Extracted

• • Target

    aa48fe6b5774a66cab06338fa55d17de

  • Size

    16.7MB

  • MD5

    aa48fe6b5774a66cab06338fa55d17de

  • SHA1

    a734431bb537225596ef3ea0674944b2ecd6fe22

  • SHA256

    4576693687b188ea748add6660d7eee2dd3bdb86a60a9cf8dc99c0d191d61303

  • SHA512

    9e7e64ce6c54ac98e54ee8f7eb576849bad99ec4281786023b948deb65067917929099a56f802079cda98761733184f7981a164a1200b5062a26fd3d176eb680

  • SSDEEP

    393216:dRwHfrE1h2ye2vmGpEeaQrg8OUEsf3iCZOuko4xgWL74hwtG1ZtJRjHYX:8HfrEKgJeehrSW3NOVoudPliZtTHYX

  Score

  10^/10

  quasarvenomratoffice04evasionratrootkitspywarestealertrojanpersistence

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar payload

  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat

  • Nirsoft

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  behavioral1behavioral2