quasar | c6820f426b28b93295ca3b768780e8b372424fb72e94b5d0c094b030f53d4721 | Triage

Submit
Reports

Overview

overview

Static

static

3

ItroublveTSC.exe

windows7-x64

ItroublveTSC.exe

windows10-2004-x64

Sharing

General

Target

ItroublveTSC.exe
Size

2.0MB
Sample

240408-kxczssdd58
MD5

7c2da2ae36228b8b66ec5e5029e90d08
SHA1

d636baf89fd305a1f694611097ac6e7bcb1f244c
SHA256

c6820f426b28b93295ca3b768780e8b372424fb72e94b5d0c094b030f53d4721
SHA512

93cbc698211b0ab0f96ab3f0eb8d393bcd04580418e08fc6df9b935a7cdd091b619a0edab4771b4c887264b0eef6846e6e08a7be24a8681848a1885206a29960
SSDEEP

49152:DL+qgtiXBVLcHD/QmJqRsVEzCeePMAnUD:OzcBVYHDjcyVMukAUD

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

ItroublveTSC.exe

Resource

win7-20240221-en

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

ItroublveTSC.exe

Resource

win10v2004-20240226-en

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

zaidtheboii-50153.portmap.host:50153

Mutex

VNM_MUTEX_fNWmZ9wa8oprRXUo73

Attributes

encryption_key
PJRTtGrfOi1c09c0GCYT
install_name
OneDrive.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft One Drive
subdirectory
Microsoft One Drive

Targets

- Target
  
  ItroublveTSC.exe
- Size
  
  2.0MB
- MD5
  
  7c2da2ae36228b8b66ec5e5029e90d08
- SHA1
  
  d636baf89fd305a1f694611097ac6e7bcb1f244c
- SHA256
  
  c6820f426b28b93295ca3b768780e8b372424fb72e94b5d0c094b030f53d4721
- SHA512
  
  93cbc698211b0ab0f96ab3f0eb8d393bcd04580418e08fc6df9b935a7cdd091b619a0edab4771b4c887264b0eef6846e6e08a7be24a8681848a1885206a29960
- SSDEEP
  
  49152:DL+qgtiXBVLcHD/QmJqRsVEzCeePMAnUD:OzcBVYHDjcyVMukAUD
Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarvenomratoffice04evasionratrootkitspywarestealertrojan

behavioral2

quasarvenomratoffice04evasionratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy