General

  • Target

    dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3

  • Size

    968KB

  • Sample

    240527-d533maeg6s

  • MD5

    c82a3da38e0debb9a378f1dc3777c33e

  • SHA1

    aa6c7428f186d9498ca705b9c0d58736757a632e

  • SHA256

    dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3

  • SHA512

    628cda89421e6327ba5a274d28386faf0b56c35f52dc237bbc310aef2a20ec5d5b7fb1bc4f22d610981ce5c6a9733bfc16568f473eb23b43094637b1db969cc1

  • SSDEEP

    24576:FmtpMM4Qevjz8fSEhQKQWxUg9RzZtNMiTRqfLj:EpviIOYxUQRzZtNyj

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Security

C2

37.0.14.203:7812

Mutex

VNM_MUTEX_2r4e6JnVsMyKl6Aod6

Attributes
  • encryption_key

    7m3r0pz1Q0GDX0J3KjKp

  • install_name

    Windows Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Updated

  • subdirectory

    Win32

Targets

    • Target

      dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3

    • Size

      968KB

    • MD5

      c82a3da38e0debb9a378f1dc3777c33e

    • SHA1

      aa6c7428f186d9498ca705b9c0d58736757a632e

    • SHA256

      dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3

    • SHA512

      628cda89421e6327ba5a274d28386faf0b56c35f52dc237bbc310aef2a20ec5d5b7fb1bc4f22d610981ce5c6a9733bfc16568f473eb23b43094637b1db969cc1

    • SSDEEP

      24576:FmtpMM4Qevjz8fSEhQKQWxUg9RzZtNMiTRqfLj:EpviIOYxUQRzZtNyj

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    • Async RAT payload

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables containing URLs to raw contents of a Github gist

    • Detects executables containing artifacts associated with disabling Widnows Defender

    • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

    • Detects executables referencing Discord tokens regular expressions

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing credit card regular expressions

    • Detects executables referencing many VPN software clients. Observed in infosteslers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables using Telegram Chat Bot

    • Detects executables with interest in wireless interface using netsh

    • Detects file containing reversed ASEP Autorun registry keys

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

2
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Tasks