quasar | 29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5

General

Target

29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5
Size

615KB
Sample

221130-v3qg7adf4t
MD5

76869ef841f2820d0bbadddc46fc3c9a
SHA1

e827d9b426e4ef75f31e6e9d81f47e70da3ac3a2
SHA256

29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5
SHA512

582047f529fae9eacf9b4c762904b21c1d430d219e77b9bc65730e89c00be5f666a452f95cd1b0af067480eb9abd4446bf9431aa4afe2a4f68ad8226d1c11995
SSDEEP

6144:QYhWwTVvvVDzRW1BHH3g1NWT+AKYEM+gW4SmSMX0zCVsVwX+v456/bT8GoaEKwae:dhHTVXFRW1ZpK2bNV0CgwuX8GmkAh

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

RAT

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_It9SqdFDNndEItXfKp

Attributes

encryption_key
txgQXKaATimN7DY8jnPH
install_name
Windows Defender Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
Microsoft

Targets

- Target
  
  29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5
- Size
  
  615KB
- MD5
  
  76869ef841f2820d0bbadddc46fc3c9a
- SHA1
  
  e827d9b426e4ef75f31e6e9d81f47e70da3ac3a2
- SHA256
  
  29533c09c2ca85885835c2c3cbe3cba61b4310f14c170cc52bfc0d1bbf1779f5
- SHA512
  
  582047f529fae9eacf9b4c762904b21c1d430d219e77b9bc65730e89c00be5f666a452f95cd1b0af067480eb9abd4446bf9431aa4afe2a4f68ad8226d1c11995
- SSDEEP
  
  6144:QYhWwTVvvVDzRW1BHH3g1NWT+AKYEM+gW4SmSMX0zCVsVwX+v456/bT8GoaEKwae:dhHTVXFRW1ZpK2bNV0CgwuX8GmkAh
Score

10^/10

quasar venomrat rat evasion rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2