General

  • Target

    828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe

  • Size

    534KB

  • Sample

    240518-d2sgqaab3x

  • MD5

    828849f08b62df77ea83d35202ef5210

  • SHA1

    a44599acea03322dee6129e8bc28da56a7edfc8f

  • SHA256

    828174bf347381e23da462e1d7532958389ecfb00639f6eb5f6001d9f6ac199b

  • SHA512

    54dfb7f51ce2fe101ec9033b66be916f0b08052da50c5134f5f8dcc96b5cc250c88679337b6a3a5265c58955d2f8bbfda9d4fd364088635cd6e2201585b5513a

  • SSDEEP

    6144:W8fGYJngzxsoIasFzFMkb7ShY97hNbE/55qiIqtqVh06vOGy3V8/GV0jivyabBYv:rkxfIayFMLqheh8KqVh06vDv

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

0.tcp.sa.ngrok.io:19439

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    xzHeU68ynlwXnJHWc12M

  • install_name

    $77lol.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    $77lol

  • subdirectory

    SubDir

Targets

    • Target

      828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe

    • Size

      534KB

    • MD5

      828849f08b62df77ea83d35202ef5210

    • SHA1

      a44599acea03322dee6129e8bc28da56a7edfc8f

    • SHA256

      828174bf347381e23da462e1d7532958389ecfb00639f6eb5f6001d9f6ac199b

    • SHA512

      54dfb7f51ce2fe101ec9033b66be916f0b08052da50c5134f5f8dcc96b5cc250c88679337b6a3a5265c58955d2f8bbfda9d4fd364088635cd6e2201585b5513a

    • SSDEEP

      6144:W8fGYJngzxsoIasFzFMkb7ShY97hNbE/55qiIqtqVh06vOGy3V8/GV0jivyabBYv:rkxfIayFMLqheh8KqVh06vDv

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks