Overview

overview

10

Static

static

10

d79a203cab...16.exe

windows7-x64

10

d79a203cab...16.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7a98ca652a682ae96bc3f9ac6d554d82.bin

  • Size

    488KB

  • Sample

    230528-byfbwadg75

  • MD5

    fb8f7264ab9fcf4ca72ece72604f49fe

  • SHA1

    9e7b3a4fb41bfc8067e25be0e50bd24bc2db6943

  • SHA256

    1e2ca810cc9233dc0350cafb6d52f0a9e5ccafe1b3b8c9d3f70ca406be970566

  • SHA512

    65e343a202259258119152903418aca362bc367acea2791372c7fce433e559dfb829c40a057f1e7eae750e96786daee061db8176ba3511b2abcc39dc38213bc8

  • SSDEEP

    6144:4ODuQ1xDSfFIIfghqa/EJVDj0mzr/mykSooZ3mRiV6sIcCHVizF0duoSmPn:jDuCx2FIIYMayD3uyV3NkcC1aF0d1S2n

Score
10/10
quasarvenom clientpersistencespywaretrojan

Malware Config

Extracted

Family

quasar

Version

2.7.0.0

Botnet

Venom Client

C2

markphoto.casacam.net:5000

Mutex

JlYM51eW4iZoFyLa2X

Attributes
  • encryption_key

    BL7lZzIkUckEp2RCh8Q6

  • install_name

    Venom.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

Targets

    • Target

      d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16.exe

    • Size

      1.0MB

    • MD5

      7a98ca652a682ae96bc3f9ac6d554d82

    • SHA1

      dbb6b1d490b64e9b1260d0ad55cd2fe1d776586f

    • SHA256

      d79a203caba18b6e1190b0022296d56f96253d4fb39b96aaaeaaa02241f28b16

    • SHA512

      6fd10b572f7c39fc2b33d57957f1c36102da158a22a5b4d855736dd5ed92a3ba5d945662d11ad2b69f845f16c48a9875258fa2cdc80089cd5863c7980d21ce9f

    • SSDEEP

      24576:t+ynkc1ZzBvtrZHFjMKY2naU8elKA9eaZYZg+ryTh:4ynkc1ZzBvtrZHFjMKY2nb8elKAgaZXN

    Score
    10/10
    quasarvenom clientpersistencespywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks