quasar | af1d446bb3abc47b5eacb7a00ebb1992be1c464cac5b0e4283b12f0500c3ad4e | Triage

Submit
Reports

Overview

overview

Static

static

17e6bffaff...ae.exe

windows7-x64

17e6bffaff...ae.exe

windows10-2004-x64

Sharing

General

Target

17e6bffaff1ea223913deb1bc78e74ae.exe
Size

534KB
Sample

221015-g3q7tsfcd3
MD5

17e6bffaff1ea223913deb1bc78e74ae
SHA1

67daf17f3c8f6d2169b24f9a3698921991bbba2f
SHA256

af1d446bb3abc47b5eacb7a00ebb1992be1c464cac5b0e4283b12f0500c3ad4e
SHA512

72086bdd67ce5c778a625d37d7069200747b70193742afee986ec3d58b3a4a5c95b206c91997faf5d3e46e7ab379955db5f033a8b10a4a4899ff6e6068c60ab6
SSDEEP

6144:l8fGABIgrx8kFYLTiMkbMaOcXL/Tb88ASigvCcD+6cfsfiTDpxUKl3Gy3V8/GV0S:EPx7FYPiMNA/flvCcqTsfGpxLl+u

Score

10^/10

quasar venomrat asdf evasion rat rootkit spyware stealer trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

17e6bffaff1ea223913deb1bc78e74ae.exe

Resource

win7-20220901-en

quasar venomrat asdf evasion rat rootkit spyware stealer trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

17e6bffaff1ea223913deb1bc78e74ae.exe

Resource

win10v2004-20220812-en

quasar venomrat asdf evasion rat rootkit spyware stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

asdf

C2

checkme12.freeddns.org:1604

Mutex

VNM_MUTEX_yidaALoSEROfTPWHwX

Attributes

encryption_key
TbfVFQWqb0uiZoBjJ9E9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
UPX

Targets

- Target
  
  17e6bffaff1ea223913deb1bc78e74ae.exe
- Size
  
  534KB
- MD5
  
  17e6bffaff1ea223913deb1bc78e74ae
- SHA1
  
  67daf17f3c8f6d2169b24f9a3698921991bbba2f
- SHA256
  
  af1d446bb3abc47b5eacb7a00ebb1992be1c464cac5b0e4283b12f0500c3ad4e
- SHA512
  
  72086bdd67ce5c778a625d37d7069200747b70193742afee986ec3d58b3a4a5c95b206c91997faf5d3e46e7ab379955db5f033a8b10a4a4899ff6e6068c60ab6
- SSDEEP
  
  6144:l8fGABIgrx8kFYLTiMkbMaOcXL/Tb88ASigvCcD+6cfsfiTDpxUKl3Gy3V8/GV0S:EPx7FYPiMNA/flvCcqTsfGpxLl+u
Score

10^/10

quasar venomrat asdf evasion rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarvenomratasdfevasionratrootkitspywarestealertrojan

behavioral2

quasarvenomratasdfevasionratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy