General

  • Target

    _-Venom.exe.vir

  • Size

    534KB

  • Sample

    220621-mq39hsdadl

  • MD5

    b0f6e15f83e03ea0ab502951b62c3dbf

  • SHA1

    feeb74ad283f27e9eb5e96dccc9fa1c44eab00be

  • SHA256

    6b39407f3c2b6064f483c474c9359f344f2aa8e0afef0941d33deddbc275fdb2

  • SHA512

    8641c8a0b9b46e62a91d2d47a240a8df030394fbf2460d1327428daa46fc8fbf6950d799f9c17c710473712cf44cdb016ba7d4dffeabd6f0912b65874429da45

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

littlehf.ddns.net:4566

Mutex

VNM_MUTEX_au1VZH90ssfu7up6jn

Attributes
  • encryption_key

    XZHIHOgylm3qxGXtmm9j

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      _-Venom.exe.vir

    • Size

      534KB

    • MD5

      b0f6e15f83e03ea0ab502951b62c3dbf

    • SHA1

      feeb74ad283f27e9eb5e96dccc9fa1c44eab00be

    • SHA256

      6b39407f3c2b6064f483c474c9359f344f2aa8e0afef0941d33deddbc275fdb2

    • SHA512

      8641c8a0b9b46e62a91d2d47a240a8df030394fbf2460d1327428daa46fc8fbf6950d799f9c17c710473712cf44cdb016ba7d4dffeabd6f0912b65874429da45

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    • suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata: ET MALWARE Common RAT Connectivity Check Observed

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix

Tasks