quasar | 1c5bb8ac1735f400b18f16ed5daab07575ba4aaedb4da31ca5cd89205bb40141

General

Target

91086ef2437049d4cfcb66149acf0d95
Size

653KB
Sample

240205-e14zsscdar
MD5

91086ef2437049d4cfcb66149acf0d95
SHA1

ac9cfed7ccfcd8676b437e753abdf7fc06981f71
SHA256

1c5bb8ac1735f400b18f16ed5daab07575ba4aaedb4da31ca5cd89205bb40141
SHA512

effe216b30c6371065d467e585f95db5106c35376a8fe430880a4e965c3a7927fb0453945036b19a6e0e7ec3d4a1290eee6e2445b68cd748086082da29db8046
SSDEEP

12288:bYBbFriWGl7gO03m4sRqJ2IOEEVR/7r+pKnoqsxWbvoyF3db6e0Rqs4J7S:MBxrd4lA7OvR/fqKoqsxsvoyFtbsqsJ

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows firewall

C2

23.105.131.187:7812

Mutex

VNM_MUTEX_zGeT5SjdI1pYgFyiav

Attributes

encryption_key
3kpwI2tkVNrXY2Mm5wlR
install_name
Windows Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
Windows Firewall Updates

Targets

- Target
  
  91086ef2437049d4cfcb66149acf0d95
- Size
  
  653KB
- MD5
  
  91086ef2437049d4cfcb66149acf0d95
- SHA1
  
  ac9cfed7ccfcd8676b437e753abdf7fc06981f71
- SHA256
  
  1c5bb8ac1735f400b18f16ed5daab07575ba4aaedb4da31ca5cd89205bb40141
- SHA512
  
  effe216b30c6371065d467e585f95db5106c35376a8fe430880a4e965c3a7927fb0453945036b19a6e0e7ec3d4a1290eee6e2445b68cd748086082da29db8046
- SSDEEP
  
  12288:bYBbFriWGl7gO03m4sRqJ2IOEEVR/7r+pKnoqsxWbvoyF3db6e0Rqs4J7S:MBxrd4lA7OvR/fqKoqsxsvoyFtbsqsJ
Score

10^/10

quasar venomrat windows firewall evasion persistence rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2