quasar | f7b7b60e1af0c608e5e95f45e63efd24a34227811eefa77871505ff0d0208cda

Sharing

Copy URL

Twitter E-mail

General

Target

SpyNote_6.4.7z
Size

34.5MB
Sample

230112-vycerscf4v
MD5

32d06298f234500359e6619ecaeebf50
SHA1

82ad1788141370c7e849321070b65a9e3319a5dc
SHA256

f7b7b60e1af0c608e5e95f45e63efd24a34227811eefa77871505ff0d0208cda
SHA512

3488d0a798a2d76463edd29a5848c3e548d22018262aae32a99db5402def5587ba59a3bfaee50f35abb589876ae61d8e1343813c07f588423af96a739a2f21bb
SSDEEP

786432:rhwCspfUanXJLBfE6e05ij0VdxJh5FqUpyQ2g0s/LpV7/Y3coFo/w3:9YUaXJL6p0IjExfXpD7Lpt/Y3nFoo

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

smtp.yassine-bolard.nl:72

82.65.150.176:72

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
oacDd8MguAxsN1YILaEK
install_name
$77Discord.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord_Update
subdirectory
Discord_Updater

Targets

- Target
  
  CoreAudioApi.dll
- Size
  
  24KB
- MD5
  
  6a009b7c4b252788d80d4e40adcf51ce
- SHA1
  
  9302cd4f00fa70b768feec2a49505052cd4bd13e
- SHA256
  
  df6115987161ee1238f9564bd10c998d9016f582e5b7b9d23d21a74d6955bdd3
- SHA512
  
  7a27bc38249b293fbfb9389cac3365bf64e9536281c347939192e6b151b4e574bd9743df81721dc4e6beca0ab0a5784436b7f7bff780fdddef4c7c26b02cc354
- SSDEEP
  
  384:JGuIVn86+5zUH4RmcBoZhn9ipvNeFSAucqmPBJGbsw3uiIx5L5gV:CVn86YzgoW0VNeFS0Tbw3up5tgV
Score

1^/10
behavioral1
- Target
  
  Resources/Icons/Logo/Logo.png
- Size
  
  26KB
- MD5
  
  c6099a79ca221e51398757b6164a8f17
- SHA1
  
  77becc1c68fdd97550a8fb6162a86b03cef8344f
- SHA256
  
  204b258904320951c7438e4360ef2b567a3505a397f912edffb30398e34f1ec9
- SHA512
  
  27bf3575ea68314ae39ee5adca196d1b999c76869b929054ba86ac8d157b90eeedb340925339ebe84457b0f2597ec494d97cd8e5eae25c51dda095c8a28fa8fd
- SSDEEP
  
  384:LJwDyOFAvYj7crXBurCP0tnnCIhgwrZ8tb/xibWXYsCCiRdfqJfDG4NS:LJwDFAvOYQkbSoRCNRkfPNS
Score

3^/10
behavioral2
- Target
  
  Resources/Imports/Gsm/GSM.dll
- Size
  
  5KB
- MD5
  
  c4ceacedf5310a761b828bed9f7dbc62
- SHA1
  
  f2c4c23d1c04df3899bc0a1e1812eca8f421fbb1
- SHA256
  
  61b0ca29ce7a62932699f33c272fd6d3731a1430ac3455b7a240b01ae461370f
- SHA512
  
  58c42d60a28c6e344060242e77cc841ba1a892cb8b9d5dae02c8f9b2e4c1deeebb599e6a1c401a3c585eb44c28d9c72b2ee56be273169af1d52850e426a1da32
- SSDEEP
  
  96:Vuyz+/KPV+gzlmtrLPfdHOzHFu90rdjF:5z+m9ELPfdHH90H
Score

1^/10
behavioral3
- Target
  
  Resources/Imports/Payload/SL.exe
- Size
  
  1.5MB
- MD5
  
  2eabc8a774c544e9b6e23ba1b83ed783
- SHA1
  
  a880005b4f619e004f4d9adcce2a9612112c26b2
- SHA256
  
  0080743a4364b8e5d8ec6a19010ee12dc79fcf815f592db639af262420ada0f8
- SHA512
  
  ed8cd1ec97e0954715c81c284bbc2751340a7933511862cda65e72be35fdd9d4a8693066f3023025f92b06c845173c2e5da6f4d88a3e97c62c640643dff475a9
- SSDEEP
  
  768:1KSAOfhZXvSzjWKDIp93ZZwpZpTQdBHiF7QHsIMd3uDzZuFs+mk:nrfhZXvSzjWb5wz16S7l9eDzZu7
Score

