quasar | 8355ecc5bf7aaff778180863fee588adf6fdc1cb12062c021109a1ec1f130b34

General

Target

8355ecc5bf7aaff778180863fee588adf6fdc1cb12062c021109a1ec1f130b34
Size

611KB
Sample

221125-kshpgsaa8z
MD5

cc65b79bc0887658e9c592071bf8cb91
SHA1

a45592c19ed3c8579972c7c7e19ba01af2894348
SHA256

8355ecc5bf7aaff778180863fee588adf6fdc1cb12062c021109a1ec1f130b34
SHA512

0f0155a099487c91485b1df911fdbc4ae00fbbcd9ce48954daffadfe72247dc3d1f1af58d41081216a8977f43d277eb6578d8d4f04dceae32a361168c288b719
SSDEEP

6144:4iBZTVvvVDzRW1BHH3g1NWT+AKYEM+gW4SmSMX0zCVsVwX+v456/Z9ZGoaEKwa/W:4AZTVXFRW1ZpK2bNV0Cgwu/ZGmkAh

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

RAT

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_It9SqdFDNndEItXfKp

Attributes

encryption_key
txgQXKaATimN7DY8jnPH
install_name
Windows Defender Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
Microsoft

Targets

- Target
  
  8355ecc5bf7aaff778180863fee588adf6fdc1cb12062c021109a1ec1f130b34
- Size
  
  611KB
- MD5
  
  cc65b79bc0887658e9c592071bf8cb91
- SHA1
  
  a45592c19ed3c8579972c7c7e19ba01af2894348
- SHA256
  
  8355ecc5bf7aaff778180863fee588adf6fdc1cb12062c021109a1ec1f130b34
- SHA512
  
  0f0155a099487c91485b1df911fdbc4ae00fbbcd9ce48954daffadfe72247dc3d1f1af58d41081216a8977f43d277eb6578d8d4f04dceae32a361168c288b719
- SSDEEP
  
  6144:4iBZTVvvVDzRW1BHH3g1NWT+AKYEM+gW4SmSMX0zCVsVwX+v456/Z9ZGoaEKwa/W:4AZTVXFRW1ZpK2bNV0Cgwu/ZGmkAh
Score

10^/10

quasar venomrat rat evasion persistence rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2