General

  • Target

    317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87

  • Size

    2.6MB

  • Sample

    221130-xk6gssaa2t

  • MD5

    017d1ddeb4f16982eda16fe8f07c63e6

  • SHA1

    ac0bca32f8eb453aad9df1b9fb0ca6dad9d70556

  • SHA256

    317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87

  • SHA512

    d0439cdcea450461ce8f61121b86fada72abd52d13251e47d76949aa9ce370c8bc64169be96719e7010411fe92d8194db9835df1825490da4bc283b1660886bc

  • SSDEEP

    49152:sslxW0qtwxdh9Q7Wm1kX8sp1ua2oUHXN5Wr7Pf:nlwTtWhs1a8KOVHXNgXf

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

RAT

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_It9SqdFDNndEItXfKp

Attributes
  • encryption_key

    txgQXKaATimN7DY8jnPH

  • install_name

    Windows Defender Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    Microsoft

Targets

    • Target

      317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87

    • Size

      2.6MB

    • MD5

      017d1ddeb4f16982eda16fe8f07c63e6

    • SHA1

      ac0bca32f8eb453aad9df1b9fb0ca6dad9d70556

    • SHA256

      317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87

    • SHA512

      d0439cdcea450461ce8f61121b86fada72abd52d13251e47d76949aa9ce370c8bc64169be96719e7010411fe92d8194db9835df1825490da4bc283b1660886bc

    • SSDEEP

      49152:sslxW0qtwxdh9Q7Wm1kX8sp1ua2oUHXN5Wr7Pf:nlwTtWhs1a8KOVHXNgXf

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks