General
-
Target
828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe
-
Size
534KB
-
Sample
240518-d2sgqaab3x
-
MD5
828849f08b62df77ea83d35202ef5210
-
SHA1
a44599acea03322dee6129e8bc28da56a7edfc8f
-
SHA256
828174bf347381e23da462e1d7532958389ecfb00639f6eb5f6001d9f6ac199b
-
SHA512
54dfb7f51ce2fe101ec9033b66be916f0b08052da50c5134f5f8dcc96b5cc250c88679337b6a3a5265c58955d2f8bbfda9d4fd364088635cd6e2201585b5513a
-
SSDEEP
6144:W8fGYJngzxsoIasFzFMkb7ShY97hNbE/55qiIqtqVh06vOGy3V8/GV0jivyabBYv:rkxfIayFMLqheh8KqVh06vDv
Malware Config
Extracted
quasar
2.1.0.0
Office04
0.tcp.sa.ngrok.io:19439
VNM_MUTEX_c2q7y2ayYutZ2XaYe7
-
encryption_key
xzHeU68ynlwXnJHWc12M
-
install_name
$77lol.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
$77lol
-
subdirectory
SubDir
Targets
-
-
Target
828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe
-
Size
534KB
-
MD5
828849f08b62df77ea83d35202ef5210
-
SHA1
a44599acea03322dee6129e8bc28da56a7edfc8f
-
SHA256
828174bf347381e23da462e1d7532958389ecfb00639f6eb5f6001d9f6ac199b
-
SHA512
54dfb7f51ce2fe101ec9033b66be916f0b08052da50c5134f5f8dcc96b5cc250c88679337b6a3a5265c58955d2f8bbfda9d4fd364088635cd6e2201585b5513a
-
SSDEEP
6144:W8fGYJngzxsoIasFzFMkb7ShY97hNbE/55qiIqtqVh06vOGy3V8/GV0jivyabBYv:rkxfIayFMLqheh8KqVh06vDv
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-