Extracted

• • Target

    bby.exe

  • Size

    16.0MB

  • MD5

    d7e48e5a49efe9ed774546fa7d35d71a

  • SHA1

    06212065ffe07d1321c8d85bf5c45871683fb197

  • SHA256

    b4f6e6290b1e185bff0baf1b1f3a16291bb2ceb3528051a2aa9528c43231e710

  • SHA512

    7dcfc267f527d27d6cb58bd950241b4a8a658b34bc4696f308fd5448b4111d64b93078fedf8d2c138eef83b6148372d8c887b74aae8291fc05c665fbe3d4eeb1

  Score

  10^/10

  quasarvenomratoffice04evasionpersistenceratrootkitspywarestealertrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar payload

  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  behavioral1behavioral2