quasar | c2361c29db867d86c9f6d361b3d3394d0d847775ebcb84422c095369ccde5acd | Triage

Sharing

General

Target

9f052ffa940763ede6b28dc1ebd4757e
Size

654KB
Sample

231222-qkpqqafgeq
MD5

9f052ffa940763ede6b28dc1ebd4757e
SHA1

0a4f3e7f6a573c0fe321ebf46aee344e08a28e25
SHA256

c2361c29db867d86c9f6d361b3d3394d0d847775ebcb84422c095369ccde5acd
SHA512

ebc566c0794b9edd8a7373636c065e3d67ee0156b33969a30950116b984cad81c352d96290cf4607fec7d3c2bf2e7a1d87f6231db6543a74df26da63ff5cbbbc
SSDEEP

12288:c6bJhnrd2Qsm/+/dnGz7O0Y244sMYcoFMVyMg+Yy1Wcwemn58GVuv:ckJhngpn9kNsMwbMgkK58guv

Score

10^/10

quasar venomrat sep05 evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

SEP05

C2

23.105.131.187:7812

Mutex

VNM_MUTEX_ea14HLQ5adxyrFdD2X

Attributes

encryption_key
jUWfdDb1toPE0KAlGJWH
install_name
Windows Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update Service
subdirectory
Windows Security Update

Targets

- Target
  
  9f052ffa940763ede6b28dc1ebd4757e
- Size
  
  654KB
- MD5
  
  9f052ffa940763ede6b28dc1ebd4757e
- SHA1
  
  0a4f3e7f6a573c0fe321ebf46aee344e08a28e25
- SHA256
  
  c2361c29db867d86c9f6d361b3d3394d0d847775ebcb84422c095369ccde5acd
- SHA512
  
  ebc566c0794b9edd8a7373636c065e3d67ee0156b33969a30950116b984cad81c352d96290cf4607fec7d3c2bf2e7a1d87f6231db6543a74df26da63ff5cbbbc
- SSDEEP
  
  12288:c6bJhnrd2Qsm/+/dnGz7O0Y244sMYcoFMVyMg+Yy1Wcwemn58GVuv:ckJhngpn9kNsMwbMgkK58guv
Score

10^/10

persistence quasar venomrat sep05 evasion rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

quasarvenomratsep05evasionpersistenceratrootkitspywarestealertrojan