quasar | 317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87 | Triage

Submit
Reports

Overview

overview

Static

static

3

017d1ddeb4...18.exe

windows7-x64

017d1ddeb4...18.exe

windows10-2004-x64

Sharing

General

Target

017d1ddeb4f16982eda16fe8f07c63e6_JaffaCakes118
Size

2.6MB
Sample

240622-f48mtszerh
MD5

017d1ddeb4f16982eda16fe8f07c63e6
SHA1

ac0bca32f8eb453aad9df1b9fb0ca6dad9d70556
SHA256

317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87
SHA512

d0439cdcea450461ce8f61121b86fada72abd52d13251e47d76949aa9ce370c8bc64169be96719e7010411fe92d8194db9835df1825490da4bc283b1660886bc
SSDEEP

49152:sslxW0qtwxdh9Q7Wm1kX8sp1ua2oUHXN5Wr7Pf:nlwTtWhs1a8KOVHXNgXf

Score

10^/10

quasar venomrat rat evasion rat rootkit spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

017d1ddeb4f16982eda16fe8f07c63e6_JaffaCakes118.exe

Resource

win7-20240508-en

quasar venomrat rat evasion rat rootkit spyware stealer trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

017d1ddeb4f16982eda16fe8f07c63e6_JaffaCakes118.exe

Resource

win10v2004-20240611-en

quasar venomrat rat evasion rat rootkit spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

RAT

C2

23.105.131.178:7812

Mutex

VNM_MUTEX_It9SqdFDNndEItXfKp

Attributes

encryption_key
txgQXKaATimN7DY8jnPH
install_name
Windows Defender Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
Microsoft

Targets

- Target
  
  017d1ddeb4f16982eda16fe8f07c63e6_JaffaCakes118
- Size
  
  2.6MB
- MD5
  
  017d1ddeb4f16982eda16fe8f07c63e6
- SHA1
  
  ac0bca32f8eb453aad9df1b9fb0ca6dad9d70556
- SHA256
  
  317318d266640fa0575567b71cc5ba18e1cca5d8205e544037e6e730a3795e87
- SHA512
  
  d0439cdcea450461ce8f61121b86fada72abd52d13251e47d76949aa9ce370c8bc64169be96719e7010411fe92d8194db9835df1825490da4bc283b1660886bc
- SSDEEP
  
  49152:sslxW0qtwxdh9Q7Wm1kX8sp1ua2oUHXN5Wr7Pf:nlwTtWhs1a8KOVHXNgXf
Score

10^/10

quasar venomrat rat evasion rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarvenomratratevasionratrootkitspywarestealertrojan

behavioral2

quasarvenomratratevasionratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy