General

  • Target

    2785b4bbb80b75836c685ac8a1a24f27.exe

  • Size

    534KB

  • Sample

    230115-q8pevsfe99

  • MD5

    2785b4bbb80b75836c685ac8a1a24f27

  • SHA1

    32dcef1d5f8e45655478c3dd960e6f9422af691c

  • SHA256

    7a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647

  • SHA512

    fb7e706bfee26cd2c2036743799d7accd18bd150c1224bee7d42d8d88c196645d39c333e14fb2c00f18ca002c65940dac10072fe242d8d42b4d46a505d63961c

  • SSDEEP

    6144:s8fGLJngzxsoIasFzFMkbcWV3Nce0/4obc4hpqEpZccKHBIAUYpnxVlGy3V8/GVX:WkxfIayFMPzf/m4hp7ncxKRYpn7Em

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office01

C2

172.81.131.113:4782

Mutex

VNM_MUTEX_OFUOtYdHQP7Y7fAk1P

Attributes
  • encryption_key

    xufMEowCMSpdPlEx87tq

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    mvscs

  • subdirectory

    SubDir

Targets

    • Target

      2785b4bbb80b75836c685ac8a1a24f27.exe

    • Size

      534KB

    • MD5

      2785b4bbb80b75836c685ac8a1a24f27

    • SHA1

      32dcef1d5f8e45655478c3dd960e6f9422af691c

    • SHA256

      7a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647

    • SHA512

      fb7e706bfee26cd2c2036743799d7accd18bd150c1224bee7d42d8d88c196645d39c333e14fb2c00f18ca002c65940dac10072fe242d8d42b4d46a505d63961c

    • SSDEEP

      6144:s8fGLJngzxsoIasFzFMkbcWV3Nce0/4obc4hpqEpZccKHBIAUYpnxVlGy3V8/GVX:WkxfIayFMPzf/m4hp7ncxKRYpn7Em

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks