quasar | 735cbb15792d8be93c653fd2febafc249e57b29faa25aaafb99b42b310bca104

General

Target

320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118
Size

485KB
Sample

240511-bx71hadf81
MD5

320c9b7f61e1a20f89d2b4514d1545f0
SHA1

36d91c66517c404317ddf5b596c4e5f841005c9c
SHA256

735cbb15792d8be93c653fd2febafc249e57b29faa25aaafb99b42b310bca104
SHA512

65d6d236b510f9cf0273b822c3cdad76afcdc5cb0f4c6dc9a2502eb5ea68238810dbe4c8ec332e36270984d77a1c1a7fe2c444c361f725f8a32ce040f990c276
SSDEEP

12288:3dol1WDRTnx09/amkvj9LEuoJTtBhDSA3Lu7Yp8B4mi:Nmkd6/aTu5tfWAbuo8H

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_8vaggmzqQMqTBMXSZ7

Attributes

encryption_key
qRvtw4YHx2BDHavO4SeK
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Targets

- Target
  
  320c9b7f61e1a20f89d2b4514d1545f0_JaffaCakes118
- Size
  
  485KB
- MD5
  
  320c9b7f61e1a20f89d2b4514d1545f0
- SHA1
  
  36d91c66517c404317ddf5b596c4e5f841005c9c
- SHA256
  
  735cbb15792d8be93c653fd2febafc249e57b29faa25aaafb99b42b310bca104
- SHA512
  
  65d6d236b510f9cf0273b822c3cdad76afcdc5cb0f4c6dc9a2502eb5ea68238810dbe4c8ec332e36270984d77a1c1a7fe2c444c361f725f8a32ce040f990c276
- SSDEEP
  
  12288:3dol1WDRTnx09/amkvj9LEuoJTtBhDSA3Lu7Yp8B4mi:Nmkd6/aTu5tfWAbuo8H
Score

10^/10

quasar venomrat office04 rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Contains code to disable Windows Defender

Quasar RAT

Quasar payload

VenomRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2