General
-
Target
Telegram Desktop.rar
-
Size
802.5MB
-
Sample
240312-vjzazsgc32
-
MD5
c27b7a4ff8387a553aa8ece1233f6f70
-
SHA1
436290ab35fd3e4de206d9a260c249f4ee14b4cc
-
SHA256
29d1b3fbd0c2615f298de1abbbb110757c4ed6a04b4e3957212e0d8796c37b44
-
SHA512
4793d7a3c3ed65cab477c75406dd56d416baa952f25b2812b673922bffc8ac76ae4844de21946ac7e281230c4e42ae8f8ab2f37e374de2e0ab5e5309642ff99d
-
SSDEEP
12582912:fpcYZCKX/IwdHf9eeXZRvu2zVVx3LziQSLoULgG8LfQa6FWQwUyu0VJARhNzVTI:Rc4X/h/1Jdu2zjxLzicU0GoILJnaJks
Malware Config
Extracted
quasar
2.1.0.0
BITCOIN
23.105.131.186:7812
VNM_MUTEX_jTeJaJnI35a3HyFP0B
-
encryption_key
370UTlW1JPDmtk3VcEH8
-
install_name
Window Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Update
-
subdirectory
windows Security Update 32
Extracted
quasar
2.1.0.0
devilians02
150.136.114.11:2222
VNM_MUTEX_KAFL0oh3oOLVnswazh
-
encryption_key
Wi8wlts7Jd3enUchOiDe
-
install_name
Fake btc sender.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Fake btc sender
-
subdirectory
SubDir
Targets
-
-
Target
Telegram Desktop.rar
-
Size
802.5MB
-
MD5
c27b7a4ff8387a553aa8ece1233f6f70
-
SHA1
436290ab35fd3e4de206d9a260c249f4ee14b4cc
-
SHA256
29d1b3fbd0c2615f298de1abbbb110757c4ed6a04b4e3957212e0d8796c37b44
-
SHA512
4793d7a3c3ed65cab477c75406dd56d416baa952f25b2812b673922bffc8ac76ae4844de21946ac7e281230c4e42ae8f8ab2f37e374de2e0ab5e5309642ff99d
-
SSDEEP
12582912:fpcYZCKX/IwdHf9eeXZRvu2zVVx3LziQSLoULgG8LfQa6FWQwUyu0VJARhNzVTI:Rc4X/h/1Jdu2zjxLzicU0GoILJnaJks
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1