Extracted

• • Target

    99862073a5f3df00516a49e3b78057b1

  • Size

    635KB

  • MD5

    99862073a5f3df00516a49e3b78057b1

  • SHA1

    46ac6d3ec2cb7d90d946a1470b5dff98eecee011

  • SHA256

    bb1956f934dfbebe914a54e3445b5fbafac60e2672794a5e14ed4d1999d5aed2

  • SHA512

    d0d248502db680f17ed2e8d750d809796320c41395284df0df9967fac852f6b39a05df33f5054cc8e45ba116c61eb2c112e3038a26b3fada34056e36f1400629

  • SSDEEP

    12288:Z+ifBbFriWGl7gO03m4sRqJ2IOEEVR/7r+pKnoqsxWbvoyF3db6e0Rqs+8s7b:csBxrd4lA7OvR/fqKoqsxsvoyFtbsqsK

  Score

  10^/10

  quasarvenomratwindows firewallevasionpersistenceratrootkitspywarestealertrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar payload

  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2