quasar | 329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903 | Triage

Submit
Reports

Overview

overview

Static

static

329b98802d...03.exe

windows7-x64

329b98802d...03.exe

windows10-2004-x64

Sharing

General

Target

329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903
Size

1.0MB
Sample

230129-v3mrasfe83
MD5

fc6cd521af42d5423b8ce0e53ae67703
SHA1

49a14b2ba77028b1dfb8167bdafdd2908c40f861
SHA256

329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903
SHA512

0de482d1f6ae53197da70045f84f2071e3a17b9cc90a4e3b7c68c1210590fe5f6eb4ec86d1c233e4c0c4662fb639c861bed0c869509ddf9cf53b9b3b4b841bab
SSDEEP

24576:ucvkTM6qPOgKbORmiNbbAb21NUJ2k+U1kYC80Oy2dj08:pvkT9Q+4miNG217k9Z5x

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903.exe

Resource

win7-20220812-en

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903.exe

Resource

win10v2004-20220812-en

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

127.0.0.1:4782

rat94522.ddnsking.com:4000

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
WIwQFd2V7FhUXFH7QX71
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Targets

- Target
  
  329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903
- Size
  
  1.0MB
- MD5
  
  fc6cd521af42d5423b8ce0e53ae67703
- SHA1
  
  49a14b2ba77028b1dfb8167bdafdd2908c40f861
- SHA256
  
  329b98802dad1219886d6912d0d5303f7d8012ff2c27fe0bd917b5b069865903
- SHA512
  
  0de482d1f6ae53197da70045f84f2071e3a17b9cc90a4e3b7c68c1210590fe5f6eb4ec86d1c233e4c0c4662fb639c861bed0c869509ddf9cf53b9b3b4b841bab
- SSDEEP
  
  24576:ucvkTM6qPOgKbORmiNbbAb21NUJ2k+U1kYC80Oy2dj08:pvkT9Q+4miNG217k9Z5x
Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

quasarvenomratoffice04evasionratrootkitspywarestealertrojan

behavioral2

quasarvenomratoffice04evasionratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy