MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 707bb653348d222860771a6117aa869ab2a032f6cdfe0d29a251374462e59058. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 9

SHA256 hash: 707bb653348d222860771a6117aa869ab2a032f6cdfe0d29a251374462e59058
SHA3-384 hash: 53c4796cfe2e3b4d4d84277ba0e580a577af2af1114fc0d2f3522aea3dea55bee4d17aeda961f441608ed5a18416d23e
SHA1 hash: 9d4ac7c3db2d51fe71aa2249e228f5f5a4d54d4a
MD5 hash: fb6d84ef009530fe590ff062bb674c6f
humanhash: high-sodium-september-south
File name: New_Bank_Information.exe
Signature: QuasarRAT
File size: 786'944 bytes
First seen: 2020-07-28 15:45:02 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 20e6d5abed83baa72fa27d4f775f9f3c (7 x AgentTesla, 5 x MassLogger, 1 x QuasarRAT)
ssdeep: 12288:6H8TTCvLmK25X5CK7jQMuG6sh8ktgNYoVNXsDcTHFmXn0kgjIS3qo2i:scojK7LuBl6gNYoVVtHgX0FKoz
Threatray: 1'708 similar samples on MalwareBazaar
TLSH: E8F4BF62F2E04933D1672A7C9F1B5768AC39BE103B2959466FF41C4C4F39383356A2A7
Reporter: abuse_ch
Tags: exe Hostwinds QuasarRAT RAT


abuse_ch
Malspam distributing QuasarRAT:

HELO: hwsrv-751170.hostwindsdns.com
Sending IP: 142.11.236.230
From: Accounts Stally <accounts@timsistem-rs.com>
Reply-To: accounts@timsistem-rs.com
Subject: FW: Re: Please Confirm Change Of Bank Details
Attachment: New_Bank_Information.zip (contains "New_Bank_Information.exe")

Intelligence

File Origin
Uploads: 1
Downloads: 106
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Deleting a recently created file
Setting a keyboard event handler
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun with Startup directory
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Drops VBS files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Quasar RAT
Behaviour
Behavior Graph: ID 252663, Sample: New_Bank_Information.exe, Startdate: 29/07/2020, Architecture: WINDOWS, Score: 100. The rendered graph is not reproduced here; its nodes show the sample spawning copies of itself, notepad.exe, wscript.exe and schtasks.exe, dropping C:\Windows\SysWOW64\SubDir\svchost.exe and a "Java Update.vbs" startup script, and contacting ip-api.com (208.95.112.1, port 80) and 79.134.225.69 (port 4782).
Threat name: Win32.Trojan.DataStealer
Status: Malicious
First seen: 2020-07-28 15:46:13 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: upx spyware trojan family:quasar
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Drops file in System32 directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
UPX packed file
Executes dropped EXE
Quasar RAT
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
QuasarRAT
Executable exe 707bb653348d222860771a6117aa869ab2a032f6cdfe0d29a251374462e59058 (this sample)
Delivery method: Distributed via e-mail attachment

Comments