General

  • Target

    62ae14d3dd02e1b12d50084d22ca02ada727f525de08f77ed932deb7d1db7f01

  • Size

    969KB

  • Sample

    240918-rpbkbswfnn

  • MD5

    b2a8e67cfd31a6e87eec14124749652e

  • SHA1

    6b31fa8adca73dfff6ed66164d583b21707302b9

  • SHA256

    62ae14d3dd02e1b12d50084d22ca02ada727f525de08f77ed932deb7d1db7f01

  • SHA512

    ac5f4d674369057458dc78a8f460f3e822760c080052e07569dec43d375263a07faa7ec28b817ee8661d25d9a3afac849f0fe8ccb141655402ee0edc497ffb7b

  • SSDEEP

    24576:IiWiBxDrVBPcI02raqSLqntMLEVlTlv0EPKv43lYS+dhc5:XnyqSLqtMusA04IdE

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

ShanjQhandohDBT4

C2

127.0.0.1:4782

Mutex

VNM_MUTEX_TsedL3VlE1RYgzxmD0

Attributes
  • encryption_key

    n36uZkPlhyNINnnTiI80

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft Corporation

  • subdirectory

    SubDir

Targets

    • Target

      CATALOGUE2024.GBLTD.bat

    • Size

      1.1MB

    • MD5

      d276007d99a3f3aa1f0c9d85857f580b

    • SHA1

      d2a920b76ceb676c5cced1504bea5056824c942d

    • SHA256

      4b32b987a1815005b4cce599f2691cf7600433da1886a3e4d79fa80ac85df8d7

    • SHA512

      ba1fb1e882c3d4f86d2cb02fe2b7883de1b47bb16fb9e3e418d36a77f8d1e87fb13a4df2557db909ee0b4896f38fda0026ca8002d19c1b26e89c090bec906639

    • SSDEEP

      24576:peq3eRCl8rvXzpmsCraU8hgHjUBE5zxLv0SPuvi3lnQUpxLJY:IRCirbjU8hgDU6CWoiWixO

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilities.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks