General
-
Target
9b664d1737e4b08517167fff2d19bade
-
Size
535KB
-
Sample
231222-qfkk7shaa6
-
MD5
9b664d1737e4b08517167fff2d19bade
-
SHA1
dbbc1588618273813ca9f3de2708f4f4b7934029
-
SHA256
ed07371994b2bce11a662df8ab5603ed80a73c30cdd4f29d922eae221320a39b
-
SHA512
955e24ab139489a2835f553d6e58ebeb2af7dae20317c6510e3289a902bbf2a7ed329776dfc7afaa948d61fd0cd47b7216017003eaa410d4d07348e19848484c
-
SSDEEP
12288:VuxMRH2MMvs5v5iX7K+k2dV++kQgog5Y:VWu2MMv5++kRc
Malware Config
Extracted
quasar
2.1.0.0
Hacked
Cheaper-60753.portmap.host:62240
VNM_MUTEX_7KSPEPYRO6LRW25BBT
-
encryption_key
SPWhfeGvCah4GWzpm6Am
-
install_name
Host Process for Windows Tasks.exe
-
log_directory
Microsoft
-
reconnect_delay
1000
-
startup_key
Host Process for Windows Services
-
subdirectory
MIcrosoft
Targets
-
-
Target
9b664d1737e4b08517167fff2d19bade
-
Size
535KB
-
MD5
9b664d1737e4b08517167fff2d19bade
-
SHA1
dbbc1588618273813ca9f3de2708f4f4b7934029
-
SHA256
ed07371994b2bce11a662df8ab5603ed80a73c30cdd4f29d922eae221320a39b
-
SHA512
955e24ab139489a2835f553d6e58ebeb2af7dae20317c6510e3289a902bbf2a7ed329776dfc7afaa948d61fd0cd47b7216017003eaa410d4d07348e19848484c
-
SSDEEP
12288:VuxMRH2MMvs5v5iX7K+k2dV++kQgog5Y:VWu2MMv5++kRc
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-