quasar | 6ca5561637075df7fc371638c56e9ecd3ba4967979e396619d5b9dfb69a10743 | Triage

Submit
Reports

Overview

overview

Static

static

3

4b9d9e8512...18.exe

windows7-x64

4b9d9e8512...18.exe

windows10-2004-x64

Sharing

General

Target

4b9d9e8512113210558953f19c7e6c2a_JaffaCakes118
Size

709KB
Sample

240516-r5elxshh27
MD5

4b9d9e8512113210558953f19c7e6c2a
SHA1

a79f5b32c87cce6413c36741810dcc859ce42cac
SHA256

6ca5561637075df7fc371638c56e9ecd3ba4967979e396619d5b9dfb69a10743
SHA512

317244156c931561f2fe22999571a524cbf1050756d9584d0dba9aeb82ad76f8572dbc96447a100c9bc76d31adbcdfaaf4d5dd0c26e8efbabe2b984161709f87
SSDEEP

12288:rkcj3Ez4oa3NX7ebbUxvFwSxTk+MRH8Sn9vTUpAYT2MHCTX:5oeabONwwTOHp9KAYi04

Score

10^/10

quasar venomrat svhost rat rootkit spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

4b9d9e8512113210558953f19c7e6c2a_JaffaCakes118.exe

Resource

win7-20240221-en

quasar venomrat svhost rat rootkit spyware stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

4b9d9e8512113210558953f19c7e6c2a_JaffaCakes118.exe

Resource

win10v2004-20240426-en

quasar venomrat svhost rat rootkit spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

svhost

C2

myconect.ddns.net:6606

Mutex

VNM_MUTEX_ND6PULLW5ZVLwo1nwR

Attributes

encryption_key
yaa63tXY4j55os5llHHd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Targets

- Target
  
  4b9d9e8512113210558953f19c7e6c2a_JaffaCakes118
- Size
  
  709KB
- MD5
  
  4b9d9e8512113210558953f19c7e6c2a
- SHA1
  
  a79f5b32c87cce6413c36741810dcc859ce42cac
- SHA256
  
  6ca5561637075df7fc371638c56e9ecd3ba4967979e396619d5b9dfb69a10743
- SHA512
  
  317244156c931561f2fe22999571a524cbf1050756d9584d0dba9aeb82ad76f8572dbc96447a100c9bc76d31adbcdfaaf4d5dd0c26e8efbabe2b984161709f87
- SSDEEP
  
  12288:rkcj3Ez4oa3NX7ebbUxvFwSxTk+MRH8Sn9vTUpAYT2MHCTX:5oeabONwwTOHp9KAYi04
Score

10^/10

quasar venomrat svhost rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarvenomratsvhostratrootkitspywarestealertrojan

behavioral2

quasarvenomratsvhostratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy