quasar | 54c1dc44cd458da7ec96343973fa7f350df27517715f41483f9cab748d3a9203

General

Target

e.exe
Size

10.4MB
Sample

220525-g4lzhacebr
MD5

621c28cd39d9d6f9a3377b8da8a8849b
SHA1

5a025ed5f5baae77496e27fb2996fcb22d67ed40
SHA256

54c1dc44cd458da7ec96343973fa7f350df27517715f41483f9cab748d3a9203
SHA512

b5600b871ac950ec10d7bd0c38bb242a9921b1bccd2dacaa709471475a4c410eb2b43b693e2c18db40349f5c8e15b2c0ee93dde4eb3cbce2f47db880fe48033f

Score

10^/10

Malware Config

Extracted

Family

quasar

Mutex

Attributes

encryption_key
install_name
log_directory
reconnect_delay
3000
startup_key
subdirectory

Extracted

Family

redline

Botnet

AwsR

C2

siyatermi.duckdns.org:17044

Extracted

Family

quasar

Version

2.1.0.0

Botnet

V/R/B

C2

siyatermi.duckdns.org:1518

Mutex

VNM_MUTEX_mJ6pCWZMe3OMOha5bj

Attributes

encryption_key
g1Bi32PXFGwyBI9DJGTD
install_name
Start Process.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Browser Module
subdirectory
Sys Resources

Targets

- Target
  
  e.exe
- Size
  
  10.4MB
- MD5
  
  621c28cd39d9d6f9a3377b8da8a8849b
- SHA1
  
  5a025ed5f5baae77496e27fb2996fcb22d67ed40
- SHA256
  
  54c1dc44cd458da7ec96343973fa7f350df27517715f41483f9cab748d3a9203
- SHA512
  
  b5600b871ac950ec10d7bd0c38bb242a9921b1bccd2dacaa709471475a4c410eb2b43b693e2c18db40349f5c8e15b2c0ee93dde4eb3cbce2f47db880fe48033f
Score

10^/10

quasar redline venomrat awsr v/r/b discovery evasion infostealer rat rootkit spyware stealer suricata trojan persistence
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2