General
-
Target
efbb56f8386d1881cc20a3de36686239
-
Size
16.8MB
-
Sample
231220-vg8fwahfdn
-
MD5
efbb56f8386d1881cc20a3de36686239
-
SHA1
b58ff7105f942a68c58cdc2fb80e3bf8d0a8de16
-
SHA256
10c0a60ca1b17282e0853e2134e7d67b604b1b38a66677fb99ef918672be2c79
-
SHA512
e2d9f182859273c9f13bdf3fd87fa5818676b1f7b41da556ac3c724ab75e50db64e7421632ca0e3d5b4d4d4f519d54484af1a3e4da919d665475a8715bc63311
-
SSDEEP
393216:hRwHfrE1h2ye2vmGpEeaQrg8OUEsf3iCZOuko4xgWL74hwtG1ZtJRjHYX:4HfrEKgJeehrSW3NOVoudPliZtTHYX
Malware Config
Extracted
quasar
2.1.0.0
Office04
smtp.yassine-bolard.nl:72
82.65.150.176:72
VNM_MUTEX_c2q7y2ayYutZ2XaYe7
-
encryption_key
V8QkE5vrgV4DVybE2MTP
-
install_name
$77Discord.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Discord
-
subdirectory
Discord
Targets
-
-
Target
efbb56f8386d1881cc20a3de36686239
-
Size
16.8MB
-
MD5
efbb56f8386d1881cc20a3de36686239
-
SHA1
b58ff7105f942a68c58cdc2fb80e3bf8d0a8de16
-
SHA256
10c0a60ca1b17282e0853e2134e7d67b604b1b38a66677fb99ef918672be2c79
-
SHA512
e2d9f182859273c9f13bdf3fd87fa5818676b1f7b41da556ac3c724ab75e50db64e7421632ca0e3d5b4d4d4f519d54484af1a3e4da919d665475a8715bc63311
-
SSDEEP
393216:hRwHfrE1h2ye2vmGpEeaQrg8OUEsf3iCZOuko4xgWL74hwtG1ZtJRjHYX:4HfrEKgJeehrSW3NOVoudPliZtTHYX
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Nirsoft
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-