quasar | 75031e206522faaec5981f7cf411472b23ee0508748cd5c1453e390c6facffc8 | Triage

Submit
Reports

Overview

overview

Static

static

8c274dad5f...26.exe

windows7-x64

8c274dad5f...26.exe

windows10-2004-x64

Sharing

General

Target

8c274dad5fd77b0692ca5c299ffb0d26.exe
Size

536KB
Sample

230119-k5llxace4y
MD5

8c274dad5fd77b0692ca5c299ffb0d26
SHA1

5dda42516b5f3b65093dae4b55506e9c8813d745
SHA256

75031e206522faaec5981f7cf411472b23ee0508748cd5c1453e390c6facffc8
SHA512

370c2b2f4a2342b1d3281e2b8d2a426606e0e828b4342981bcd42b16f78dd071d419d646e3c94292cf11e287347b48f2231de91a21ff2856ea08e2085da335b9
SSDEEP

12288:k04p+yRb8qXeSCTQVpyQJPiDZOjVYXRTyyss:k0M8qXzCTQ/yQWRyq

Score

10^/10

quasar venomrat office01 evasion rat rootkit spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

8c274dad5fd77b0692ca5c299ffb0d26.exe

Resource

win7-20220812-en

quasar venomrat office01 evasion rat rootkit spyware stealer trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

8c274dad5fd77b0692ca5c299ffb0d26.exe

Resource

win10v2004-20220812-en

quasar venomrat office01 evasion rat rootkit spyware stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office01

C2

172.81.131.113:4782

Mutex

VNM_MUTEX_OFUOtYdHQP7Y7fAk1P

Attributes

encryption_key
xufMEowCMSpdPlEx87tq
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
mvscs
subdirectory
SubDir

Targets

- Target
  
  8c274dad5fd77b0692ca5c299ffb0d26.exe
- Size
  
  536KB
- MD5
  
  8c274dad5fd77b0692ca5c299ffb0d26
- SHA1
  
  5dda42516b5f3b65093dae4b55506e9c8813d745
- SHA256
  
  75031e206522faaec5981f7cf411472b23ee0508748cd5c1453e390c6facffc8
- SHA512
  
  370c2b2f4a2342b1d3281e2b8d2a426606e0e828b4342981bcd42b16f78dd071d419d646e3c94292cf11e287347b48f2231de91a21ff2856ea08e2085da335b9
- SSDEEP
  
  12288:k04p+yRb8qXeSCTQVpyQJPiDZOjVYXRTyyss:k0M8qXzCTQ/yQWRyq
Score

10^/10

quasar venomrat office01 evasion rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarvenomratoffice01evasionratrootkitspywarestealertrojan

behavioral2

quasarvenomratoffice01evasionratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy