General

  • Target

    Pagamento.js

  • Size

    169KB

  • Sample

    230529-28sm3adh58

  • MD5

    c0871f07733a3727e82c64aacda9a85b

  • SHA1

    bf364b5b56ee65351a0bc5bca249ddeed5705e76

  • SHA256

    3eafb742af9d3a8bbbe4bd90b19d175ea4b698505cc5623594d0f13ba883692e

  • SHA512

    56f29de9c7b558ad3e24ee52378ce297bccfcc95bdeb74f3ec463493fe25dd2f869f1d74ede8238fe82b9bb11b9f088d47dea1df53f2a0a1b3a7a6c0ad29217e

  • SSDEEP

    3072:zbT1AJM/EaZ8ok36/EI4+ZQSU2bokXPXliq3kJIAsKLfbT1AJM/EaZ8ok36/EI4c:zbZ0M/EaZ8ok36RftbokX0bZ0M/EaZ8M

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (ps1.dropper)

    https://propagandaetrafego.com/b.jpg

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (ps1.dropper)

    https://propagandaetrafego.com/v1.txt

Extracted

Family

quasar

Version

2.7.0.0

Botnet

OP23

C2

vhf.sytes.net:4783

15.235.109.170:4782

Mutex

2vrOj8wCud9msk5z8w

Attributes
  • encryption_key

    ywxbR3BS4B6Rtb7nv9vB

  • install_name

    Venom.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

Targets

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task, T1053 (1)

  • Persistence

    Scheduled Task, T1053 (1)

  • Privilege Escalation

    Scheduled Task, T1053 (1)

  • Discovery

    Query Registry, T1012 (2)

    System Information Discovery, T1082 (2)

Tasks