quasar | c0c546bbb3489141ce05c48cf79f03ef55b8adc2b55f768d9fa6830f15237b66 | Triage

Submit
Reports

Overview

overview

Static

static

04990099.exe

windows7-x64

04990099.exe

windows10-2004-x64

Sharing

General

Target

04990099.exe
Size

916KB
Sample

230603-ssbvyahf21
MD5

14f404145a2e342fc8dea1d7410d0977
SHA1

3cf14a3afa0b3a35de831093f2ced8cb8d37d298
SHA256

c0c546bbb3489141ce05c48cf79f03ef55b8adc2b55f768d9fa6830f15237b66
SHA512

e40065061d0b834423a3f03038b7ad34289d96b73d9c9e60164e67596d2333f0e40ec54b8a960b7d9ed639611b11c3fb1deb60689a4015bc3c97c7397e8fbd61
SSDEEP

24576:VUcziHVcYBjF3ZLNfBzVHps1LusJLK1lkgoLE:nziHVcYBjF3ZLNfBzVHpsLk1lk

Score

10^/10

quasar venom client persistence spyware trojan

Static task

static1

venom client quasar

3 signatures

Behavioral task

behavioral1

Sample

04990099.exe

Resource

win7-20230220-en

quasar venom client persistence spyware trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

04990099.exe

Resource

win10v2004-20230220-en

quasar venom client persistence spyware trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

2.8.0.1

Botnet

Venom Client

C2

soon-lp.at.ply.gg:17209

Mutex

JbBKKHh20tjHitewKR

Attributes

encryption_key
ZqvCSKfIZ294q5dIHRWw
install_name
Venom.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WinHost

Targets

- Target
  
  04990099.exe
- Size
  
  916KB
- MD5
  
  14f404145a2e342fc8dea1d7410d0977
- SHA1
  
  3cf14a3afa0b3a35de831093f2ced8cb8d37d298
- SHA256
  
  c0c546bbb3489141ce05c48cf79f03ef55b8adc2b55f768d9fa6830f15237b66
- SHA512
  
  e40065061d0b834423a3f03038b7ad34289d96b73d9c9e60164e67596d2333f0e40ec54b8a960b7d9ed639611b11c3fb1deb60689a4015bc3c97c7397e8fbd61
- SSDEEP
  
  24576:VUcziHVcYBjF3ZLNfBzVHps1LusJLK1lkgoLE:nziHVcYBjF3ZLNfBzVHpsLk1lk
Score

10^/10

quasar venom client persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

venom clientquasar

behavioral1

quasarvenom clientpersistencespywaretrojan

behavioral2

quasarvenom clientpersistencespywaretrojan

© 2018-2024

Terms | Privacy