quasar | hxxps://github[.]com

Resubmissions

07-10-2023 07:19

231007-h5wqrsca56 10

06-10-2023 17:57

05-10-2023 13:51

04-10-2023 11:32

04-10-2023 11:01

04-10-2023 10:53

Sharing

Copy URL

Twitter E-mail

General

Target

https://github.com
Sample

231007-h5wqrsca56

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

nibiru3.duckdns.org:7777

Mutex

VNM_MUTEX_ubQkq789WptLUo6CNl

Attributes

encryption_key
GaGctuJ4ar1CIDW3hoKN
install_name
Winstep.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Winstep SpeedLaunch
subdirectory
Winstep SpeedLaunch

Targets

- Target
  
  https://github.com
Score

10^/10

quasar rhadamanthys venomrat xworm office04 agilenet discovery evasion persistence rat rootkit spyware stealer trojan upx
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  evasion
- Detect Xworm Payload
- Detect rhadamanthys stealer shellcode
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1