quasar | ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982 | Triage

Submit
Reports

Overview

overview

Static

static

3

813f353b12...18.exe

windows7-x64

813f353b12...18.exe

windows10-2004-x64

Sharing

General

Target

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118
Size

618KB
Sample

240529-taflvaba4y
MD5

813f353b1285bcaea41f868746ab9fdd
SHA1

301209445bdfd758b1f647bdbcf1609ee07296e7
SHA256

ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982
SHA512

1ef96e09c43a7c71395112c2a867e60259483585deeb60c122482d4e943b7eef7f432196eb62387655d819d29e8c64c98cf49b04623ff185924135b8aa128d38
SSDEEP

12288:LlZyWuK5AwBaCPY5OtC36PdbidyQPdF58SxXnkXnmHuYYOm:WZlwBaCPtC3+e4S1k0D

Score

10^/10

quasar venomrat windows defender security evasion persistence rat rootkit spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

Resource

win7-20240508-en

quasar venomrat windows defender security evasion persistence rat rootkit spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

813f353b1285bcaea41f868746ab9fdd_JaffaCakes118.exe

Resource

win10v2004-20240508-en

quasar venomrat windows defender security evasion persistence rat rootkit spyware stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Defender Security

C2

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_XoAJ77Kcpkuyjz4MJK

Attributes

encryption_key
5nIMwmTRG5wyVhouaxGb
install_name
Windows Defender Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Security
subdirectory
SubDir

Targets

- Target
  
  813f353b1285bcaea41f868746ab9fdd_JaffaCakes118
- Size
  
  618KB
- MD5
  
  813f353b1285bcaea41f868746ab9fdd
- SHA1
  
  301209445bdfd758b1f647bdbcf1609ee07296e7
- SHA256
  
  ce140c5a412462747256fb0c54a6d4ffd98a891fba26164a62fd2349c3f44982
- SHA512
  
  1ef96e09c43a7c71395112c2a867e60259483585deeb60c122482d4e943b7eef7f432196eb62387655d819d29e8c64c98cf49b04623ff185924135b8aa128d38
- SSDEEP
  
  12288:LlZyWuK5AwBaCPY5OtC36PdbidyQPdF58SxXnkXnmHuYYOm:WZlwBaCPtC3+e4S1k0D
Score

10^/10

quasar venomrat windows defender security evasion persistence rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarvenomratwindows defender securityevasionpersistenceratrootkitspywarestealertrojan

behavioral2

quasarvenomratwindows defender securityevasionpersistenceratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy