Overview

overview

10

Static

static

10

11dbce37df...7e.exe

windows7-x64

10

11dbce37df...7e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d1c929278c8a9455e511c54af3fa83f0.bin

  • Size

    488KB

  • Sample

    230528-cc4m1sdh49

  • MD5

    714babb95b4192a1db18440a4e557eca

  • SHA1

    6a01288bb2fda6e7e64cdd8531d9cc1b76b8e9e4

  • SHA256

    ab991f490e6b779f70f684ac6742c6ba25be045822695bfc02fa0dd1c6e423c2

  • SHA512

    d0b70a2b96fba7f455a689c2e851e983451641d6aa03aaf8763241650724e710bb60ee9f97b3c7270e185907b63f7d60240ef8b3db168ed293584a3dbfe5f943

  • SSDEEP

    12288:+zThjUGPf+maBTIG/yzQm/P0cOS8JqEL5hBb3Y:eTBPf+RBUPzQYPEL5hBDY

Score
10/10
quasarvenom clientpersistencespywaretrojan

Malware Config

Extracted

Family

quasar

Version

2.7.0.0

Botnet

Venom Client

C2

markphoto.casacam.net:5000

Mutex

JlYM51eW4iZoFyLa2X

Attributes
  • encryption_key

    Xs9khGbxnXFgwtiuru4Q

  • install_name

    Venom.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

Targets

    • Target

      11dbce37dfbc51c96c4f699c51e3c1bb7626cb7efcdbb9408cc500428a48827e.exe

    • Size

      1.0MB

    • MD5

      d1c929278c8a9455e511c54af3fa83f0

    • SHA1

      d84ec50973b36bd214cd43ebb1baac6b2cdc8b83

    • SHA256

      11dbce37dfbc51c96c4f699c51e3c1bb7626cb7efcdbb9408cc500428a48827e

    • SHA512

      b1aeff9ffc7a76d80ba6e3999ed2a47b10d42e9d2bbe690617b71d59762ba64040088dc5b18905634c59bfb84dd85023e8619303386877f5f71969eb21b9b8d8

    • SSDEEP

      24576:M+ynkc1ZzBvtrZHFjMKY2SrtxeloGEoUDwc81iwJZ:pynkc1ZzBvtrZHFjMKY2+xeloGEzDx8l

    Score
    10/10
    quasarvenom clientpersistencespywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks