General
Target: 0x0008000000013a18-65.dat
Size: 535KB
Sample: 220604-x5ppsacgc7
MD5: 4d97786ab8047ad6c08532ed7a017573
SHA1: a64d07233d813f9a085722295dca62ca726e291a
SHA256: 5a72c2a12e0e42313c5d01277d3b26f52810a9753e31883f5f3e7a73a0021870
SHA512: 9224f6c0af0bb3aa6804e09b36617d2ecf762caf81ec0f2627553788f7045d09878b41ddb63a1d0779973cba52d2f1d59f69bc6c826ad8bb0d807444abab87d2
Behavioral task: behavioral1
Sample: 0x0008000000013a18-65.exe
Resource: win7-20220414-en
Malware Config
Extracted: quasar
2.1.0.0
V/R/B
siyatermi.duckdns.org:1518
VNM_MUTEX_mJ6pCWZMe3OMOha5bj
encryption_key: g1Bi32PXFGwyBI9DJGTD
install_name: Start Process.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Browser Module
subdirectory: Sys Resources
Targets
Target: 0x0008000000013a18-65.dat
Size: 535KB
Contains code to disable Windows Defender: A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Quasar Payload
suricata: ET MALWARE Common RAT Connectivity Check Observed
Executes dropped EXE
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.