quasar | 6a1e31b04adc8e779095fb61f7e3cafc8866f644865ee64ee1d02210f7db3766

General

Target

3a7117d0c950b44d5464cd6841dd95cd_JaffaCakes118
Size

472KB
Sample

240512-q6kznacd46
MD5

3a7117d0c950b44d5464cd6841dd95cd
SHA1

b0dd2745f822d1e43300fa1ccb11749fdfcf1260
SHA256

6a1e31b04adc8e779095fb61f7e3cafc8866f644865ee64ee1d02210f7db3766
SHA512

a8c3ce748eee0ef88ce737d853d26d3f9e49bb7cfbbf7c67dfebfa7451279010f67c552f3f49275788db21f423ebfa845f2726892bdc2596af36682b7791ab25
SSDEEP

6144:wYd3flbbsDpd0DHo5AqYOy8oE0B7mEuZe35o4LILBWflzgWErnrXnzmjdoBqZg:wYd901AqoES7mEuZmi4LILBelztqmi

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_ND6PULLW5ZVLwo1nwR

Attributes

encryption_key
yaa63tXY4j55os5llHHd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Targets

- Target
  
  3a7117d0c950b44d5464cd6841dd95cd_JaffaCakes118
- Size
  
  472KB
- MD5
  
  3a7117d0c950b44d5464cd6841dd95cd
- SHA1
  
  b0dd2745f822d1e43300fa1ccb11749fdfcf1260
- SHA256
  
  6a1e31b04adc8e779095fb61f7e3cafc8866f644865ee64ee1d02210f7db3766
- SHA512
  
  a8c3ce748eee0ef88ce737d853d26d3f9e49bb7cfbbf7c67dfebfa7451279010f67c552f3f49275788db21f423ebfa845f2726892bdc2596af36682b7791ab25
- SSDEEP
  
  6144:wYd3flbbsDpd0DHo5AqYOy8oE0B7mEuZe35o4LILBWflzgWErnrXnzmjdoBqZg:wYd901AqoES7mEuZmi4LILBelztqmi
Score

10^/10

quasar venomrat svhost rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Contains code to disable Windows Defender

Quasar RAT

Quasar payload

VenomRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2