General

  • Target

    dac30ab400ec6be2daa29718ea6d0a3e.exe

  • Size

    867KB

  • Sample

    221015-g3q7tsfcfm

  • MD5

    dac30ab400ec6be2daa29718ea6d0a3e

  • SHA1

    06320ebc648623885645657fd2a72a728f2441cd

  • SHA256

    93361aea837c73c75f9067700572262e69d1cfbfa6634e7ea8f249701e1fdebb

  • SHA512

    67f360d49625822199c133981c4077d88d9ec2347386858f33d08d6b6f37c15af0c56cf9772e0fb819072ab4b63b13eb334237ccd727ce91cad9b68ab47ec58c

  • SSDEEP

    12288:3ARp0gFW4q6AD9/Gz8hQOFPA/OcMowPzQvEXpqCctQHNM:2igFW4qbx/GY7Y/jw7tICct4a

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

asdf

C2

checkme12.freeddns.org:1604

Mutex

VNM_MUTEX_yidaALoSEROfTPWHwX

Attributes
  • encryption_key

    TbfVFQWqb0uiZoBjJ9E9

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    UPX

Targets

    • Target

      dac30ab400ec6be2daa29718ea6d0a3e.exe

    • Size

      867KB

    • MD5

      dac30ab400ec6be2daa29718ea6d0a3e

    • SHA1

      06320ebc648623885645657fd2a72a728f2441cd

    • SHA256

      93361aea837c73c75f9067700572262e69d1cfbfa6634e7ea8f249701e1fdebb

    • SHA512

      67f360d49625822199c133981c4077d88d9ec2347386858f33d08d6b6f37c15af0c56cf9772e0fb819072ab4b63b13eb334237ccd727ce91cad9b68ab47ec58c

    • SSDEEP

      12288:3ARp0gFW4q6AD9/Gz8hQOFPA/OcMowPzQvEXpqCctQHNM:2igFW4qbx/GY7Y/jw7tICct4a

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks