quasar | c7a070b7e06000af25f9fe5f44cfacfd4ac4a02371369267ad10cf3beaed8d4b

General

Target

0fdee64f4eb558b0d6e1a5a568095e40
Size

880KB
Sample

231221-15eflacbhj
MD5

0fdee64f4eb558b0d6e1a5a568095e40
SHA1

55ca1696afa36ab5f36d3c2944a03bb988335d97
SHA256

c7a070b7e06000af25f9fe5f44cfacfd4ac4a02371369267ad10cf3beaed8d4b
SHA512

ddf3de5d0f69a29818f683c46ccd70891455f8781e46cf1ac37b740b67e74eea4408920ef3a54878707c81b74b2dc13337838a6521880a0c9f912cc7251bfe44
SSDEEP

24576:zhOjdWkJhngpn9kNsMwbMgkK589joyhkIS:zgjdbDnKkK3MgkK56

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

SEP05

C2

23.105.131.187:7812

Mutex

VNM_MUTEX_ea14HLQ5adxyrFdD2X

Attributes

encryption_key
jUWfdDb1toPE0KAlGJWH
install_name
Windows Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update Service
subdirectory
Windows Security Update

Targets

- Target
  
  0fdee64f4eb558b0d6e1a5a568095e40
- Size
  
  880KB
- MD5
  
  0fdee64f4eb558b0d6e1a5a568095e40
- SHA1
  
  55ca1696afa36ab5f36d3c2944a03bb988335d97
- SHA256
  
  c7a070b7e06000af25f9fe5f44cfacfd4ac4a02371369267ad10cf3beaed8d4b
- SHA512
  
  ddf3de5d0f69a29818f683c46ccd70891455f8781e46cf1ac37b740b67e74eea4408920ef3a54878707c81b74b2dc13337838a6521880a0c9f912cc7251bfe44
- SSDEEP
  
  24576:zhOjdWkJhngpn9kNsMwbMgkK589joyhkIS:zgjdbDnKkK3MgkK56
Score

10^/10

quasar venomrat sep05 evasion persistence rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2