quasar | c2361c29db867d86c9f6d361b3d3394d0d847775ebcb84422c095369ccde5acd | Triage

Sharing

General

Target

9f052ffa940763ede6b28dc1ebd4757e
Size

654KB
Sample

231222-qkpqqafgeq
MD5

9f052ffa940763ede6b28dc1ebd4757e
SHA1

0a4f3e7f6a573c0fe321ebf46aee344e08a28e25
SHA256

c2361c29db867d86c9f6d361b3d3394d0d847775ebcb84422c095369ccde5acd
SHA512

ebc566c0794b9edd8a7373636c065e3d67ee0156b33969a30950116b984cad81c352d96290cf4607fec7d3c2bf2e7a1d87f6231db6543a74df26da63ff5cbbbc
SSDEEP

12288:c6bJhnrd2Qsm/+/dnGz7O0Y244sMYcoFMVyMg+Yy1Wcwemn58GVuv:ckJhngpn9kNsMwbMgkK58guv

Score

10^/10

quasar venomrat sep05 evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

SEP05

C2

23.105.131.187:7812

Mutex

VNM_MUTEX_ea14HLQ5adxyrFdD2X

Attributes

encryption_key
jUWfdDb1toPE0KAlGJWH
install_name
Windows Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update Service
subdirectory
Windows Security Update

Targets

- Target
  
  9f052ffa940763ede6b28dc1ebd4757e
- Size
  
  654KB
- MD5
  
  9f052ffa940763ede6b28dc1ebd4757e
- SHA1
  
  0a4f3e7f6a573c0fe321ebf46aee344e08a28e25
- SHA256
  
  c2361c29db867d86c9f6d361b3d3394d0d847775ebcb84422c095369ccde5acd
- SHA512
  
  ebc566c0794b9edd8a7373636c065e3d67ee0156b33969a30950116b984cad81c352d96290cf4607fec7d3c2bf2e7a1d87f6231db6543a74df26da63ff5cbbbc
- SSDEEP
  
  12288:c6bJhnrd2Qsm/+/dnGz7O0Y244sMYcoFMVyMg+Yy1Wcwemn58GVuv:ckJhngpn9kNsMwbMgkK58guv
Score

10^/10

persistence quasar venomrat sep05 evasion rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasarvenomratsep05evasionpersistenceratrootkitspywarestealertrojan