General
-
Target
ctvhost.exe
-
Size
950KB
-
Sample
221124-v5rs2ada3s
-
MD5
400e6840d7481c535d4dd1cf118f128f
-
SHA1
ce7b34e004cd85769405d55f2fdd5562f91b9811
-
SHA256
d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364
-
SHA512
858ef64ce1d40013fc026790f2a5767c9284c9f7bfca58f4d3db6e61070893fda4ea05e01115ecbc92a36178f6c54be3c97e1a75fc7ad372113b041ef5d676d0
-
SSDEEP
12288:1XHYsZ1DX/VDJtV7w974FzDxIh/LOj5dBgb2yHNrciAlFebwuZHyRA1x09:VHYkzMLQdO9N9fpn09
Malware Config
Targets
-
-
Target
ctvhost.exe
-
Size
950KB
-
MD5
400e6840d7481c535d4dd1cf118f128f
-
SHA1
ce7b34e004cd85769405d55f2fdd5562f91b9811
-
SHA256
d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364
-
SHA512
858ef64ce1d40013fc026790f2a5767c9284c9f7bfca58f4d3db6e61070893fda4ea05e01115ecbc92a36178f6c54be3c97e1a75fc7ad372113b041ef5d676d0
-
SSDEEP
12288:1XHYsZ1DX/VDJtV7w974FzDxIh/LOj5dBgb2yHNrciAlFebwuZHyRA1x09:VHYkzMLQdO9N9fpn09
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
Modifies security service
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
UAC bypass
-
Windows security bypass
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-