quasar | 4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72 | Triage

Submit
Reports

Overview

overview

Static

static

4e07acab11...72.exe

windows7-x64

4e07acab11...72.exe

windows10-2004-x64

Sharing

General

Target

4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72
Size

606KB
Sample

221130-s7f37sfh6z
MD5

c23863e0d7186334ca69903c6653ae06
SHA1

6040256f4dabd5ee5dee6560e04c56f699532db6
SHA256

4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72
SHA512

b9a7ffaa9a01a488efd29a9f9162c95a8c50f25d2183679f4783ce900319d81f4d375518667959b89bf8df002a869736a2c47bccae3b8ec5844f8f31c2fa7759
SSDEEP

12288:HDNN+IaAFB0OLrdd5xSx8G3cK6TsrId6dd4WCWd9nNxtSR9UcN+Pjv:HDr+FqVvL5x4RcKYd83CWd9+UPv

Score

10^/10

quasar venomrat hacked evasion persistence rat rootkit spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe

Resource

win7-20221111-en

quasar venomrat hacked evasion persistence rat rootkit spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72.exe

Resource

win10v2004-20221111-en

quasar venomrat hacked persistence rat rootkit spyware stealer trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

hacked

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_cFzA15c8rYLW8gVTCh

Attributes

encryption_key
VGvtyILUmmcgl2gY0sSm
install_name
Windows Security Health Service.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
SubDir

Targets

- Target
  
  4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72
- Size
  
  606KB
- MD5
  
  c23863e0d7186334ca69903c6653ae06
- SHA1
  
  6040256f4dabd5ee5dee6560e04c56f699532db6
- SHA256
  
  4e07acab1178209379b2f3926e63da1a3002c9640667907db610216bd6e02e72
- SHA512
  
  b9a7ffaa9a01a488efd29a9f9162c95a8c50f25d2183679f4783ce900319d81f4d375518667959b89bf8df002a869736a2c47bccae3b8ec5844f8f31c2fa7759
- SSDEEP
  
  12288:HDNN+IaAFB0OLrdd5xSx8G3cK6TsrId6dd4WCWd9nNxtSR9UcN+Pjv:HDr+FqVvL5x4RcKYd83CWd9+UPv
Score

10^/10

quasar venomrat hacked evasion persistence rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Disabling Security Tools

Install Root Certificate

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

quasarvenomrathackedevasionpersistenceratrootkitspywarestealertrojan

behavioral2

quasarvenomrathackedpersistenceratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy