quasar | 7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba | Triage

Submit
Reports

Overview

overview

Static

static

2lz.exe

windows7-x64

2lz.exe

windows10-2004-x64

Sharing

General

Target

2lz.exe
Size

5.9MB
Sample

240613-b5tsvazcph
MD5

12f9b68ed66fed9a1e3c1c2319c837c6
SHA1

e423cbd003c718b6fa268de83806dae6a9fe88c3
SHA256

7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba
SHA512

b649639d2363f135f694f8d5968a6b7adabd76ef793a3fb9313b1c142a0e749be33a5831c4d0cbc32ea170a2100f693755b378280f252dd50bd1ddf008b1ba53
SSDEEP

98304:pMI+LjNr86mjj/UYviu26bbyKS2myX0rPgIh:p8Vmj72wblTmyEgG

Score

10^/10

quasar venomrat windows security rat rootkit spyware stealer trojan

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

2lz.exe

Resource

win7-20240611-en

quasar venomrat windows security rat rootkit spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

2lz.exe

Resource

win10v2004-20240611-en

quasar venomrat windows security rat rootkit spyware stealer trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows security

C2

quasarrat220-24487.portmap.io:24487

Mutex

VNM_MUTEX_mOPqShedZxvAqgLrWL

Attributes

encryption_key
7mvA2TfKjvMIY0zZeMKF
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Targets

- Target
  
  2lz.exe
- Size
  
  5.9MB
- MD5
  
  12f9b68ed66fed9a1e3c1c2319c837c6
- SHA1
  
  e423cbd003c718b6fa268de83806dae6a9fe88c3
- SHA256
  
  7c5919ffcd3234d3c520120fbbeb9204e11ca3adfbfc175175a1e087492cbbba
- SHA512
  
  b649639d2363f135f694f8d5968a6b7adabd76ef793a3fb9313b1c142a0e749be33a5831c4d0cbc32ea170a2100f693755b378280f252dd50bd1ddf008b1ba53
- SSDEEP
  
  98304:pMI+LjNr86mjj/UYviu26bbyKS2myX0rPgIh:p8Vmj72wblTmyEgG
Score

10^/10

quasar venomrat windows security rat rootkit spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarvenomratwindows securityratrootkitspywarestealertrojan

behavioral2

quasarvenomratwindows securityratrootkitspywarestealertrojan

© 2018-2024

Terms | Privacy