quasar | f1f367c2bd3c1bc93a4c4a3081a3aa1072eb7a50d13927e3b5bc03c310248d3a

General

Target

dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118
Size

709KB
Sample

240912-fqbqyasepr
MD5

dbdca8a3ffa33284e03a1a7bd57e12ad
SHA1

facc92651a792c4c8abe606ca47424b4f042224b
SHA256

f1f367c2bd3c1bc93a4c4a3081a3aa1072eb7a50d13927e3b5bc03c310248d3a
SHA512

727cd27bfb0ffc7a9f76fd02417de92a34ef4a1ed341953b1f5c6f78f851c83d5de390d3168df89367196a3de25eb370be1c3867affc94ae6520dff22d36bd94
SSDEEP

12288:UJr8tk+8yQiFDmBhfyW8vXAo+bcRkkOHia0crMIsTX:Wx+5QhfP5x7Nm

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_ND6PULLW5ZVLwo1nwR

Attributes

encryption_key
yaa63tXY4j55os5llHHd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Targets

- Target
  
  dbdca8a3ffa33284e03a1a7bd57e12ad_JaffaCakes118
- Size
  
  709KB
- MD5
  
  dbdca8a3ffa33284e03a1a7bd57e12ad
- SHA1
  
  facc92651a792c4c8abe606ca47424b4f042224b
- SHA256
  
  f1f367c2bd3c1bc93a4c4a3081a3aa1072eb7a50d13927e3b5bc03c310248d3a
- SHA512
  
  727cd27bfb0ffc7a9f76fd02417de92a34ef4a1ed341953b1f5c6f78f851c83d5de390d3168df89367196a3de25eb370be1c3867affc94ae6520dff22d36bd94
- SSDEEP
  
  12288:UJr8tk+8yQiFDmBhfyW8vXAo+bcRkkOHia0crMIsTX:Wx+5QhfP5x7Nm
Score

10^/10

quasar venomrat svhost discovery rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Contains code to disable Windows Defender

Quasar RAT

Quasar payload

VenomRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2