quasar | ed097795acee8f6fce5f80e71d2ed3cf6e27cbb3203673b6c1fc034bd3cee538

Sharing

Copy URL

Twitter E-mail

General

Target

BitcoinFakeTransaction(1).zip
Size

1.8MB
Sample

230121-veh37sfa2x
MD5

90f7d627c081ba7a8d9269ef12a0d40f
SHA1

89923e6d770a228cf9ec197ce4c530b4ebb195fd
SHA256

ed097795acee8f6fce5f80e71d2ed3cf6e27cbb3203673b6c1fc034bd3cee538
SHA512

4aaa337ef98f1a84431f416532c18536b90e9040f2ae2447c54a07a7a0d5406483b90c020c4d1325d7e3f48affac5469916a39d3c08025353b3341c7327c631b
SSDEEP

49152:Xq//LgmgdJjarYXwFZvQsFhww6pIYclZusmLh7yY0tm:6Lpg7jlwvLFRktctoByxk

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows securityy

192.253.245.243:7812

Mutex

VNM_MUTEX_Lwt9GYx0ZlES09069Z

Attributes

encryption_key
AhFntNS40ejah7Nv2cWL
install_name
Window Security Health Service.exe
log_directory
Logs
reconnect_delay
3000
startup_key
window update
subdirectory
windows Service32

Targets

- Target
  
  BitcoinFakeTransaction(1).zip
- Size
  
  1.8MB
- MD5
  
  90f7d627c081ba7a8d9269ef12a0d40f
- SHA1
  
  89923e6d770a228cf9ec197ce4c530b4ebb195fd
- SHA256
  
  ed097795acee8f6fce5f80e71d2ed3cf6e27cbb3203673b6c1fc034bd3cee538
- SHA512
  
  4aaa337ef98f1a84431f416532c18536b90e9040f2ae2447c54a07a7a0d5406483b90c020c4d1325d7e3f48affac5469916a39d3c08025353b3341c7327c631b
- SSDEEP
  
  49152:Xq//LgmgdJjarYXwFZvQsFhww6pIYclZusmLh7yY0tm:6Lpg7jlwvLFRktctoByxk
Score

1^/10
behavioral1 behavioral2
- Target
  
  BitcoinFakeTransaction/BitcoinFakeTransaction.exe
- Size
  
  997KB
- MD5
  
  4fe10e794eb25820b63890cfa0abca42
- SHA1
  
  321ecd39644a864a47cc3d431be53c8035acf59f
- SHA256
  
  5cc80ef8d5cd9c1fffb5660dd739177ae9043cc13a022a8e8e2c696fa5fcf59e
- SHA512
  
  728e83d4782347f8959c528579e504ec38fb8c5c18ebacceb106c46d5462ed731a685be3db0450d0dc5eb08f3f9ead13d5080ce244408e3d371e760dd159d70e
- SSDEEP
  
  12288:1UTyp3ZXSXsy8p4pymXXOZ4z2im3eyOYZ/w4FGVIa9A30xT5uUPDP:1UTSo/Bpu4qim3nZ/wB9+wT5fP
Score

10^/10

quasar venomrat windows securityy evasion persistence rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  BitcoinFakeTransaction/ffmpeg.dll
- Size
  
  2.2MB
- MD5
  
  a8ef18a42f931ec927ada9d28c3c845e
- SHA1
  
  45e3853ba2aa4912ec74e0c51684503d645bb882
- SHA256
  
  5b9beea0c42bf17e00fc854434d73452087b7fed323a8f035478b284670fcdae
- SHA512
  
  398ae8eb426275984b10698a1bd3992a17f73aeaeb99f9c0adc3db3ee396e864d50e3307a5e9b5f1987dca331505fd49ece0f173877ea6ffd942b2cba8e36d73
- SSDEEP
  
  49152:gspMRI28259LtbjsjdbVmofrZq/zPhmFyuPAfL1s2OwGNbHRtL2:g4b2aux6LNbHD2
Score

1^/10
behavioral5 behavioral6
- Target
  
  BitcoinFakeTransaction/libEGL.dll
- Size
  
  370KB
- MD5
  
  31611ee5ec79234e559d8ef4a045b31f
- SHA1
  
  2e0b682433fa3c5ee88a55a4b1e0cdeaf72a1efc
- SHA256
  
  316b25ddca2c1035e8f599041480659374caf2b3fc8e3e4a3a8434024bd496e7
- SHA512
  
  a1df2246af7f0f6e2cefc39174be870f23139b87b14b658cd6f267eacdd6936ff4f4ac6bd1071ca7bb2c4395db920dbd718812b1c524c0ac3bdef760833bde43
- SSDEEP
  
  6144:pj0Aq7pjRaVlgZrNJserEW848VvGy1+Gew8YUo/9Jctrp2:pj0F7p4lgZZJsmbk+Gew8cM2
Score

3^/10
behavioral7 behavioral8

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Contains code to disable Windows Defender

Modifies Windows Defender Real-time Protection settings

Quasar RAT

Quasar payload

VenomRAT

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Windows security modification

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8