quasar | e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c | Triage

Submit
Reports

Overview

overview

Static

static

3

a500424ebd...18.exe

windows7-x64

a500424ebd...18.exe

windows10-2004-x64

Sharing

General

Target

a500424ebd54b1e006ccad65266562e3_JaffaCakes118
Size

303KB
Sample

240613-l5g46atgmf
MD5

a500424ebd54b1e006ccad65266562e3
SHA1

18be3591da1c3d79aee29026c30c67567e3b2bad
SHA256

e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c
SHA512

c197f02534c15b82f81def7d60349fba1e72c0b82d8b11fe64856a7ae7833e9d9d70d723bac8e1809ceda2cc9c76eb87025199230ba08ebc89bde2f6b71931ec
SSDEEP

6144:7VPN+C5cB6NYR+perZTyhGupmUfr7MUYbW2KrFrg30RSsBWRzPDzWrkpeF4+:JPN+C5cB6pGTggGHUUrdgEAsotMk

Score

10^/10

quasar venomrat office04 rat rootkit spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

a500424ebd54b1e006ccad65266562e3_JaffaCakes118.exe

Resource

win7-20231129-en

quasar venomrat office04 rat rootkit spyware stealer trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

a500424ebd54b1e006ccad65266562e3_JaffaCakes118.exe

Resource

win10v2004-20240611-en

quasar venomrat office04 rat rootkit spyware stealer trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_bW2Pm17MwUNvIYeCrf

Attributes

encryption_key
skMcIyTXgvAaYya6lzLD
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Targets

- Target
  
  a500424ebd54b1e006ccad65266562e3_JaffaCakes118
- Size
  
  303KB
- MD5
  
  a500424ebd54b1e006ccad65266562e3
- SHA1
  
  18be3591da1c3d79aee29026c30c67567e3b2bad
- SHA256
  
  e4b0894af3fb7948dd92288339cf2fda627c26ec25b4d37c1620f6c005c0c01c
- SHA512
  
  c197f02534c15b82f81def7d60349fba1e72c0b82d8b11fe64856a7ae7833e9d9d70d723bac8e1809ceda2cc9c76eb87025199230ba08ebc89bde2f6b71931ec
- SSDEEP
  
  6144:7VPN+C5cB6NYR+perZTyhGupmUfr7MUYbW2KrFrg30RSsBWRzPDzWrkpeF4+:JPN+C5cB6pGTggGHUUrdgEAsotMk
Score

10^/10

quasar venomrat office04 rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarvenomratoffice04ratrootkitspywarestealertrojan

behavioral2

quasarvenomratoffice04ratrootkitspywarestealertrojan

© 2018-2025

Terms | Privacy