quasar | 14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a | Triage

Submit
Reports

Overview

overview

Static

static

14dc1c330f...6a.exe

windows7-x64

14dc1c330f...6a.exe

windows10-2004-x64

Sharing

General

Target

14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a
Size

601KB
Sample

221125-kpt84shh5t
MD5

ac916695fe810d70b17bf78c9474aa4e
SHA1

36d871bd8f2bbd050f5218ad994fbe04d1cfe759
SHA256

14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a
SHA512

21821fb26a4a3c820f0497d3ed56de66cba7915eb76845e1d1829cff20065ff5909a065e81c6ba44406710d315bd9f1988cb06076047fa5a562ff49a7590730f
SSDEEP

12288:wgxy4jZZ8vDc6h3iUhFbAsUMdzxP0V2t5fI44FPTZFyd:1xy4jZ+vDc05hFXxxEIfhe7yd

Score

10^/10

quasar venomrat hacked evasion persistence rat rootkit spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe

Resource

win7-20221111-en

quasar venomrat hacked evasion persistence rat rootkit spyware stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a.exe

Resource

win10v2004-20221111-en

quasar venomrat hacked evasion persistence rat rootkit spyware stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

hacked

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_0Ae9WwC7TPO9smz3BJ

Attributes

encryption_key
jCEkwlvO5Scyan0S8vZo
install_name
Windows Security Health Service.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
Microsoft

Targets

- Target
  
  14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a
- Size
  
  601KB
- MD5
  
  ac916695fe810d70b17bf78c9474aa4e
- SHA1
  
  36d871bd8f2bbd050f5218ad994fbe04d1cfe759
- SHA256
  
  14dc1c330f5e4b976d09b6b0e8c740cac85a1e4ccca18089f9ae693de988996a
- SHA512
  
  21821fb26a4a3c820f0497d3ed56de66cba7915eb76845e1d1829cff20065ff5909a065e81c6ba44406710d315bd9f1988cb06076047fa5a562ff49a7590730f
- SSDEEP
  
  12288:wgxy4jZZ8vDc6h3iUhFbAsUMdzxP0V2t5fI44FPTZFyd:1xy4jZ+vDc05hFXxxEIfhe7yd
Score

10^/10

quasar venomrat hacked evasion persistence rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Disabling Security Tools

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

quasarvenomrathackedevasionpersistenceratrootkitspywarestealertrojan

behavioral2

quasarvenomrathackedevasionpersistenceratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy