{
	"id": "d0d69f14-ce3e-4069-a77a-c3f4661dc1df",
	"created_at": "2026-04-06T00:17:50.551269Z",
	"updated_at": "2026-04-10T13:12:36.565297Z",
	"deleted_at": null,
	"sha1_hash": "e20d4a86631d905166dcf39d903bcc1e4920b58b",
	"title": "VERMIN: Quasar RAT and Custom Malware Used In Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 676776,
	"plain_text": "VERMIN: Quasar RAT and Custom Malware Used In Ukraine\r\nBy Juan Cortes, Tom Lancaster\r\nPublished: 2018-01-29 · Archived: 2026-04-05 17:58:56 UTC\r\nSummary\r\nPalo Alto Networks Unit 42 has discovered a new malware family, written for the Microsoft .NET Framework, which its authors call \"VERMIN\"; an ironic name for a RAT (Remote Access Tool). A cursory investigation showed that the attackers not only had a flair for naming malware but also for choosing interesting targets: nearly all the targeting we were able to uncover related to activity in Ukraine.\r\nPivoting further on the initial samples we discovered, and on their infrastructure, revealed a modestly sized campaign going back to late 2015 that used both Quasar RAT and VERMIN.\r\nThis blog shows the links between the activity observed, a walkthrough of the analysis of the VERMIN malware, and IOCs for all activity discovered.\r\nIt all began with a tweet\r\nOur initial interest was piqued by a tweet from a fellow researcher who had identified some malware that used a lure relating to the Ukrainian Ministry of Defense.\r\nFigure 1 – The decoy document displayed to users when executing the initial malware sample\r\nThe sample was an SFX exe which displayed a decoy document to the user before continuing to execute the malware; the hash of the file is given below.\r\nSHA256 31a1419d9121f55859ecf2d01f07da38bd37bb11d0ed9544a35d5d69472c358e\r\nThe malware was notable for its use of HTTP-encapsulated SOAP, an XML-based protocol for exchanging structured information, for command and control (C2); SOAP is rarely seen as a C2 channel in malware samples. 
Using AutoFocus, we were quickly able to find similar samples by pivoting on the artifacts the malware created during a sandbox run, which turned up 7 other samples, as shown in Figure 2.\r\nFigure 2 – Pivoting in AutoFocus makes it easy to find similar malware samples.\r\nUsing the Maltego for AutoFocus transforms, we then took the newly discovered samples and examined their C2 infrastructure to see whether the samples could be linked together and whether the same C2 servers were contacted by other malware. We quickly built up a picture of a campaign spanning just over 2 years with a modest C2 infrastructure:\r\nFigure 3 – Further analysis using AutoFocus \u0026 other data sources allows us to link up the activity discovered so far.\r\nThe malware samples we discovered fell largely into two buckets: Quasar RAT and VERMIN. Quasar RAT is an open-source malware family that has been used in several other attack campaigns, both criminally and espionage motivated. A reasonable number of the samples, however, belonged to the new family, VERMIN. Looking at the samples in our cluster, we could see that the themes of the dropper files were similar to our first sample. Notably, most of the other files we discovered did not come bundled with a decoy document; instead they were simply the dropper and malware compiled with icons matching popular document-viewing tools, such as Microsoft Word. 
Names of some of the other dropper binaries observed are given below, with the original file name (Ukrainian, except for the last, which is Russian) on the left and an English translation on the right:\r\nOriginal Name | Translated Name (if applicable)\r\nВаші сертифікати для отримання безоплатної вторинної допомоги.exe | Your certificates for obtaining free secondary assistance.exe\r\nдоповідь2.exe | report2.exe\r\nдоповідь забезпечення паливом 08.06.17.exe | fuel supply report 08.06.17.exe\r\nlg_svet_smeta2016-2017cod.exe | N/A\r\nlugansk_2273_21.04.2017.exe | N/A\r\nОтчет-районы_2кв-л-2016.exe | Report-districts_Q2-2016.exe\r\nGiven the interesting targeting themes and the discovery of a new malware family, we decided to take a closer look at what “VERMIN” was capable of and document it here.\r\nDissecting VERMIN\r\nFor this walkthrough, we’ll be going through the analysis of the following sample:\r\nSHA256 98073a58101dda103ea03bbd4b3554491d227f52ec01c245c3782e63c0fdbc07\r\nCompile Timestamp 2017-07-04 12:46:43 UTC\r\nAnalyzing the malware dynamically quickly gave us a name for it, based on the PDB string present in the memory of the sample:\r\nZ:\\Projects\\Vermin\\TaskScheduler\\obj\\Release\\Licenser.pdb\r\nAs is the case with many of the samples from the threat actors behind VERMIN, our sample is initially packed with the popular .NET obfuscation tool ConfuserEx. 
Using a combination of tools, we were able to unpack and deobfuscate the malware.\r\nFollowing initial execution, the malware first checks whether any input language installed on the system is one of the following:\r\nru - Russian\r\nuk - Ukrainian\r\nru-ru - Russian\r\nuk-ua - Ukrainian\r\nIf none of these languages is found, the malware calls “Application.Exit()”. Despite its name, this call does not terminate the process: System.Windows.Forms.Application.Exit() only tells any running message loops to stop and closes open forms, so execution simply continues and the malware runs regardless of the language check. The author most likely intended to terminate the application, in which case a call such as “System.Environment.Exit()” would have been the right choice. The fact that this check does not work as intended suggests that if the author tested the malware before deployment, they did so on systems whose installed languages matched the list above, since otherwise they would have noticed that the check has no effect.\r\nAfter passing the input-language check, the malware decrypts an embedded resource using the following logic:\r\nIt retrieves the final four bytes of the encrypted resource.\r\nThese four bytes are a CRC32 checksum; the malware then brute-forces which 6-byte value produces this CRC32.\r\nOnce it finds this array of 6 bytes, it computes the MD5 hash of the bytes, and the 16-byte digest is used as the AES key.\r\nThe first 16 bytes of the encrypted resource are used as the IV for decryption.\r\nFinally, it decrypts the remainder of the resource using AES in CBC mode.\r\nA script mirroring this routine can be found in Appendix C. Note that each of the six key bytes only ever takes a value from 0 to 6 (the bytes are generated as a random integer modulo 7, as the script reflects), so the search covers at most 7^6 = 117,649 candidates and completes almost instantly. Storing only the CRC32 of the key, rather than the key itself, keeps the key out of the binary but offers no real protection: anyone holding the blob can recover the key exactly as the malware does.\r\nAfter decrypting the embedded resource, the malware passes several hardcoded arguments to the newly decrypted binary and performs a simple setup routine before continuing execution. The embedded resource contains all the main code for the RAT’s communications and functionality.\r\nThe decrypted payload first attempts to decrypt all of the strings passed to it as parameters. 
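The key-recovery half of the resource-decryption routine described above, as an added example that is not code from the original post or from Unit 42: the stdlib-only Python below enumerates the restricted key space in order (rather than sampling at random as the script in Appendix C does), reports CRC32 collisions instead of silently taking the first hit, and derives the AES key from the recovered bytes. The blob layout and the 0 to 6 byte range follow the post; the sample blob in the block is constructed filler, and the AES-CBC decryption step itself is left to the Appendix C script.

```python
#!/usr/bin/env python3
# Added example, not code from the original post or from Unit 42: recover the
# AES key VERMIN derives for an embedded resource, using nothing but the blob.
# Stdlib only; the AES-CBC decryption step is left to the Appendix C script.
import hashlib
import itertools
import struct
import zlib

KEY_BYTE_VALUES = range(7)  # each key byte is generated as randint() % 7, so 0..6
KEY_LEN = 6
IV_LEN = 16


def keyspace_size():
    """Number of distinct key-byte arrays the scheme can ever produce: 7**6."""
    return len(KEY_BYTE_VALUES) ** KEY_LEN


def split_blob(blob):
    """Blob layout: 16-byte IV | AES-CBC ciphertext | 4-byte little-endian CRC32 of the key bytes."""
    if len(blob) < IV_LEN + 4:
        raise ValueError('blob too short to hold an IV and a CRC32 trailer')
    iv, ciphertext, trailer = blob[:IV_LEN], blob[IV_LEN:-4], blob[-4:]
    return iv, ciphertext, struct.unpack('<I', trailer)[0]


def candidate_keys(target_crc):
    """Every key-byte array in the restricted alphabet whose CRC32 equals the trailer.
    Enumerates all 7**6 candidates in order, so CRC32 collisions are reported, not hidden."""
    return [bytes(c) for c in itertools.product(KEY_BYTE_VALUES, repeat=KEY_LEN)
            if zlib.crc32(bytes(c)) == target_crc]


def derive_aes_key(blob):
    """Return (key_bytes, aes_key, iv, ciphertext); the AES key is MD5(key_bytes)."""
    iv, ciphertext, target_crc = split_blob(blob)
    found = candidate_keys(target_crc)
    if not found:
        raise ValueError('no key in the 7**6 space matches CRC32 0x%08x' % target_crc)
    if len(found) > 1:
        raise ValueError('CRC32 collision: %d candidate keys, decrypt with each' % len(found))
    key_bytes = found[0]
    return key_bytes, hashlib.md5(key_bytes).digest(), iv, ciphertext


def build_blob(key_bytes, iv, ciphertext):
    """Assemble a blob in the malware's layout (used here only to construct test input)."""
    return iv + ciphertext + struct.pack('<I', zlib.crc32(key_bytes))


if __name__ == '__main__':
    # Constructed sample, not a real VERMIN resource: the "ciphertext" is filler,
    # since only the trailer matters for key recovery.
    sample_key = bytes([3, 0, 6, 1, 4, 2])
    blob = build_blob(sample_key, bytes(range(IV_LEN)), bytes(32))
    key_bytes, aes_key, iv, ciphertext = derive_aes_key(blob)
    print('key space size:', keyspace_size())
    print('recovered key bytes:', list(key_bytes))
    print('AES-128 key (MD5 of key bytes):', aes_key.hex())
```

Running it prints the key space size (117649) and the recovered key bytes; on a real resource, pass derive_aes_key() the raw decoded bytes and hand the returned aes_key, iv and ciphertext to an AES-CBC decryptor.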
If no arguments were supplied, the malware attempts to read a configuration file from a predefined location, expecting it to be base64-encoded and encrypted with 3DES using the hardcoded 16-character (two-key 3DES) key \"KJGJH\u0026^$f564jHFZ\":\r\nC:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\settings.dat\r\nIf arguments were supplied, they are encrypted and saved to the same location.\r\nThe parameters supplied are listed below. Note that these are the actual variable names used by the malware author, typos included:\r\nserverIpList\r\nmypath\r\nkeyloggerPath\r\nmutex\r\nusername\r\npassword\r\nkeyloggerTaskName\r\nmyTaskName\r\nmyProcessName\r\nkeyLoggerProcessName\r\nmyTaskDecription\r\nmyTaskAuthor\r\nkeyLoggerTaskDecription\r\nkeyLoggerTaskAuthor\r\nThe decrypted resource is registered as a scheduled task that runs every 30 minutes, indefinitely, under the name, description and author strings supplied in the configuration (myTaskName, myTaskDecription, myTaskAuthor); a task with that repetition interval and operator-chosen metadata is therefore a useful host-level indicator.\r\nAfter this, the malware is ready to start operations, and does so by collecting information about the infected machine, including but not limited to:\r\nMachine name\r\nUsername\r\nOS name, via WMI query\r\nArchitecture: x64 vs x86 (64 vs. 32 bit)\r\nLocal IP address\r\nInstalled anti-virus products, via WMI query\r\nIf the anti-virus (AV) query finds that any AV product is installed, the malware does not install the keylogger. The keylogger is embedded as a resource named ‘AdobePrintFr’. This binary is only packed with ConfuserEx and is not further obfuscated.\r\nThe malware then sends its initial beacon as a SOAP envelope to establish a secure connection. The author uses the WSHttpBinding() API, which enables WS-Addressing, and deliberately sets WSMessageEncoding.Mtom so that the SOAP messages are MTOM-encoded. 
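How this beacon can be recognised on the wire, as an added example (not code from the original post or from Unit 42) in stdlib Python: it parses a raw HTTP request, extracts the root part of the MTOM multipart/related body, and flags a SOAP 1.2 envelope whose WS-Addressing Action is the WS-Trust RST/Issue URI and whose t:BinaryExchange carries a TLS handshake record. The embedded request is constructed from the structure of the exemplar quoted below (same boundary, Action, host and BinaryExchange prefix; body shortened), with the host left defanged; the allowed_hosts parameter is an assumption that you must fill with the WCF endpoints your environment legitimately uses, because the same WSHttpBinding handshake is produced by benign .NET services.

```python
#!/usr/bin/env python3
# Added example, not code from the original post or from Unit 42: flag HTTP
# requests that look like VERMIN's initial beacon, i.e. a WCF WSHttpBinding
# message-security handshake (WS-Trust RST/Issue, MTOM-encoded, with a TLS
# record tunnelled in t:BinaryExchange). Stdlib only.
import base64
import re

WS_TRUST_ISSUE = b'http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue'
SOAP12_NS = b'http://www.w3.org/2003/05/soap-envelope'


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body); header names lower-cased."""
    head, _, body = raw.partition(b'\r\n\r\n')
    lines = head.decode('latin-1').split('\r\n')
    method, path, _version = lines[0].split(' ', 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def mtom_root_part(headers, body):
    """Return the application/xop+xml root part of an MTOM multipart/related body, else None."""
    ctype = headers.get('content-type', '')
    if 'multipart/related' not in ctype or 'application/xop+xml' not in ctype:
        return None
    match = re.search(r'boundary="?([^";]+)"?', ctype)
    if match is None:
        return None
    delimiter = b'--' + match.group(1).encode()
    for part in body.split(delimiter)[1:]:
        if part.startswith(b'--'):          # closing delimiter, no more parts
            break
        part_head, _, part_body = part.lstrip(b'\r\n').partition(b'\r\n\r\n')
        if b'application/xop+xml' in part_head.lower():
            return part_body.strip()
    return None


def tunnelled_tls_handshake(xml):
    """True if t:BinaryExchange starts with a TLS handshake record carrying a ClientHello
    (bytes 16 03 0x .. .. 01); this is what WCF's TLS negotiation places there."""
    match = re.search(rb'<t:BinaryExchange[^>]*>([A-Za-z0-9+/=]{8,})', xml)
    if match is None:
        return False
    try:
        first = base64.b64decode(match.group(1)[:8])   # 8 base64 chars -> 6 bytes
    except ValueError:
        return False
    return len(first) == 6 and first[0] == 0x16 and first[1] == 0x03 and first[5] == 0x01


def classify_beacon(raw, allowed_hosts=frozenset()):
    """Return the indicators found in one request; an empty list means nothing matched.
    allowed_hosts: WCF endpoints your organisation legitimately talks to (assumed input)."""
    method, path, headers, body = parse_http_request(raw)
    findings = []
    if method != 'POST':
        return findings
    root = mtom_root_part(headers, body)
    if root is None or SOAP12_NS not in root:
        return findings
    action = re.search(rb'<a:Action[^>]*>([^<]+)</a:Action>', root)
    if action is None or action.group(1).strip() != WS_TRUST_ISSUE:
        return findings
    host = headers.get('host', '')
    findings.append('WS-Trust RST/Issue over MTOM to %s%s' % (host, path))
    if tunnelled_tls_handshake(root):
        findings.append('TLS ClientHello tunnelled in t:BinaryExchange (WCF message security)')
    if host not in allowed_hosts:
        findings.append('host %s is not an approved WCF endpoint' % host)
    return findings


# Constructed sample modelled on the exemplar beacon quoted in the post (same
# boundary, Action, host and BinaryExchange prefix; body shortened), not a capture.
BOUNDARY = 'uuid:ae621187-99b2-4b50-8a74-a33e8c7c0990+id=3'
ENVELOPE = (
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" '
    'xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header>'
    '<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>'
    '<a:To s:mustUnderstand="1">http://akamainet024[.]info/CS</a:To></s:Header><s:Body>'
    '<t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>'
    '<t:KeySize>256</t:KeySize><t:BinaryExchange>'
    'FgMBAFoBAABWAwFaCdyfpYsLZDbnCizlWg3iw2M80KiaWb+oIgzhJ1BvugAAGAAvADUABQAKwBPAFMAJwAoAM'
    '</t:BinaryExchange></t:RequestSecurityToken></s:Body></s:Envelope>'
)
SAMPLE_REQUEST = (
    'POST /CS HTTP/1.1\r\n'
    'MIME-Version: 1.0\r\n'
    'Content-Type: multipart/related; type="application/xop+xml";'
    'start="<http://tempuri.org/0>";boundary="' + BOUNDARY + '"\r\n'
    'Host: akamainet024[.]info\r\n'
    'Connection: Keep-Alive\r\n'
    '\r\n'
    '--' + BOUNDARY + '\r\n'
    'Content-ID: <http://tempuri.org/0>\r\n'
    'Content-Transfer-Encoding: 8bit\r\n'
    'Content-Type: application/xop+xml;charset=utf-8;type="application/soap+xml"\r\n'
    '\r\n' + ENVELOPE + '\r\n'
    '--' + BOUNDARY + '--\r\n'
).encode()

if __name__ == '__main__':
    for finding in classify_beacon(SAMPLE_REQUEST, allowed_hosts={'sts.corp.example'}):
        print('ALERT:', finding)
```

Run over requests pulled from a proxy log or a PCAP, the classifier yields three indicators for the sample above. Tune it by allow-listing known internal WCF services rather than by loosening the Action check: the RST/Issue plus tunnelled-TLS combination is the stable part of the handshake, while hosts and paths are the part the operator can change.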
The author also configures ‘Username’ client-credential authentication for communicating with the C2, presumably to give the operator easier control over the various infected hosts. A defanged exemplar request is given below (long lines are cut off):\r\nPOST /CS HTTP/1.1\r\nMIME-Version: 1.0\r\nContent-Type: multipart/related; type=\"application/xop+xml\";start=\"\u003chttp://tempuri.org/0\u003e\";boundary=\"uuid:ae621187-99b2-4b50-8a74-a33e8c7c0\r\nHost: akamainet024[.]info\r\nContent-Length: 1408\r\nExpect: 100-continue\r\nAccept-Encoding: gzip, deflate\r\nConnection: Keep-Alive\r\n--uuid:ae621187-99b2-4b50-8a74-a33e8c7c0990+id=3\r\nContent-ID: \u003chttp://tempuri.org/0\u003e\r\nContent-Transfer-Encoding: 8bit\r\nContent-Type: application/xop+xml;charset=utf-8;type=\"application/soap+xml\"\r\n\u003cs:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:a=\"http://www.w3.org/2005/08/addressing\"\u003e\u003cs:Header\u003e\u003ca:Action\r\ns:mustUnderstand=\"1\"\u003ehttp://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue\u003c/a:Action\u003e\u003ca:MessageID\u003eurn:uuid:159e7656-a3ea-4099-aa59-7ab\r\n\u003ca:Address\u003ehttp://www.w3.org/2005/08/addressing/anonymous\u003c/a:Address\u003e\u003c/a:ReplyTo\u003e\u003ca:To s:mustUnderstand=\"1\"\u003ehttp://akamainet024[.]info/C\r\nContext=\"uuid-9a01748a-8acf-449e-9a3d-febcff2f2406-3\" xmlns:t=\"http://schemas.xmlsoap.org/ws/2005/02/trust\"\u003e\u003ct:TokenType\u003ehttp://schemas.x\r\n\u003ct:RequestType\u003ehttp://schemas.xmlsoap.org/ws/2005/02/trust/Issue\u003c/t:RequestType\u003e\u003ct:KeySize\u003e256\u003c/t:KeySize\u003e\u003ct:BinaryExchange 
ValueType=\"\r\nEncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\"\u003eFgMBAFoBAABWAwFaCdyfpYsLZDbnCizlWg3iw2M80KiaWb+oIgzhJ1BvugAAGAAvADUABQAKwBPAFMAJwAoAM\r\n\u003c/t:BinaryExchange\u003e\u003c/t:RequestSecurityToken\u003e\u003c/s:Body\u003e\u003c/s:Envelope\u003e\r\n--uuid:ae621187-99b2-4b50-8a74-a33e8c7c0990+id=3--\r\nThe request is a WS-Trust RequestSecurityToken (RST/Issue), and the t:BinaryExchange element carries a base64-encoded TLS handshake record: the decoded payload begins 16 03 01 00 5a 01, a TLS 1.0 handshake record holding a ClientHello. This is how WCF message security with Username credentials negotiates a session: a TLS handshake is tunnelled inside WS-Trust messages, and the subsequent SOAP bodies are encrypted at the message layer even though the transport is plain HTTP. A network capture therefore shows the SOAP and WS-Trust scaffolding, not the RAT’s commands, so network detection has to key on that scaffolding and on the C2 hosts rather than on command content.\r\nVERMIN collects all keystrokes and clipboard data and encrypts the data before storing it in the following folder:\r\n%appdata%\\Microsoft\\Proof\\Settings.{ED7BA470-8E54-465E-825C-99712043E01C}\\Profiles\\\r\nEach file is named using the format \"{0:dd-MM-yyyy}.txt\", i.e. one file per day. The data is encrypted using the same method and 3DES key used to encrypt the configuration file. The CLSID in the folder name is that of the Windows “All Tasks” Control Panel view, so Windows Explorer opens the folder as a Control Panel page instead of listing the log files; they remain visible from a command prompt, from PowerShell, or on a forensic image.\r\nVERMIN supports the following commands:\r\nArchiveAndSplit\r\nCancelDownloadFile\r\nCancelUploadFile\r\nCheckIfProcessIsRunning\r\nCheckIfTaskIsRunning\r\nCreateFolder\r\nDeleteFiles\r\nDeleteFolder\r\nDownloadFile\r\nGetMonitors\r\nGetProcesses\r\nKillProcess\r\nReadDirectory\r\nRenameFile\r\nRenameFolder\r\nRunKeyLogger\r\nSetMicVolume\r\nShellExec\r\nStartAudioCapture\r\nStartCaptureScreen\r\nStopAudioCapture\r\nStopCaptureScreen\r\nUpdateBot\r\nUploadFile\r\nFor most of these commands, the malware requires “hands-on-keyboard” style one-to-one interaction.\r\nRemote access tools written in .NET often borrow or steal code from other tools, given the plethora of code available through open source; however, whilst some small segments of code may have been lifted from other tools, this RAT is not a fork of a well-known malware family: it is mostly original code.\r\nWe have linked all the samples we have been able to identify to the same cluster of activity, which strongly suggests that the VERMIN malware is used exclusively by this threat actor and this threat actor 
alone.\r\nConcluding thoughts\r\nWe were unable to definitively determine the aims of the attackers or the data stolen. However, given the limited number of samples, the targeting themes observed, and the “hands-on-keyboard” requirement for most of the malware’s operations (except for keylogging), it seems likely that the malware is used in targeted attacks in Ukraine.\r\nUkraine remains a ripe target for attacks, even gaining its own dedicated Wikipedia page for attacks observed in 2017. In addition to high-profile attacks such as Petya/NotPetya and BadRabbit, which have been widely reported, there are likely many smaller campaigns like the one described in this blog, aimed at stealing data to gain an information advantage for the attackers’ sponsors.\r\nPalo Alto Networks defends our customers against the samples discussed in this blog in the following ways:\r\nWildFire identifies all samples mentioned in this article as malicious.\r\nTraps identifies all samples mentioned in this article as malicious.\r\nC2 domains used in this campaign are blocked via Threat Prevention.\r\nAutoFocus customers can track samples related to this blog via the following tags:\r\nVERMIN\r\nVERMINKeylogger\r\nVERMINCampaign\r\nAppendix A – C2 Addresses\r\nDomains:\r\nakamaicdn[.]ru\r\ncdnakamai[.]ru\r\nwww.akamaicdn[.]ru\r\nwww.akamainet066[.]info\r\nwww.akamainet023[.]info\r\nwww.akamainet021[.]info\r\nakamainet023[.]info\r\nakamainet022[.]info\r\nakamainet021[.]info\r\nwww.akamainet022[.]info\r\nakamainet066[.]info\r\nakamainet024[.]info\r\nwww.cdnakamai[.]ru\r\nnotifymail[.]ru\r\nwww.notifymail[.]ru\r\nmailukr[.]net\r\ntech-adobe.dyndns[.]biz\r\nwww.mailukr[.]net\r\nIP addresses:\r\n185.158.153[.]222\r\n94.158.47[.]228\r\n195.78.105[.]23\r\n94.158.46[.]251\r\n188.227.75[.]189\r\n212.116.121[.]46\r\n185.125.46[.]24\r\n5.200.53[.]181\r\nAppendix B – Malware Samples\r\nsha256 Family\r\n0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6 
Quasar\r\n154ef5037e5de49a6e3c48ea7221a02a5df33c34420a586cbff6a46dc5026a91 Quasar\r\n24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18 Quasar\r\n250cf8b44fc3ae86b467dd3a1c261a6c3d1645a8a21addfe7f2e2241ff8b79fc Quasar\r\n4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da Quasar\r\n92295b38daa4e44b9d257e56c5b271bbbf6a620312dc58e48e56473427170aa1 Quasar\r\n9ea00514c4ae9519a8938924b02826cfafeb75fc70f16c422aeadb8317a146c1 Quasar\r\na3c84c5f8d981653a2a391d29f32c8127fba8f0ab7da8815330a228205c99ba6 Quasar\r\n7b08b0d4d68ebf5238eaa8a40f815b83de372e345eb22cc3d50a4bb1869db78e Quasar\r\nf75861216f5716b0227733e6a093776f693361626efebe37618935b9c6e1bdfd Quasar\r\n51b0bb172c6e5eaa8e333fbf2451ae27094991b6330025374b9082ae8cd879cf Quasar\r\n46ae101a8dc8bf434d2c599aaabfb72a0843d21e2150a6c745c0c4a771c09da3 Quasar\r\n488db27f3d619b3067d95515a356997ea8e840c65daa2799bdd473dce93362f2 Quasar\r\n5a05d2171e6aeb5edd9d39c7f46cd3bf0e2ee3ee803431a58a9945a56ce935f6 Quasar\r\n6f4e20e421451c3d8490067f8424d7efbcc5edeb82f80bb5562c76d4adfb0181 Quasar\r\n9a81cffe79057d8d307910143efd1455f956f2de2c7cc8fb07a7c17000913d59 Quasar\r\nc84afdd28fa0923a09f6dd3af1e3821cdb07862b2796fa004cd3229bc6129cbe Quasar\r\n6cf63ae829984a47aca93f8a1261afe5a06930f04fab6f86f6f7f9631fde59ec Quasar\r\naa982fe7d28bbf55865047b16334efbe3fcb6bae06e5ed9cab544f1c8d307317 Quasar\r\n2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef VERMIN\r\n677edb1a0a86c8bd0df150f2d9c5c3bc1d20d255b6f7944c4adcff3c45df4851 VERMIN\r\n74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d VERMIN\r\ne1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7 VERMIN\r\neb48a31f8f81635d24f343a09247284149884bd713d3bc1c0b9c936bca8bafd7 VERMIN\r\n15c52b01d2b9294e2dd4d9711cde99e10f11cd188e0d1e4fa9db78f9805626c3 VERMIN\r\n31a1419d9121f55859ecf2d01f07da38bd37bb11d0ed9544a35d5d69472c358e 
VERMIN\r\n5586fb423aff39a02cddf5e456a83a8301afe9ed78ecbc8de2cd852bc0cd498f VERMIN\r\n5ee12dd028f5f8c2c0eb76f28c2ce273423998b36f3fc20c9e291f39825601f9 VERMIN\r\n98073a58101dda103ea03bbd4b3554491d227f52ec01c245c3782e63c0fdbc07 VERMIN\r\nc5647603337a4e9bfbb2259c0aec7fa9868c87ded2ab74e9d233bdb2a3bb163e VERMIN\r\neb46b8978619a72f4b0d3ea8961dde527f8e27e89701ccd6e5643c33b103d901 VERMIN\r\nabd05a20b8aa21d58ee01a02ae804a0546fbf6811d71559423b6b5afdfbe7e64 VERMIN\r\nAppendix C – Python script to decode VERMIN resources\r\nThe script requires Python 3 with the pycryptodome and tabulate packages (pip install pycryptodome tabulate). Pass a base64-encoded encrypted string, or a file containing one per line, to decrypt strings; pass -b with a base64-encoded resource to write the decrypted blob to blob.out.\r\n#!/usr/bin/env python3\r\n# Decrypt VERMIN strings and embedded resources.\r\n# Requires: pip install pycryptodome tabulate\r\n__author__ = 'Juan C Cortes'\r\n__version__ = '1.0'\r\n__email__ = 'jcortes@paloaltonetworks.com'\r\nimport argparse\r\nimport base64\r\nimport binascii\r\nimport hashlib\r\nimport itertools\r\nimport logging\r\nimport os\r\nimport struct\r\nfrom Crypto.Cipher import AES\r\nfrom tabulate import tabulate\r\ndef parse_arguments():\r\n    '''Argument parser'''\r\n    parser = argparse.ArgumentParser(description='Decrypt strings and resources for VerminRAT')\r\n    parser.add_argument('-v', '--verbosity', action='store_true', dest='vverbose', help='Print debugging information')\r\n    parser.add_argument('-o', '--output', dest='output_file', type=str, help='Output results file')\r\n    parser.add_argument('input', type=str, help='Input file of newline separated strings or single string')\r\n    parser.add_argument('-b', '--blob', action='store_true', help='Decrypt a blob of data instead of strings. The blob is saved to blob.out')\r\n    return parser\r\ndef write_out(output_list, headers, output_file=None):\r\n    '''Pretty-print a result table and optionally append it to a file'''\r\n    table = tabulate(output_list, headers, tablefmt='simple')\r\n    print(table)\r\n    print('')\r\n    if output_file:\r\n        with open(output_file, 'a') as handle:\r\n            handle.write(table + '\\n\\n')\r\ndef parse_encrypted(blob):\r\n    '''Split a blob into (crc32 of the key bytes, ciphertext, iv).\r\n    Layout: 16-byte IV | AES-CBC ciphertext | 4-byte little-endian CRC32 of the 6 key bytes'''\r\n    if len(blob) < 20:\r\n        raise ValueError('blob too short to contain an IV and a CRC32 trailer')\r\n    crc32_value = struct.unpack('<I', blob[-4:])[0]\r\n    return crc32_value, blob[16:-4], blob[:16]\r\ndef brute_force_crc32(target):\r\n    '''Recover the 6 key bytes whose CRC32 equals the trailer.\r\n    The malware draws each byte as randint() % 7, so every byte is in 0..6 and there are only\r\n    7**6 = 117649 candidates; they are enumerated in order here rather than sampled at random'''\r\n    for candidate in itertools.product(range(7), repeat=6):\r\n        key_bytes = bytes(candidate)\r\n        if binascii.crc32(key_bytes) == target:\r\n            return key_bytes\r\n    raise ValueError('no 6-byte key in the 0..6 range matches CRC32 0x%08x' % target)\r\ndef decrypt_blob(blob):\r\n    '''Derive the AES key (MD5 of the brute-forced key bytes) and decrypt the blob with AES-CBC'''\r\n    crc32_value, ciphertext, iv = parse_encrypted(blob)\r\n    key = hashlib.md5(brute_force_crc32(crc32_value)).digest()\r\n    logging.debug('crc32=0x%08x key=%s', crc32_value, key.hex())\r\n    return AES.new(key, AES.MODE_CBC, iv).decrypt(ciphertext)\r\ndef printable_ascii(data):\r\n    '''Keep only printable ASCII bytes (0x20-0x7e)'''\r\n    return ''.join(chr(b) for b in data if 0x20 <= b <= 0x7e)\r\ndef as_utf16(data):\r\n    '''Render the plaintext as UTF-16LE, the encoding of .NET strings, ignoring undecodable bytes'''\r\n    return data.decode('utf-16-le', errors='ignore')\r\ndef main():\r\n    '''Main method'''\r\n    args = parse_arguments().parse_args()\r\n    if args.vverbose:\r\n        logging.basicConfig(level=logging.DEBUG, format=' %(asctime)s - %(levelname)s - %(message)s')\r\n    if args.blob and not os.path.exists(args.input):\r\n        plain = decrypt_blob(base64.b64decode(args.input))\r\n        with open('blob.out', 'wb') as handle:\r\n            handle.write(plain)\r\n        return\r\n    if os.path.exists(args.input):\r\n        with open(args.input, 'rb') as handle:\r\n            strs = [line.strip() for line in handle if line.strip()]\r\n    else:\r\n        strs = [args.input.encode()]\r\n    for s in strs:\r\n        plain = decrypt_blob(base64.b64decode(s))\r\n        write_out([[printable_ascii(plain), as_utf16(plain)]], ['ASCII', 'UNICODE'], args.output_file)\r\nif __name__ == '__main__':\r\n    main()\r\nSource: https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/"
	],
	"report_names": [
		"unit42-vermin-quasar-rat-custom-malware-used-ukraine"
	],
	"threat_actors": [
		{
			"id": "31da1b1f-743b-40ef-bd17-1e07c5500392",
			"created_at": "2024-06-19T02:00:04.382822Z",
			"updated_at": "2026-04-10T02:00:03.655982Z",
			"deleted_at": null,
			"main_name": "UAC-0020",
			"aliases": [
				"SickSync",
				"Vermin"
			],
			"source_name": "MISPGALAXY:UAC-0020",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434670,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e20d4a86631d905166dcf39d903bcc1e4920b58b.pdf",
		"text": "https://archive.orkl.eu/e20d4a86631d905166dcf39d903bcc1e4920b58b.txt",
		"img": "https://archive.orkl.eu/e20d4a86631d905166dcf39d903bcc1e4920b58b.jpg"
	}
}