1^/10
behavioral4
- Target
  
  Resources/Imports/Payload/stub.apk
- Size
  
  730KB
- MD5
  
  0c0290abde03555f3c66c81eba860a3d
- SHA1
  
  939a8e6d0ed4bd8c9f491405ecf069df7bddb7cc
- SHA256
  
  7b20a276931c8625b39ebc46017c7e4d4a7bdf319b9f451231d777b078b0cd6a
- SHA512
  
  441922d41856ec246d1cb29e3b290b62b2d3bc4ca54f896af1df72263e67a320f1b3b85f4d5bd129fa32b4633a1b9f74a63783791f1ea1cb1ca97a8a26b8ea48
- SSDEEP
  
  12288:CJc+EIBvAvcKIth8eGz3zaR9QHqd8gmw+/goe13VvqX:CJc+EIO0K4KeGTzaR+imz/goeHvqX
Score

3^/10
behavioral5
- Target
  
  Resources/Imports/PlayerJava/PlayerJava.jar
- Size
  
  3KB
- MD5
  
  d9c23d7574c0d886321dcd029e463f2c
- SHA1
  
  7fad47eb6860a01325c6d526a43d9bbadb66aff7
- SHA256
  
  e22d8a06415f21b900a9a079a6a7928d6c84d2cf33aa07c6ad385dfbbfcd55ed
- SHA512
  
  c32c019fb0bacbd70441cf3ed769bfde9597389f840ff8511db36586756382ef22bd163a7b7cb9e258a4b7a896e5d1a606d92513a141cb2e3c6e421a66ecb316
Score

1^/10
behavioral6
- Target
  
  Resources/Imports/T/sS.exe
- Size
  
  20KB
- MD5
  
  fcc080409bf077b1c85f159218e62dbf
- SHA1
  
  616e64d4ca2286d4f4b11df583fa2b9ba81c6e78
- SHA256
  
  e3865e0d3f776a6827f4ddb640cc66c56ede8826a1f29383e3578b85caf248ef
- SHA512
  
  14d7ceac1730faadfe10ff573ed825f8e449c7ae879892d09d832b67d68a128c07ef94c675a5221edde82e7b73fd1b852ddbda7894e554cce98fa1625fb00eb6
- SSDEEP
  
  384:3AOcHfvbeLb7i4yimcx5GLD9WLEO2a0R7RknlcDqfJ:3AO+fDen7i4fmFrRFknGDy
Score

1^/10
behavioral7
- Target
  
  Resources/Imports/platform-tools/plwin.exe
- Size
  
  25KB
- MD5
  
  9aadaec3eccf406b2591e32c438a67a4
- SHA1
  
  fb971b1687400fcedf5ac4a36f45ead3b54d14e3
- SHA256
  
  268fa687554273029bf87668367b4084d4928de6b2a4cf4fbcd52e944d0efe16
- SHA512
  
  cba31ace6459a83dca18a486fc7a06da50419442d92e25e2661fdc101542b49ae3778fe197b6409396b7093747c67316917760de8576d351cd37e51e3dda9d3d
- SSDEEP
  
  768:Q3ULAwpnEUaSCMc/o6/d5cfsEAIHtYcFmVc6K:eULAwcSCMcdWfsQfmVcl
Score

1^/10
behavioral8
- Target
  
  SpyNote_6.4.exe
- Size
  
  20.6MB
- MD5
  
  a85a3487b761469b8d2e412331d8d1c7
- SHA1
  
  7ee2a306d942b37baad5943a42ae40c673376161
- SHA256
  
  719d66cf2ffd53ffc2db32097433bf9bdc169d67e4d03474a5bd0c3bdf68f37d
- SHA512
  
  35af4f14d101f0bd01fbf87363cc03216a1258bcfdb33c5886d430b7fa7fd53c11729955128e516660306c0f15674144b347ad434b2682792e91d8812be4fac7
- SSDEEP
  
  393216:BnSbLcYDnp2+qKRLaS1GB6jMI/0s7bynxYnMHcBNvUqvvDY4g3X9w+ijU0UkL2Y:DYTpD7LaS1GVI8xmnM8BNvnNg6+KU0L
Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral9

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Contains code to disable Windows Defender

Modifies Windows Defender Real-time Protection settings

Quasar RAT

Quasar payload

VenomRAT

Executes dropped EXE

Windows security modification

Looks up external IP address via web service

Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9