Extracted

• • Target

    d5f6dbe3d6f5644a77d7a3971d9dd17caec494ced43ffc535473b285b0f1507e

  • Size

    1.0MB

  • MD5

    d7ddd317f0382a2200832312449a20cd

  • SHA1

    bd3710cff6322c6a372db549b637c32e383f05cc

  • SHA256

    d5f6dbe3d6f5644a77d7a3971d9dd17caec494ced43ffc535473b285b0f1507e

  • SHA512

    c3936a1943575b0bb9dfdf8fef0d9705fc08c275260ce8199b7ff13213b72173565e7c1a4dfd47bd4a5a592ce10749ff1dafe73ba0053c9bd8f7a8cee495407d

  • SSDEEP

    24576:WcvkT1s+3Z3aGWqKg0Ogj1OLHd+JwbMFdt6ATCRcaahwKHGaTKBupdl:hvkTq+3Z3ZWGsSHd+J+MFTsRcXnHGmKm

  Score

  10^/10

  quasarvenomratoffice04evasionratrootkitspywarestealertrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar payload

  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2