General
-
Target
4b9d9e8512113210558953f19c7e6c2a_JaffaCakes118
-
Size
709KB
-
Sample
240516-r5elxshh27
-
MD5
4b9d9e8512113210558953f19c7e6c2a
-
SHA1
a79f5b32c87cce6413c36741810dcc859ce42cac
-
SHA256
6ca5561637075df7fc371638c56e9ecd3ba4967979e396619d5b9dfb69a10743
-
SHA512
317244156c931561f2fe22999571a524cbf1050756d9584d0dba9aeb82ad76f8572dbc96447a100c9bc76d31adbcdfaaf4d5dd0c26e8efbabe2b984161709f87
-
SSDEEP
12288:rkcj3Ez4oa3NX7ebbUxvFwSxTk+MRH8Sn9vTUpAYT2MHCTX:5oeabONwwTOHp9KAYi04
Malware Config
Extracted
quasar
2.1.0.0
svhost
myconect.ddns.net:6606
VNM_MUTEX_ND6PULLW5ZVLwo1nwR
-
encryption_key
yaa63tXY4j55os5llHHd
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Venom Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
4b9d9e8512113210558953f19c7e6c2a_JaffaCakes118
-
Size
709KB
-
MD5
4b9d9e8512113210558953f19c7e6c2a
-
SHA1
a79f5b32c87cce6413c36741810dcc859ce42cac
-
SHA256
6ca5561637075df7fc371638c56e9ecd3ba4967979e396619d5b9dfb69a10743
-
SHA512
317244156c931561f2fe22999571a524cbf1050756d9584d0dba9aeb82ad76f8572dbc96447a100c9bc76d31adbcdfaaf4d5dd0c26e8efbabe2b984161709f87
-
SSDEEP
12288:rkcj3Ez4oa3NX7ebbUxvFwSxTk+MRH8Sn9vTUpAYT2MHCTX:5oeabONwwTOHp9KAYi04
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-