quasar | 5bfd4a2a53142c78b5ad8eb5ca2f14bb28fa648b2ce1d2169d837346f2673004

General

Target

61eabb5f86336fe941185bf0a37a8472_JaffaCakes118
Size

538KB
Sample

240521-d87j8agg31
MD5

61eabb5f86336fe941185bf0a37a8472
SHA1

c733162ee7b9c8622d06258f676c846e99689199
SHA256

5bfd4a2a53142c78b5ad8eb5ca2f14bb28fa648b2ce1d2169d837346f2673004
SHA512

b2d458c865ada84666405636c40a70724d433d1bc9bcdfc830ff9b9b05c1ee08cafd2bbb2e59cd8820c0c247bee2dec432493e6aade925c30ea00a6f9b33efdd
SSDEEP

12288:oghbus5MJCyVyV4mqcS0KRBY+gSwQUuuGsTvZv/cDTX:HFu5V7tcUShSl1uGCZv/c/

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_ND6PULLW5ZVLwo1nwR

Attributes

encryption_key
yaa63tXY4j55os5llHHd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Targets

- Target
  
  61eabb5f86336fe941185bf0a37a8472_JaffaCakes118
- Size
  
  538KB
- MD5
  
  61eabb5f86336fe941185bf0a37a8472
- SHA1
  
  c733162ee7b9c8622d06258f676c846e99689199
- SHA256
  
  5bfd4a2a53142c78b5ad8eb5ca2f14bb28fa648b2ce1d2169d837346f2673004
- SHA512
  
  b2d458c865ada84666405636c40a70724d433d1bc9bcdfc830ff9b9b05c1ee08cafd2bbb2e59cd8820c0c247bee2dec432493e6aade925c30ea00a6f9b33efdd
- SSDEEP
  
  12288:oghbus5MJCyVyV4mqcS0KRBY+gSwQUuuGsTvZv/cDTX:HFu5V7tcUShSl1uGCZv/c/
Score

10^/10

quasar venomrat svhost rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Contains code to disable Windows Defender

Quasar RAT

Quasar payload

VenomRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Looks up external IP address via web service

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2