quasar | 7a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

7a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647
Size

534KB
Sample

230116-cq5ggafh58
MD5

2785b4bbb80b75836c685ac8a1a24f27
SHA1

32dcef1d5f8e45655478c3dd960e6f9422af691c
SHA256

7a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647
SHA512

fb7e706bfee26cd2c2036743799d7accd18bd150c1224bee7d42d8d88c196645d39c333e14fb2c00f18ca002c65940dac10072fe242d8d42b4d46a505d63961c
SSDEEP

6144:s8fGLJngzxsoIasFzFMkbcWV3Nce0/4obc4hpqEpZccKHBIAUYpnxVlGy3V8/GVX:WkxfIayFMPzf/m4hp7ncxKRYpn7Em

Score

10^/10

quasar venomrat office01 evasion rat rootkit spyware stealer trojan

Static task

static1

office01 quasar

3 signatures

Behavioral task

behavioral1

Sample

7a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647.exe

Resource

win10v2004-20220901-en

quasar venomrat office01 evasion rat rootkit spyware stealer trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office01

C2

172.81.131.113:4782

Mutex

VNM_MUTEX_OFUOtYdHQP7Y7fAk1P

Attributes

encryption_key
xufMEowCMSpdPlEx87tq
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
mvscs
subdirectory
SubDir

Targets

- Target
  
  7a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647
- Size
  
  534KB
- MD5
  
  2785b4bbb80b75836c685ac8a1a24f27
- SHA1
  
  32dcef1d5f8e45655478c3dd960e6f9422af691c
- SHA256
  
  7a845c7bcfd781b09e0da20118f2e396152fc3aae1e77113c8d3adab45077647
- SHA512
  
  fb7e706bfee26cd2c2036743799d7accd18bd150c1224bee7d42d8d88c196645d39c333e14fb2c00f18ca002c65940dac10072fe242d8d42b4d46a505d63961c
- SSDEEP
  
  6144:s8fGLJngzxsoIasFzFMkbcWV3Nce0/4obc4hpqEpZccKHBIAUYpnxVlGy3V8/GVX:WkxfIayFMPzf/m4hp7ncxKRYpn7Em
Score

10^/10

quasar venomrat office01 evasion rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarvenomratoffice01evasionratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy