General

  • Target

    d53df5b6b080ba24773ca16c7a8b70eeb783ead278712e0c5b44abc84805e60e.exe

  • Size

    534KB

  • Sample

    240614-cf6a1s1eme

  • MD5

    9e14775490cee79c73cb45c2f24f7a73

  • SHA1

    ddd6c7485a5e64a66a0a7598777abdafa7a63950

  • SHA256

    d53df5b6b080ba24773ca16c7a8b70eeb783ead278712e0c5b44abc84805e60e

  • SHA512

    1c0aec61a64400bcf18f6f0e5a950c68b7a25492b07290e3793a759f616c1b361ed6472d260d0f379b691567216a1f9e53af53b2dc89711df618a4463c8d0317

  • SSDEEP

    12288:ijxIhDXIsMzz2ze1gejMd3mD88i2i3PdjfAag06:i9+IsM55O3glgPO

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows security

C2

quasarrat220-24487.portmap.io:24487

Mutex

VNM_MUTEX_mOPqShedZxvAqgLrWL

Attributes
  • encryption_key

    7mvA2TfKjvMIY0zZeMKF

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      d53df5b6b080ba24773ca16c7a8b70eeb783ead278712e0c5b44abc84805e60e.exe

    • Size

      534KB

    • MD5

      9e14775490cee79c73cb45c2f24f7a73

    • SHA1

      ddd6c7485a5e64a66a0a7598777abdafa7a63950

    • SHA256

      d53df5b6b080ba24773ca16c7a8b70eeb783ead278712e0c5b44abc84805e60e

    • SHA512

      1c0aec61a64400bcf18f6f0e5a950c68b7a25492b07290e3793a759f616c1b361ed6472d260d0f379b691567216a1f9e53af53b2dc89711df618a4463c8d0317

    • SSDEEP

      12288:ijxIhDXIsMzz2ze1gejMd3mD88i2i3PdjfAag06:i9+IsM55O3glgPO

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing artifacts associated with disabling Widnows Defender

    • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks