Extracted

• • Target

    bb93cc9ac1cab079b9d6de25f206129f.exe

  • Size

    141KB

  • MD5

    bb93cc9ac1cab079b9d6de25f206129f

  • SHA1

    ba3a22a55f312eae953e10a352399a2950db42a2

  • SHA256

    9ff2439dd5f32e84e058c6ffe6864efefee16651600726b85a4cac2d2c0e4cdf

  • SHA512

    34eaa395573d6ae9c7ebb8b192b08549e49a0eb4da47ca280a5ece763fb927f60dba669b8adf7ab3a45a8a21eb438851ec484523b948bb6718a963ee08de92b7

  • SSDEEP

    3072:RARHROub6IiZktM+t4B6IZeAzaZyJ6QYzHHxgGT0Iw:RkxbQktMo4BRiyjYz6GTrw

  Score

  10^/10

  quasarvenomratwarzoneratoffice01collectionevasioninfostealerpersistenceratrootkitspywarestealertrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar payload

  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2