Overview

overview

10

Static

static

8355ecc5bf...34.exe

windows7-x64

10

8355ecc5bf...34.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8355ecc5bf7aaff778180863fee588adf6fdc1cb12062c021109a1ec1f130b34

  • Size

    611KB

  • Sample

    221125-kshpgsaa8z

  • MD5

    cc65b79bc0887658e9c592071bf8cb91

  • SHA1

    a45592c19ed3c8579972c7c7e19ba01af2894348

  • SHA256

    8355ecc5bf7aaff778180863fee588adf6fdc1cb12062c021109a1ec1f130b34

  • SHA512

    0f0155a099487c91485b1df911fdbc4ae00fbbcd9ce48954daffadfe72247dc3d1f1af58d41081216a8977f43d277eb6578d8d4f04dceae32a361168c288b719

  • SSDEEP

    6144:4iBZTVvvVDzRW1BHH3g1NWT+AKYEM+gW4SmSMX0zCVsVwX+v456/Z9ZGoaEKwa/W:4AZTVXFRW1ZpK2bNV0Cgwu/ZGmkAh

Score
10/10
quasarvenomratratevasionpersistenceratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

RAT

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_It9SqdFDNndEItXfKp

Attributes
  • encryption_key

    txgQXKaATimN7DY8jnPH

  • install_name

    Windows Defender Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    Microsoft

Targets

    • Target

      8355ecc5bf7aaff778180863fee588adf6fdc1cb12062c021109a1ec1f130b34

    • Size

      611KB

    • MD5

      cc65b79bc0887658e9c592071bf8cb91

    • SHA1

      a45592c19ed3c8579972c7c7e19ba01af2894348

    • SHA256

      8355ecc5bf7aaff778180863fee588adf6fdc1cb12062c021109a1ec1f130b34

    • SHA512

      0f0155a099487c91485b1df911fdbc4ae00fbbcd9ce48954daffadfe72247dc3d1f1af58d41081216a8977f43d277eb6578d8d4f04dceae32a361168c288b719

    • SSDEEP

      6144:4iBZTVvvVDzRW1BHH3g1NWT+AKYEM+gW4SmSMX0zCVsVwX+v456/Z9ZGoaEKwa/W:4AZTVXFRW1ZpK2bNV0Cgwu/ZGmkAh

    Score
    10/10
    quasarvenomratratevasionpersistenceratrootkitspywarestealertrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

      ratrootkitstealervenomrat

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks