quasar | 2a2a56b751efe7cbdf1b8f7186135693ab65a3c2645f5567efbff977c42cfc56

General

Target

Arsium Ransomware Builder.7z
Size

3.4MB
Sample

250209-rtspeatpfm
MD5

42e9e45b77456883b7ed72875ecb4e1a
SHA1

b65a32f19300af39f7e19abbc8bad4436c129531
SHA256

2a2a56b751efe7cbdf1b8f7186135693ab65a3c2645f5567efbff977c42cfc56
SHA512

54f96e3385774ca330ca7491ea0dafd90804cd2cd036e318bc38c685f98d323b79f7bfe36ef96289db030c693daa064046c48394aa2d47cc0a4487c224acc19f
SSDEEP

98304:g+11eqPTtB9iolO8x0LH2f2BJNUwWgYIC6YQCgp+wamnK/Fqx:gs5P5B9iolOJi2BJ6SYICrZ0+7mnEwx

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Steam

C2

Minecrafthosting6969-35389.portmap.io:35389

Mutex

EAojkiVMQ0sDtyACyi

Attributes

encryption_key
P5xHRD8P5ncR2T1uRpgp
install_name
Steam.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Steam
subdirectory
SubDir

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Security Notification

C2

gamingzone90-25909.portmap.io:25909

Mutex

VNM_MUTEX_Ejw8ka3f07tGEgQHA3

Attributes

encryption_key
qZLYnZOQyovJkVBseb5s
install_name
Windows Security Notification.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Notification
subdirectory
SubDir

Targets

- Target
  
  Arsium Ransomware Builder.exe
- Size
  
  3.5MB
- MD5
  
  99bd2a5d346e6f119dca5392137d76ed
- SHA1
  
  66c4f7bfafa46820b5b096e8d7a1ee7cf58b9319
- SHA256
  
  6aab87e3a11a2fd55655f78effd7f1033d563ce15a06bf1cd4ec3a4d0937830f
- SHA512
  
  62aabb4e8125afea3c316e63a677e707090524aa130da5cc40aac689ccaa9e34527c1d613f375389fee4188a91bcbd28e27b8982bc8d998b45e994f6c460e4e6
- SSDEEP
  
  98304:QnmIT1y2JmONtNs4SDszKdXN4YS9gjf2h9FsYkSBW4Cc:Q3c2JmaLsz4zsKVijehH99BW4C
Score

10^/10

quasar venomrat steam windows security notification defense_evasion discovery evasion rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Venomrat family
  venomrat
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1