General

  • Target

    0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72

  • Size

    555KB

  • Sample

    220516-p7sv8aehfn

  • MD5

    ccf59a9ca800d77f057cdc4f521495c1

  • SHA1

    7cdab49311072b2de9adc80c44bb60c323367321

  • SHA256

    0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72

  • SHA512

    7ba18a18d3af162ea408746b362d6d56027b76c3f3208e87cea43aa9023ac39e1fa000c95d8e02c45e974674dc327f26f3d6a4ce0b36b1ccb226036ed104596a

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

Mju-49682.portmap.io:49682

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    SuO52LCbOLZpyY12QyzT

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72

    • Size

      555KB

    • MD5

      ccf59a9ca800d77f057cdc4f521495c1

    • SHA1

      7cdab49311072b2de9adc80c44bb60c323367321

    • SHA256

      0d5e2eae0c67083409f56b1b0da8a3ed755241f3c571c28fae7f6a8ba383ff72

    • SHA512

      7ba18a18d3af162ea408746b362d6d56027b76c3f3208e87cea43aa9023ac39e1fa000c95d8e02c45e974674dc327f26f3d6a4ce0b36b1ccb226036ed104596a

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    • suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata: ET MALWARE Common RAT Connectivity Check Observed

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks