Overview

overview

10

Static

static

10

Paypal cracker.exe

windows7-x64

10

Paypal cracker.exe

windows10-2004-x64

libeay32.dll

windows7-x64

3

libeay32.dll

windows10-2004-x64

3

libssl32.dll

windows7-x64

3

libssl32.dll

windows10-2004-x64

3

msvcr71.dll

windows7-x64

3

msvcr71.dll

windows10-2004-x64

3

ssleay32.dll

windows7-x64

3

ssleay32.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PayPal_BruteChecker.zip

  • Size

    3.7MB

  • Sample

    241231-pdyjlszkgy

  • MD5

    9b0d7d535cc97c8f4a30e74704d5de44

  • SHA1

    20a75baacd6917dc03065a2c2606439efee70012

  • SHA256

    537a88d2c2c8cee418e6b1da94d655caa0ece2beb6c04fe1f96aeb199d87eded

  • SHA512

    ab62dc66361905d0157a2eb65f198884c8d2bcd1260f0a3c85e6d971c596b66d634131c05e44f7681430a0c1229fce38c8ee6d24c0d61893fb588967e0111ee2

  • SSDEEP

    98304:sM0xz+O+1+0NEnls8+M7XbZJ/0CXKLAXbz54YEa2m:v8+1+0NCe8XbnWoRdEQ

Score
10/10
quasarvenomratwindows securitydiscoverypersistenceratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows security

C2

quasarrat220-24487.portmap.io:24487

Mutex

VNM_MUTEX_mOPqShedZxvAqgLrWL

Attributes
  • encryption_key

    7mvA2TfKjvMIY0zZeMKF

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      Paypal cracker.exe

    • Size

      6.6MB

    • MD5

      5627dd16f023b8be51ed365d2fb6fee5

    • SHA1

      fcccce747bf6c824233cfda366798fa0467d3daf

    • SHA256

      2e2f6fe5b310d843656af43b60c0faddf6eb0f329efc8353272437db44b5f247

    • SHA512

      e475f903d2afd4c1b985f368f77610270df54bb8207130f6339e59595777718cfadadbb732775523a11aa035cbbf3c6d81896a33d84b40f6c01f182a1654f637

    • SSDEEP

      98304:xRlI+LjNr86mjj/UYviu26bbyKS2myX0rPpIh1KcV:xRlVmj72wblTmyEpG17V

    Score
    10/10
    quasarvenomratwindows securitydiscoverypersistenceratrootkitspywarestealertrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

      ratrootkitstealervenomrat

    • Venomrat family

      venomrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      libeay32.dll

    • Size

      988KB

    • MD5

      177bda0c92482dfa2c162a3750932b9c

    • SHA1

      cb3b8a465fb55e9e0b4bb5a3298a481557a799d5

    • SHA256

      17a4b75ef43a4fdeedaef86c39bead6719144e3e368b55898b79ecb371012854

    • SHA512

      d6900cbcd53d2993ea639e70fe7d0b29595153c4ef54eb9c4a264c22963ca64d551dd633ce1c5d657bd371ddeebcff00419d50a13e423d44f25c8ac9f8ccf3d0

    • SSDEEP

      12288:baTkV9YfAjvnC+pcU0MfHJQXA7WpVn2UNKQbox5b6j6iHk:bOBcnJpcTMve5pV9sQbsejrHk

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      libssl32.dll

    • Size

      242KB

    • MD5

      0fe22a92ca281ce90559b271c59720e0

    • SHA1

      ff15840b0e0915137b26bbd7cccf20842ce4f70c

    • SHA256

      697dbe0b9635f723568d0911d1c48a91c326f116f674003b26d5653ec157b4de

    • SHA512

      2f3394341134a93a9c9f29f09a8c9e28e9942c452f828db7c734631d4c01ca0088150d329e9e4f3e1d9f50fa68fbb91b45670c43dd26c82cc3e04a0ddd100d9c

    • SSDEEP

      3072:Bah7VLBox0RGusHgbCdFoccseuoejw6J2focByGhQQDuXtrxYpGwyzTjAOj:8pVFoDusAOA95ulJg8GctrxYpmvAOj

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      msvcr71.dll

    • Size

      340KB

    • MD5

      5d70d744b237a3a1f57c475600764c3e

    • SHA1

      87bad3d29394b08459d164a6047657a3f9498f60

    • SHA256

      525b896a6de9d1c400a61d09cbd1248376f64559da5ef22380600efefdd06078

    • SHA512

      730e876de54596e5ef9e7e14a5eb74efd1661659ebb06c0be8ff7055d62103d5fedd11c07ccf1a2b958c46542cff580ce3a22d4d313cb8ed8b82e6ba6db3571a

    • SSDEEP

      6144:PcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Poz83OtIEzW+/m/AyF7bCrO/E

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      ssleay32.dll

    • Size

      192KB

    • MD5

      5023f4c4aaaa1b6e9d992d6bbdcd340b

    • SHA1

      2165b4a8089a7c00dc586c983e8548653a4e0ce4

    • SHA256

      59b1be1072dd4aca5ddcf9b66d5df8bec327b4891925ba2339fe6ac6a1bf6d19

    • SHA512

      c2885d8a8daac7ff83991dd81c6b2993c874081ea8877511aedd61e31829b26d33d8d9e433c7c72dd79d4cdf5d2a6e484b980117549770df1d2f2f522f8a0758

    • SSDEEP

      3072:whsCnSceRcwwWbLhF8KzwtF1TKXpE2y5jfFKRz+AAWeZJHR7u9Ea3Q0du1f:5TRVwWblFrzw31TKRatKVjqJHW3/d

    Score
    3/10
    discovery
    behavioral10behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks