quasar | 8b991be4706455f00586b345e836f27f8bc7c739a5e74090f425267f7e23230b

General

Target

8b991be4706455f00586b345e836f27f8bc7c739a5e74090f425267f7e23230b
Size

11.3MB
Sample

230129-z8vrbaeg4z
MD5

9a7c6e9e4341ad806d89fd54dbc54106
SHA1

6f60af10602477f58a4882c35bf2195974f68659
SHA256

8b991be4706455f00586b345e836f27f8bc7c739a5e74090f425267f7e23230b
SHA512

ce92939c290d681d5dddb11bcd11f00a183a252f21bfbd8732993d6c35d74d82079173919bf450cbe0cb393ef3845015cafb0febca8fd104e39e78d497e2eba6
SSDEEP

196608:QYDB3GqvqSoKND8Pu6FCjl2NU1mWIBMBKsv7eGMCQZPSf2Wi2ejaBsfNTxLoS:hW8qCDe/YkOeiKZPSf2WiZbfNTx

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svchost

C2

brawny-seat.auto.playit.gg:43523

Mutex

VNM_MUTEX_pXcIZtjIcgUFvGjb4Y

Attributes

encryption_key
g9s1kRSzQnDiqkRUUASg
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Targets

- Target
  
  8b991be4706455f00586b345e836f27f8bc7c739a5e74090f425267f7e23230b
- Size
  
  11.3MB
- MD5
  
  9a7c6e9e4341ad806d89fd54dbc54106
- SHA1
  
  6f60af10602477f58a4882c35bf2195974f68659
- SHA256
  
  8b991be4706455f00586b345e836f27f8bc7c739a5e74090f425267f7e23230b
- SHA512
  
  ce92939c290d681d5dddb11bcd11f00a183a252f21bfbd8732993d6c35d74d82079173919bf450cbe0cb393ef3845015cafb0febca8fd104e39e78d497e2eba6
- SSDEEP
  
  196608:QYDB3GqvqSoKND8Pu6FCjl2NU1mWIBMBKsv7eGMCQZPSf2Wi2ejaBsfNTxLoS:hW8qCDe/YkOeiKZPSf2WiZbfNTx
Score

10^/10

quasar venomrat svchost evasion pyinstaller rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2