General
-
Target
99862073a5f3df00516a49e3b78057b1
-
Size
635KB
-
Sample
240213-qlkhdsca79
-
MD5
99862073a5f3df00516a49e3b78057b1
-
SHA1
46ac6d3ec2cb7d90d946a1470b5dff98eecee011
-
SHA256
bb1956f934dfbebe914a54e3445b5fbafac60e2672794a5e14ed4d1999d5aed2
-
SHA512
d0d248502db680f17ed2e8d750d809796320c41395284df0df9967fac852f6b39a05df33f5054cc8e45ba116c61eb2c112e3038a26b3fada34056e36f1400629
-
SSDEEP
12288:Z+ifBbFriWGl7gO03m4sRqJ2IOEEVR/7r+pKnoqsxWbvoyF3db6e0Rqs+8s7b:csBxrd4lA7OvR/fqKoqsxsvoyFtbsqsK
Malware Config
Extracted
quasar
2.1.0.0
Windows firewall
23.105.131.187:7812
VNM_MUTEX_zGeT5SjdI1pYgFyiav
-
encryption_key
3kpwI2tkVNrXY2Mm5wlR
-
install_name
Windows Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Update
-
subdirectory
Windows Firewall Updates
Targets
-
-
Target
99862073a5f3df00516a49e3b78057b1
-
Size
635KB
-
MD5
99862073a5f3df00516a49e3b78057b1
-
SHA1
46ac6d3ec2cb7d90d946a1470b5dff98eecee011
-
SHA256
bb1956f934dfbebe914a54e3445b5fbafac60e2672794a5e14ed4d1999d5aed2
-
SHA512
d0d248502db680f17ed2e8d750d809796320c41395284df0df9967fac852f6b39a05df33f5054cc8e45ba116c61eb2c112e3038a26b3fada34056e36f1400629
-
SSDEEP
12288:Z+ifBbFriWGl7gO03m4sRqJ2IOEEVR/7r+pKnoqsxWbvoyF3db6e0Rqs+8s7b:csBxrd4lA7OvR/fqKoqsxsvoyFtbsqsK
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1