quasar | ef7a777d354433cc1398552311446bbc0be13e34407ca6fd7a67e4c750e76183

General

Target

Tiktok-Share-Bot-By-Denmark.zip
Size

11.6MB
Sample

240409-xfgb4sec85
MD5

54bbebf31363300459fd1660bf5493b7
SHA1

c8ff555abf4a179a9bcb32c0e2d4fb502061bbbe
SHA256

ef7a777d354433cc1398552311446bbc0be13e34407ca6fd7a67e4c750e76183
SHA512

faeacb7860aec90cee53cb975d98bb6a1f01392c2a4914c27e6c259b05728def6352a9d2c82ff01d68056bd50df17a5b2cad7590725a127131844b0458a1b676
SSDEEP

196608:A7gyk60n8baTVsxzDJmXCoy86Q4/+VfB0g5hNF1SqAk3bfQzMzh:A7g/8GZsuSoy86QktOSqLM2h

Score

10^/10

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

redline

Botnet

AwsR

C2

siyatermi.duckdns.org:17044

Extracted

Family

quasar

Version

2.1.0.0

Botnet

V/R/B

C2

siyatermi.duckdns.org:1518

Mutex

VNM_MUTEX_mJ6pCWZMe3OMOha5bj

Attributes

encryption_key
g1Bi32PXFGwyBI9DJGTD
install_name
Start Process.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Browser Module
subdirectory
Sys Resources

Targets

- Target
  
  Tiktok Share Bot byDenmark.exe
- Size
  
  774KB
- MD5
  
  4e27884494531416bd41504c7e0ba4ac
- SHA1
  
  f806c283c32bb43380c2636e2382a70484ea4b89
- SHA256
  
  40278019afe364e36be0e88470cb626a5aba0f78c23b171b4eb30e80db159763
- SHA512
  
  e2e5c8be79d1e0ddb70d667e6fd79023e9e34306f9a987d661aa1e9d46c5c2fe574ec6d52f871483455f5be1f722d76b396a9121450d9e7c824d4648bbc445ce
- SSDEEP
  
  24576:ML2wAwspzLMrL8vuJB98x1i09m6qfsTtUzF/B:1wAwspzLMrxB98x1i09vJUzJB
Score

10^/10

quasar redline sectoprat venomrat awsr v/r/b evasion infostealer rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1
- Target
  
  data32.bin
- Size
  
  238KB
- MD5
  
  4e6a7ee0e286ab61d36c26bd38996821
- SHA1
  
  820674b4c75290f8f667764bfb474ca8c1242732
- SHA256
  
  f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3
- SHA512
  
  f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a
- SSDEEP
  
  3072:6sGTNBBPt3lBtx5ebLDCc0p00JakwEn0ZtAq0nHHdNwooe+6t3ieCx9UWPrcFw+z:ID5t3lBrGdkwFi3HHdN1Zt9CxVgeH
Score

1^/10
behavioral2
- Target
  
  libGLESV2.lib
- Size
  
  10.4MB
- MD5
  
  621c28cd39d9d6f9a3377b8da8a8849b
- SHA1
  
  5a025ed5f5baae77496e27fb2996fcb22d67ed40
- SHA256
  
  54c1dc44cd458da7ec96343973fa7f350df27517715f41483f9cab748d3a9203
- SHA512
  
  b5600b871ac950ec10d7bd0c38bb242a9921b1bccd2dacaa709471475a4c410eb2b43b693e2c18db40349f5c8e15b2c0ee93dde4eb3cbce2f47db880fe48033f
- SSDEEP
  
  196608:4nIMYy23CPc/V0VjfJcPE8Yw6QodKh7Ls85JxhVgE+uBd1ub:4nIRyEN08s8Yw6Qg1IgEzE
Score

10^/10

quasar redline sectoprat venomrat awsr v/r/b evasion infostealer rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3
- Target
  
  libcef.bin
- Size
  
  211KB
- MD5
  
  59238144771807b1cbc407b250d6b2c3
- SHA1
  
  6c9f87cca7e857e888cb19ea45cf82d2e2d29695
- SHA256
  
  8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b
- SHA512
  
  cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220
- SSDEEP
  
  3072:CFITGLr+kmeUE2+YA8zuxD1gb/uVVohUFVEovODl9ply5nk/7K1bjT5h3qs:CbLUEkAtvaumhUXvwl9P62
Score

1^/10
behavioral4