quasar | 6542a4adb925c38ae9fd6ddd0d5f838ac60b90e2db1e71ed71916fd6a988feb6 | Triage

Submit
Reports

Overview

overview

Static

static

fpsFIX.exe

windows10-1703-x64

Sharing

General

Target

fpsFIX.exe
Size

534KB
Sample

240209-bmxf1sdf8s
MD5

68e20c59e6398f9fe522cc509d440698
SHA1

5259db943f684f654c66ca277b28c410877494ad
SHA256

6542a4adb925c38ae9fd6ddd0d5f838ac60b90e2db1e71ed71916fd6a988feb6
SHA512

c25860340c9fd2b60a61490837febbe87d7912487cf6fbed0d31bd943c561767302be89c0309bc6e19df391e25adff5c4f6186a1b7f7fd181732c95da9a1ad09
SSDEEP

6144:N8fGtiZAjx7ZgCUODKULTMMkbKGofLPRU9BZIbHtZLLLK1hI8MjXOZ3y7z2Qnp3Q:yexVgCUU5/MMdKB0Z/G1hyW3ApRa

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

Static task

static1

office04 quasar

4 signatures

Behavioral task

behavioral1

Sample

fpsFIX.exe

Resource

win10-20231215-en

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

windows10-1703-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

127.0.0.1:4782

4.tcp.us-cal-1.ngrok.io:12688

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
JuBNDSQCyglnSfq0cvJE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Targets

- Target
  
  fpsFIX.exe
- Size
  
  534KB
- MD5
  
  68e20c59e6398f9fe522cc509d440698
- SHA1
  
  5259db943f684f654c66ca277b28c410877494ad
- SHA256
  
  6542a4adb925c38ae9fd6ddd0d5f838ac60b90e2db1e71ed71916fd6a988feb6
- SHA512
  
  c25860340c9fd2b60a61490837febbe87d7912487cf6fbed0d31bd943c561767302be89c0309bc6e19df391e25adff5c4f6186a1b7f7fd181732c95da9a1ad09
- SSDEEP
  
  6144:N8fGtiZAjx7ZgCUODKULTMMkbKGofLPRU9BZIbHtZLLLK1hI8MjXOZ3y7z2Qnp3Q:yexVgCUU5/MMdKB0Z/G1hyW3ApRa
Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarvenomratoffice04evasionratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy