General

Target: Venom.exe.exe
Size: 4KB
Sample: 240430-d9btyabd53
MD5: a26e4919eb47e0c23e8c38da0f3488db
SHA1: 43ffb3c3a21c8ae376380fb6d419f46391f2f595
SHA256: 31216d4c09b0bfa5deba86b4dd6206a2ba7a6f35ecb82cd81015ec51ceefa3b6
SHA512: 3f8b07aca6d77c41a29576bd4bb9ca190edf6fbf0775f7d8db1cf86230d863f9b458cc4fad9a94d252354f99a59c779f0acf30bb417d5abb7bd4eab6ac95291e
SSDEEP: 96:xjd8wOXOT7ZTKfAcQZ8o7+S7+w/8d3ojSrl:RuwOXOTFKfOh1/8dR
Static task: static1

Behavioral task: behavioral1
Sample: Venom.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: Venom.exe
Resource: win10v2004-20240419-en
Malware Config

Extracted
Family: quasar
Version: 1.4.1
Botnet (tag): Office04
C2: 93.123.85.108:4782
Mutex: e14b8f59-979b-4ebf-8602-dd3c4d6c301e
encryption_key: 534734397C0FA9A1D28F061AD75DF4100BFF5787
install_name: Msconfig.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Targets

Target: Venom.exe.exe (4KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed under General)
Signatures:
- Quasar payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Drops file in System32 directory
- Suspicious use of SetThreadContext