quasar | ed07371994b2bce11a662df8ab5603ed80a73c30cdd4f29d922eae221320a39b | Triage

Submit
Reports

Overview

overview

Static

static

9b664d1737...de.exe

windows7-x64

9b664d1737...de.exe

windows10-2004-x64

Sharing

General

Target

9b664d1737e4b08517167fff2d19bade
Size

535KB
Sample

231222-qfkk7shaa6
MD5

9b664d1737e4b08517167fff2d19bade
SHA1

dbbc1588618273813ca9f3de2708f4f4b7934029
SHA256

ed07371994b2bce11a662df8ab5603ed80a73c30cdd4f29d922eae221320a39b
SHA512

955e24ab139489a2835f553d6e58ebeb2af7dae20317c6510e3289a902bbf2a7ed329776dfc7afaa948d61fd0cd47b7216017003eaa410d4d07348e19848484c
SSDEEP

12288:VuxMRH2MMvs5v5iX7K+k2dV++kQgog5Y:VWu2MMv5++kRc

Score

10^/10

quasar venomrat hacked evasion rat rootkit spyware stealer trojan

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

9b664d1737e4b08517167fff2d19bade.exe

Resource

win7-20231215-en

quasar venomrat hacked evasion rat rootkit spyware stealer trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

9b664d1737e4b08517167fff2d19bade.exe

Resource

win10v2004-20231222-en

quasar hacked spyware trojan

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Hacked

C2

Cheaper-60753.portmap.host:62240

Mutex

VNM_MUTEX_7KSPEPYRO6LRW25BBT

Attributes

encryption_key
SPWhfeGvCah4GWzpm6Am
install_name
Host Process for Windows Tasks.exe
log_directory
Microsoft
reconnect_delay
1000
startup_key
Host Process for Windows Services
subdirectory
MIcrosoft

Targets

- Target
  
  9b664d1737e4b08517167fff2d19bade
- Size
  
  535KB
- MD5
  
  9b664d1737e4b08517167fff2d19bade
- SHA1
  
  dbbc1588618273813ca9f3de2708f4f4b7934029
- SHA256
  
  ed07371994b2bce11a662df8ab5603ed80a73c30cdd4f29d922eae221320a39b
- SHA512
  
  955e24ab139489a2835f553d6e58ebeb2af7dae20317c6510e3289a902bbf2a7ed329776dfc7afaa948d61fd0cd47b7216017003eaa410d4d07348e19848484c
- SSDEEP
  
  12288:VuxMRH2MMvs5v5iX7K+k2dV++kQgog5Y:VWu2MMv5++kRc
Score

10^/10

quasar venomrat hacked evasion rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Credential Access

Discovery

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarvenomrathackedevasionratrootkitspywarestealertrojan

behavioral2

quasarhackedspywaretrojan

© 2018-2024

Terms | Privacy