Overview

overview

10

Static

static

3

Telegram Desktop.rar

windows7-x64

10

Telegram Desktop.rar

windows10-1703-x64

3

Telegram Desktop.rar

windows10-2004-x64

7

Telegram Desktop.rar

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Telegram Desktop.rar

  • Size

    802.5MB

  • Sample

    240312-vjzazsgc32

  • MD5

    c27b7a4ff8387a553aa8ece1233f6f70

  • SHA1

    436290ab35fd3e4de206d9a260c249f4ee14b4cc

  • SHA256

    29d1b3fbd0c2615f298de1abbbb110757c4ed6a04b4e3957212e0d8796c37b44

  • SHA512

    4793d7a3c3ed65cab477c75406dd56d416baa952f25b2812b673922bffc8ac76ae4844de21946ac7e281230c4e42ae8f8ab2f37e374de2e0ab5e5309642ff99d

  • SSDEEP

    12582912:fpcYZCKX/IwdHf9eeXZRvu2zVVx3LziQSLoULgG8LfQa6FWQwUyu0VJARhNzVTI:Rc4X/h/1Jdu2zjxLzicU0GoILJnaJks

Score
10/10
quasarvenomratbitcoindevilians02evasionpersistencepyinstallerratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

BITCOIN

C2

23.105.131.186:7812

Mutex

VNM_MUTEX_jTeJaJnI35a3HyFP0B

Attributes
  • encryption_key

    370UTlW1JPDmtk3VcEH8

  • install_name

    Window Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    windows Security Update 32

Extracted

Family

quasar

Version

2.1.0.0

Botnet

devilians02

C2

150.136.114.11:2222

Mutex

VNM_MUTEX_KAFL0oh3oOLVnswazh

Attributes
  • encryption_key

    Wi8wlts7Jd3enUchOiDe

  • install_name

    Fake btc sender.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Fake btc sender

  • subdirectory

    SubDir

Targets

    • Target

      Telegram Desktop.rar

    • Size

      802.5MB

    • MD5

      c27b7a4ff8387a553aa8ece1233f6f70

    • SHA1

      436290ab35fd3e4de206d9a260c249f4ee14b4cc

    • SHA256

      29d1b3fbd0c2615f298de1abbbb110757c4ed6a04b4e3957212e0d8796c37b44

    • SHA512

      4793d7a3c3ed65cab477c75406dd56d416baa952f25b2812b673922bffc8ac76ae4844de21946ac7e281230c4e42ae8f8ab2f37e374de2e0ab5e5309642ff99d

    • SSDEEP

      12582912:fpcYZCKX/IwdHf9eeXZRvu2zVVx3LziQSLoULgG8LfQa6FWQwUyu0VJARhNzVTI:Rc4X/h/1Jdu2zjxLzicU0GoILJnaJks

    Score
    10/10
    quasarvenomratbitcoindevilians02evasionpersistencepyinstallerratrootkitspywarestealertrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

      ratrootkitstealervenomrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks