Overview

overview

10

Static

static

3

Venom.exe

windows7-x64

10

Venom.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Venom.exe.exe

  • Size

    4KB

  • Sample

    240430-d9btyabd53

  • MD5

    a26e4919eb47e0c23e8c38da0f3488db

  • SHA1

    43ffb3c3a21c8ae376380fb6d419f46391f2f595

  • SHA256

    31216d4c09b0bfa5deba86b4dd6206a2ba7a6f35ecb82cd81015ec51ceefa3b6

  • SHA512

    3f8b07aca6d77c41a29576bd4bb9ca190edf6fbf0775f7d8db1cf86230d863f9b458cc4fad9a94d252354f99a59c779f0acf30bb417d5abb7bd4eab6ac95291e

  • SSDEEP

    96:xjd8wOXOT7ZTKfAcQZ8o7+S7+w/8d3ojSrl:RuwOXOTFKfOh1/8dR

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

93.123.85.108:4782

Mutex

e14b8f59-979b-4ebf-8602-dd3c4d6c301e

Attributes
  • encryption_key

    534734397C0FA9A1D28F061AD75DF4100BFF5787

  • install_name

    Msconfig.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      Venom.exe.exe

    • Size

      4KB

    • MD5

      a26e4919eb47e0c23e8c38da0f3488db

    • SHA1

      43ffb3c3a21c8ae376380fb6d419f46391f2f595

    • SHA256

      31216d4c09b0bfa5deba86b4dd6206a2ba7a6f35ecb82cd81015ec51ceefa3b6

    • SHA512

      3f8b07aca6d77c41a29576bd4bb9ca190edf6fbf0775f7d8db1cf86230d863f9b458cc4fad9a94d252354f99a59c779f0acf30bb417d5abb7bd4eab6ac95291e

    • SSDEEP

      96:xjd8wOXOT7ZTKfAcQZ8o7+S7+w/8d3ojSrl:RuwOXOTFKfOh1/8dR

    Score
    10/10
    quasaroffice04spywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks