General
-
Target
d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc
-
Size
655KB
-
Sample
221130-wan94aec9v
-
MD5
c6b8dff8c0e4204c318dc7e349d5f531
-
SHA1
af9f8e6bacac7bd9c2b59c80d4448f0abc10b3c3
-
SHA256
d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc
-
SHA512
6d81e1b0b22452fab716d4e7baa8d05cec02e7a4a3d4a8460504bd7075b23645c2344576f9b0364eef9cfbce64a53d5c12266d9d7f8ab3a0c9e03fdd39d09d8f
-
SSDEEP
12288:QNlD5ZS/1WEJOAqRSEM3Sy21LVbK89elrrJ56m:QKIDAEQSy2TbKuKN
Malware Config
Extracted
quasar
2.1.0.0
ajith
23.105.131.178:7812
VNM_MUTEX_NdVd2sPSSqFdo7I35g
-
encryption_key
jyerms3KOWmt3C9DBFuq
-
install_name
Windows Defender Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Update
-
subdirectory
SubDir
Targets
-
-
Target
d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc
-
Size
655KB
-
MD5
c6b8dff8c0e4204c318dc7e349d5f531
-
SHA1
af9f8e6bacac7bd9c2b59c80d4448f0abc10b3c3
-
SHA256
d76aafee2e54939467b8375394c17f0f99e1dd8497fe2e9a91ff61c4b2d6c8dc
-
SHA512
6d81e1b0b22452fab716d4e7baa8d05cec02e7a4a3d4a8460504bd7075b23645c2344576f9b0364eef9cfbce64a53d5c12266d9d7f8ab3a0c9e03fdd39d09d8f
-
SSDEEP
12288:QNlD5ZS/1WEJOAqRSEM3Sy21LVbK89elrrJ56m:QKIDAEQSy2TbKuKN
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-