MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31f0e68a0fb8a6e1714ade7379d486d56aa1421d2f22ff3d632c1fe24f59457a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

N-W0rm

Vendor detections: 16



SHA256 hash: 31f0e68a0fb8a6e1714ade7379d486d56aa1421d2f22ff3d632c1fe24f59457a
SHA3-384 hash: 3ea52d4ca91df6eb129f8b492a325c1bf419ea341376598aff7bdc8c2b7da3b65467412c5593035f96d96d237d42c931
SHA1 hash: 95ea06961562ddfa77f645be03f95d08d1cdb2e0
MD5 hash: 311c6835775d900f12ece1d138aee2a6
humanhash: high-item-hawaii-nine
File name: 311c6835775d900f12ece1d138aee2a6.exe
Signature: N-W0rm
File size: 304'128 bytes
First seen: 2024-05-03 01:00:15 UTC
Last seen: 2024-05-03 01:31:17 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 6144:9eQCIpHePBK7UOYz1mhJCtWY9XcNfPHDpu74NpgtcZRg/+wPO:0ae5mYzcLC0YuF8kHX/g/
Threatray 80 similar samples on MalwareBazaar
TLSH T158542340AE610A64CEAC9BF49AD7C9A1036D9C3F4A235A1B44D8A083FFD772515C7BB4
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags: exe N-W0rm


abuse_ch
N-W0rm C2:
147.185.221.19:33587

Intelligence


File Origin
# of uploads :
2
# of downloads :
350
Origin country :
NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
31f0e68a0fb8a6e1714ade7379d486d56aa1421d2f22ff3d632c1fe24f59457a.exe
Verdict:
Malicious activity
Analysis date:
2024-05-03 01:02:03 UTC
Tags:
evasion rat quasar remote

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Launching a process
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Setting a keyboard event handler
Creating a window
Creating a file in the Windows subdirectories
Possible injection to a system process
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Using obfuscated Powershell scripts
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed quasarrat update
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected PersistenceViaHiddenTask
Yara detected Quasar RAT
Behaviour
Behavior Graph:
[Behavior graph rendered as an image on the original page] Behavior Graph ID: 1435740; Sample: 8PiY5IvjhI.exe; Startdate: 03/05/2024; Architecture: WINDOWS; Score: 100
Threat name:
ByteCode-MSIL.Backdoor.QuasarRAT
Status:
Malicious
First seen:
2024-04-26 01:42:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:quasar botnet:rslavereel persistence spyware trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Sets service image path in registry
Suspicious use of NtCreateUserProcessOtherParentProcess
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
147.185.221.19:33587
Unpacked files
SHA256 hash:
bb450aec5b543dd30c3ce33c731340a3c601afa75ca2670dfc0bf547be064dd0
MD5 hash:
b551c695865c6d7f51346d324f7d4604
SHA1 hash:
dc8cc6bf41bf725fb8747c21d264dd7d9ec5ad72
Detections:
QuasarRAT malware_windows_xrat_quasarrat CN_disclosed_20180208_KeyLogger_1 cn_utf8_windows_terminal INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Quasar_RAT_2 Quasar Vermin_Keylogger_Jan18_1 MAL_QuasarRAT_May19_1 MALWARE_Win_QuasarRAT Quasar_RAT_1 xRAT_1 win_quasarrat_j1
SHA256 hash:
7d520ade71bbd117074f1c071c68021edbf8c0ff79729cdca6a556eac338bafd
MD5 hash:
224ce6bc7b94e1843e1f1623d856e93b
SHA1 hash:
5a28a76369bc15982f0ba95c79e74c496db0df14
SHA256 hash:
cf96c8a9f59c0b524e48af04e4973bb1bb1660cf1723cc3c60691b0867a14359
MD5 hash:
0a70f4f96e1d6c3e3c01ead54c6b0795
SHA1 hash:
ca704158c256c7f5fe62c85cd01454fefa10bdfc
SHA256 hash:
31f0e68a0fb8a6e1714ade7379d486d56aa1421d2f22ff3d632c1fe24f59457a
MD5 hash:
311c6835775d900f12ece1d138aee2a6
SHA1 hash:
95ea06961562ddfa77f645be03f95d08d1cdb2e0
Malware family:
QuasarRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high

Comments