quasar | 164dc81c3d8ac61c788cf466d83487f5878f96915f4a18939d278e249cbdc949 | Triage

Submit
Reports

Overview

overview

Static

static

3

Android Tester.exe

windows7-x64

Android Tester.exe

windows10-2004-x64

Sharing

General

Target

ff883648412b9f2abeff45444ec2588a.bin
Size

22.7MB
Sample

230930-cl3r3sga4t
MD5

ff883648412b9f2abeff45444ec2588a
SHA1

b85c125e3f7e6037b51afefdc8e30a50f344fa1c
SHA256

164dc81c3d8ac61c788cf466d83487f5878f96915f4a18939d278e249cbdc949
SHA512

39ea447aa99a1d8731b1d20679506592aa5ce4a6a0f625f9b8c01b2bb21de1f1f6fa24da4beb34bef0c8714376167a6cd0279f83fd6f8728975cf021358e1708
SSDEEP

393216:KQLrjCTVOeSCIRClQ2PfWpeN15t4jpnTxk1ACCWEWI2q5VuDXTlxv9S6V6ey:KkPC0eSZwPtuTx/qU+xv9S

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Android Tester.exe

Resource

win7-20230831-en

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

Android Tester.exe

Resource

win10v2004-20230915-en

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

nibiru3.duckdns.org:7777

Mutex

VNM_MUTEX_ubQkq789WptLUo6CNl

Attributes

encryption_key
GaGctuJ4ar1CIDW3hoKN
install_name
Winstep.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Winstep SpeedLaunch
subdirectory
Winstep SpeedLaunch

Targets

- Target
  
  Android Tester.exe
- Size
  
  22.7MB
- MD5
  
  f39cec8c25192d89cab82d32e2645b98
- SHA1
  
  8165bc234cfd0fc6dda711d5c032d7c97bb6ee5d
- SHA256
  
  82df477a1e5e4105c96c8820385bcd3c1bd54995967d29d2e639d040db5b1574
- SHA512
  
  6f194968ceaad61f43ee5a48e433e916746fc485b6e60eb24c67e98e83ea76e8e57f52e4047007d4b58fba1fc38e447ca4dc2942e140e41e3c985538c713d524
- SSDEEP
  
  393216:yQLrjCTVOeSCIRClQ2PfWpeN15t4jpnTxk1ACCWEWI2q5VuDXTlxv9S6V6eX:ykPC0eSZwPtuTx/qU+xv93
Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarvenomratoffice04evasionratrootkitspywarestealertrojan

behavioral2

quasarvenomratoffice04evasionratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy