Extracted

• • Target

    e14fe9800b600ce61b06794233aa47d6fbbc20d18dbb1e531c5deaac995bbca8

  • Size

    590KB

  • MD5

    f7d70adb404cf63562d6541fce16ee94

  • SHA1

    7c855ae562c54c6747c682f9403ff902308deeb1

  • SHA256

    e14fe9800b600ce61b06794233aa47d6fbbc20d18dbb1e531c5deaac995bbca8

  • SHA512

    aed0a69aa45018197f04eec259ab4954f0ecd6f0e309a745346282cc46efd4e6567f920a3cfa39326082abff40de6ad932150ae5f6207e1a580d87343410d519

  • SSDEEP

    6144:kU9/iRCAm9wyitWVSIyIXQR3YQJrjYPUotecWo7vMyYp5lQj64cmX3Hrv9Otawza:i3ynm3RsPj7WYUxp+TvotLzAFLBz8LS

  Score

  10^/10

  quasarvenomratratevasionpersistenceratrootkitspywarestealertrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar payload

  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2