quasar | 59b2725f7466da2b7426c5d2b64af386c128e313738a0cd5a838a5ec3ca90b5c

General

Target

59b2725f7466da2b7426c5d2b64af386c128e313738a0cd5a838a5ec3ca90b5c
Size

2.7MB
Sample

221130-vdm1rsbf5s
MD5

533a8b7d2d523e95e31f517ea0e432de
SHA1

64e003d9c733196f1c1569ee40c64983cc6e4127
SHA256

59b2725f7466da2b7426c5d2b64af386c128e313738a0cd5a838a5ec3ca90b5c
SHA512

b777d95be33e9b9cd5e0f4e5d9c494b83be0f835697bf9b358c7cc93acf6f2ef35f2ac502b9f96030c0262a0c5289d072b0920cd9ea46eea0fa1b4cc59136c4f
SSDEEP

49152:NUF0bDj03kJVsDZj3dE1juUo5XipVmaiDQ2EX8q8bgZvakhJGFLBz8LS:NUFUjmmVsDhNYj/VpVzh2I4S0FLBz8LS

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

RAT

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_gdy9bWxR0te3WgTRnI

Attributes

encryption_key
MDXzdQumRqZGIeya7nG9
install_name
Windows Defender Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
Microsoft

Targets

- Target
  
  59b2725f7466da2b7426c5d2b64af386c128e313738a0cd5a838a5ec3ca90b5c
- Size
  
  2.7MB
- MD5
  
  533a8b7d2d523e95e31f517ea0e432de
- SHA1
  
  64e003d9c733196f1c1569ee40c64983cc6e4127
- SHA256
  
  59b2725f7466da2b7426c5d2b64af386c128e313738a0cd5a838a5ec3ca90b5c
- SHA512
  
  b777d95be33e9b9cd5e0f4e5d9c494b83be0f835697bf9b358c7cc93acf6f2ef35f2ac502b9f96030c0262a0c5289d072b0920cd9ea46eea0fa1b4cc59136c4f
- SSDEEP
  
  49152:NUF0bDj03kJVsDZj3dE1juUo5XipVmaiDQ2EX8q8bgZvakhJGFLBz8LS:NUFUjmmVsDhNYj/VpVzh2I4S0FLBz8LS
Score

10^/10

quasar venomrat rat evasion persistence rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2