quasar | fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314 | Triage

Submit
Reports

Overview

overview

Static

static

3

2957c39376...18.exe

windows7-x64

2957c39376...18.exe

windows10-2004-x64

Sharing

General

Target

2957c39376a38df6aefaee72674c92af_JaffaCakes118
Size

757KB
Sample

240509-lh19hsdg94
MD5

2957c39376a38df6aefaee72674c92af
SHA1

f32007bbb1c99bda6e4c97b4a695e87913fd87b1
SHA256

fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314
SHA512

8cecae621972be05ab9be0071689fcf29028f63b1519c4698d531bc754af7363f7bc21dbfb1d97e75914d884ecf4e1264ff20b2903f7b11c45dc88a77ec5dcbc
SSDEEP

12288:cgvSXyMjLJFlHSXDe/XDsKI+6lHE50yzXcpimSZRtvifjP8HQQaf8+TX:cTJmXyzsKOlHEOyzXcpRSZRNIjPrF

Score

10^/10

quasar venomrat office04 persistence rat rootkit spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe

Resource

win7-20240508-en

quasar persistence spyware trojan

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

2957c39376a38df6aefaee72674c92af_JaffaCakes118.exe

Resource

win10v2004-20240508-en

quasar venomrat office04 persistence rat rootkit spyware stealer trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_bW2Pm17MwUNvIYeCrf

Attributes

encryption_key
skMcIyTXgvAaYya6lzLD
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Targets

- Target
  
  2957c39376a38df6aefaee72674c92af_JaffaCakes118
- Size
  
  757KB
- MD5
  
  2957c39376a38df6aefaee72674c92af
- SHA1
  
  f32007bbb1c99bda6e4c97b4a695e87913fd87b1
- SHA256
  
  fbc4fd5e3d3f2b5ccd26807e9e73498b3a3699e7efe35c624fbebcdc2c0c6314
- SHA512
  
  8cecae621972be05ab9be0071689fcf29028f63b1519c4698d531bc754af7363f7bc21dbfb1d97e75914d884ecf4e1264ff20b2903f7b11c45dc88a77ec5dcbc
- SSDEEP
  
  12288:cgvSXyMjLJFlHSXDe/XDsKI+6lHE50yzXcpimSZRtvifjP8HQQaf8+TX:cTJmXyzsKOlHEOyzXcpRSZRNIjPrF
Score

10^/10

quasar persistence spyware trojan venomrat office04 rat rootkit stealer
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarpersistencespywaretrojan

behavioral2

quasarvenomratoffice04persistenceratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy