Extracted

• • Target

    0e0a586e4c7a3d6508de4cffe0c78050c01dda128441853127ef10e1e3c7e25c

  • Size

    602KB

  • MD5

    f78e8fdb5c76c784818c1ea7ba8217cd

  • SHA1

    9a3ca4ab923d8b93b49f5d46c6b449845ca94c6d

  • SHA256

    0e0a586e4c7a3d6508de4cffe0c78050c01dda128441853127ef10e1e3c7e25c

  • SHA512

    9fc70809bac9189e693af1ccd10f35af84fe295b048ed609262a90bf071157b0a23ff2672c57f424fbcd56fc816c1400b6a9a09cd30e12619d785518151d62b3

  Score

  10^/10

  quasarvenomratwindows securityevasionpersistenceratrootkitspywarestealersuricatatrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Quasar Payload

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat

  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata

  • suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3

    suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3

    suricata

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2