e87913fd87b1
SHA256

fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314
SHA512

8cecae621972be05ab9be0071689fcf29028f63b1519c4698d531bc754af7363f7bc21dbfb1d97e75914d884ecf4e1264ff20b2903f7b11c45dc88a77ec5dcbc

Score

10^/10

Malware Config

Extracted

Family

quasar

Mutex

Attributes

encryption_key
install_name
log_directory
reconnect_delay
3000
startup_key
subdirectory

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_bW2Pm17MwUNvIYeCrf

Attributes

encryption_key
skMcIyTXgvAaYya6lzLD
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Targets

- Target
  
  fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314
- Size
  
  757KB
- MD5
  
  2957c39376a38df6aefaee72674c92af
- SHA1
  
  f32007bbb1c99bda6e4c97b4a695e87913fd87b1
- SHA256
  
  fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314
- SHA512
  
  8cecae621972be05ab9be0071689fcf29028f63b1519c4698d531bc754af7363f7bc21dbfb1d97e75914d884ecf4e1264ff20b2903f7b11c45dc88a77ec5dcbc
Score

10^/10

quasar persistence spyware trojan venomrat office04 rat rootkit stealer suricata
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Contains code to disable Windows Defender

Quasar Payload

Quasar RAT

VenomRAT

suricata: ET MALWARE Common RAT Connectivity Check Observed

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2