General
Target: Pagamento.js
Size: 169KB
Sample: 230529-28sm3adh58
MD5: c0871f07733a3727e82c64aacda9a85b
SHA1: bf364b5b56ee65351a0bc5bca249ddeed5705e76
SHA256: 3eafb742af9d3a8bbbe4bd90b19d175ea4b698505cc5623594d0f13ba883692e
SHA512: 56f29de9c7b558ad3e24ee52378ce297bccfcc95bdeb74f3ec463493fe25dd2f869f1d74ede8238fe82b9bb11b9f088d47dea1df53f2a0a1b3a7a6c0ad29217e
SSDEEP: 3072:zbT1AJM/EaZ8ok36/EI4+ZQSU2bokXPXliq3kJIAsKLfbT1AJM/EaZ8ok36/EI4c:zbZ0M/EaZ8ok36RftbokX0bZ0M/EaZ8M
Static task: static1
Behavioral task: behavioral1
Sample: Pagamento.js
Resource: win7-20230220-en
Malware Config
Extracted: https://propagandaetrafego.com/b.jpg
Extracted: https://propagandaetrafego.com/v1.txt
Extracted: quasar 2.7.0.0
OP23
vhf.sytes.net:4783
15.235.109.170:4782
2vrOj8wCud9msk5z8w
encryption_key: ywxbR3BS4B6Rtb7nv9vB
install_name: Venom.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Venom Client Startup
Targets
Target: Pagamento.js
Quasar payload
Blocklisted process makes network request
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext