quasar | 90e165246c0518ce77a98adbe2cd589bdc75d162f23fde3e7f837882b8facd2f

General

Target

3e5b3579e97745512e8766b9c89aba66_JaffaCakes118
Size

503KB
Sample

240513-h9z9rafc68
MD5

3e5b3579e97745512e8766b9c89aba66
SHA1

43a67810e5278a542f6a4d8eb86040b64e34fb35
SHA256

90e165246c0518ce77a98adbe2cd589bdc75d162f23fde3e7f837882b8facd2f
SHA512

d967309ba2e26e71c692850c04aae9a90880614848c021e332d06d4de123c02cf07768b42503d065cde9187e3d56b1637d16b775f2c755a7b1ae01632000dc6c
SSDEEP

12288:mY9OgcjseeEyx6a7AX8EmUfsgHYYKDWHe3odvByqTX:mgcjsfH6aamUfUfWDvcA

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_ND6PULLW5ZVLwo1nwR

Attributes

encryption_key
yaa63tXY4j55os5llHHd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Targets

- Target
  
  3e5b3579e97745512e8766b9c89aba66_JaffaCakes118
- Size
  
  503KB
- MD5
  
  3e5b3579e97745512e8766b9c89aba66
- SHA1
  
  43a67810e5278a542f6a4d8eb86040b64e34fb35
- SHA256
  
  90e165246c0518ce77a98adbe2cd589bdc75d162f23fde3e7f837882b8facd2f
- SHA512
  
  d967309ba2e26e71c692850c04aae9a90880614848c021e332d06d4de123c02cf07768b42503d065cde9187e3d56b1637d16b775f2c755a7b1ae01632000dc6c
- SSDEEP
  
  12288:mY9OgcjseeEyx6a7AX8EmUfsgHYYKDWHe3odvByqTX:mgcjsfH6aamUfUfWDvcA
Score

10^/10

quasar venomrat svhost rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Contains code to disable Windows Defender

Quasar RAT

Quasar payload

VenomRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2