Overview

overview

10

Static

static

3

Android Tester.exe

windows7-x64

10

Android Tester.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Android Tester.rar

  • Size

    22.7MB

  • Sample

    231011-jvym2sae91

  • MD5

    ff883648412b9f2abeff45444ec2588a

  • SHA1

    b85c125e3f7e6037b51afefdc8e30a50f344fa1c

  • SHA256

    164dc81c3d8ac61c788cf466d83487f5878f96915f4a18939d278e249cbdc949

  • SHA512

    39ea447aa99a1d8731b1d20679506592aa5ce4a6a0f625f9b8c01b2bb21de1f1f6fa24da4beb34bef0c8714376167a6cd0279f83fd6f8728975cf021358e1708

  • SSDEEP

    393216:KQLrjCTVOeSCIRClQ2PfWpeN15t4jpnTxk1ACCWEWI2q5VuDXTlxv9S6V6ey:KkPC0eSZwPtuTx/qU+xv9S

Score
10/10
quasarvenomratoffice04evasionpersistenceratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

nibiru3.duckdns.org:7777

Mutex

VNM_MUTEX_ubQkq789WptLUo6CNl

Attributes
  • encryption_key

    GaGctuJ4ar1CIDW3hoKN

  • install_name

    Winstep.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Winstep SpeedLaunch

  • subdirectory

    Winstep SpeedLaunch

Targets

    • Target

      Android Tester.exe

    • Size

      22.7MB

    • MD5

      f39cec8c25192d89cab82d32e2645b98

    • SHA1

      8165bc234cfd0fc6dda711d5c032d7c97bb6ee5d

    • SHA256

      82df477a1e5e4105c96c8820385bcd3c1bd54995967d29d2e639d040db5b1574

    • SHA512

      6f194968ceaad61f43ee5a48e433e916746fc485b6e60eb24c67e98e83ea76e8e57f52e4047007d4b58fba1fc38e447ca4dc2942e140e41e3c985538c713d524

    • SSDEEP

      393216:yQLrjCTVOeSCIRClQ2PfWpeN15t4jpnTxk1ACCWEWI2q5VuDXTlxv9S6V6eX:ykPC0eSZwPtuTx/qU+xv93

    Score
    10/10
    quasarvenomratoffice04evasionpersistenceratrootkitspywarestealertrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

      ratrootkitstealervenomrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks