General

  • Target

    11989941315.zip

  • Size

    4KB

  • Sample

    230927-k887dahf2y

  • MD5

    19fb11428e632c5b6161f3f8341fcae2

  • SHA1

    eb4d594bb600f7d1dfa88befd164de88910901f1

  • SHA256

    c1db9e5e071025c583f23a3223762422e6caa9c23ad1cbdfd0ce7a73d668ced0

  • SHA512

    c4be9699e30a00aaf9544bc3f207f60394261f6067b665af6245f14d653c3deafe7f547b998e168d643329c2d96a6b3370171ce460e328c137c194c3dce4dc76

  • SSDEEP

    96:duiAVpa919mNBE3EkoqvMIUgHAQUSuZMyuBgn3uplUqxdyrQzkuT1k0uDe:UiAzaZABPko9BgHAQUZ3olUqqrxDe

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (ps1.dropper)

    https://textbin.net/raw/ezjmofz3s6

Extracted

  • Family

    quasar

  • Version

    2.7.0.0

  • Botnet

    Venom Client

  • C2

    crazydns.linkpc.net:3000

  • Mutex

    ER5Ojs5Por1j5joXR6

Attributes
  • encryption_key

    HHtj6qkHuyo7mzRB7Q0O

  • install_name

    Venom.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

Targets

    • Target

      e775da7c0b55fe06c5de02e116243cb82155d6dc462c220280becaa5b8334123

    • Size

      163KB

    • MD5

      11f76a33d09caf69b8ade7f6f2410bf3

    • SHA1

      e8058ec22549d5d144389b3feaa4f594df1f6d20

    • SHA256

      e775da7c0b55fe06c5de02e116243cb82155d6dc462c220280becaa5b8334123

    • SHA512

      59bd6405abff46700f10136ceb12a887d0403e3f61e7ba55f3787ade85595f7def2062bed401f9f304f04d9727cda87e0189f42980c90a1f195844e087c92a2c

    • SSDEEP

      3072:iKfIfffo4fffff/oofTffgoff4ZyRKNP85LQG:m

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scheduled Task/Job (T1053): 1

  • Persistence

    Scheduled Task/Job (T1053): 1

  • Privilege Escalation

    Scheduled Task/Job (T1053): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

Tasks