MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbf62b7d87429bb832abb5c8f37635c05be6724eaab9afd13a7780595919f3a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbf62b7d87429bb832abb5c8f37635c05be6724eaab9afd13a7780595919f3a2
SHA3-384 hash: f9b01ec203871844b904ddd220a1bccbb029ceb5184f8c3839ccc5d105a5e0d6ca8777e73755da5876121876a7d27edf
SHA1 hash: dcba20338c5dbde13a8189f0d154e3d650cca99c
MD5 hash: bf7fe4334d0b4363d70bd997460588a3
humanhash: yellow-mountain-vermont-maryland
File name:Timsistem_Product_Specifications - 2020.07.16.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:758'272 bytes
First seen:2020-07-16 06:15:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f24c32fbb9fcdef16773efcde23b409 (3 x AgentTesla, 2 x NanoCore, 1 x QuasarRAT)
ssdeep 12288:E1bl3SKiQ9X5M1EL6GgmV5hT82Hnb6tY1CoO4SOSWGbz3hLkbLvhu:OVoQ9EWe23Q0b6tYbO4e3t
Threatray 1'761 similar samples on MalwareBazaar
TLSH 8DF4BF6EF2AC4473D163167C9C3B9778A836BE1039285D872BE55C4C6F39381396B287
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
Malspam distributing QuasarRAT:

HELO: hwsrv-751170.hostwindsdns.com
Sending IP: 142.11.236.230
From: Dusan Tim <info@beghelliasia.com>
Reply-To: dusan.ilic@timsistem-rs.com
Subject: Product Inquiry
Attachment: Timsistem_Product_Specifications - 2020.07.16.zip (contains "Timsistem_Product_Specifications - 2020.07.16.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26318/
Detection(s):
Win.Malware.Daqc-6598201-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Deleting a recently created file
Replacing files
Searching for the window
Possible injection to a system process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Enabling autorun with Startup directory
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bbf62b7d87429bb832abb5c8f37635c05be6724eaab9afd13a7780595919f3a2/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 03:17:08 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xp3cw7mhikn3qmvlwxepg5rvybn6m4sovk427uj2o6afswiz6ora._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
26cb425375a7613736c367866d0b79b8b7d8845437ec88e87bc83146445f892e
QuasarRAT
2df82d12b3e4627ffb2f7c0e6c8371f23c4beabb935f93b2c88389953fc07027
QuasarRAT
40ac8e128b78d30d49accda865a6ca90a23cf7b7e5f31042c7df55a9fe1b5af4
QuasarRAT
707bb653348d222860771a6117aa869ab2a032f6cdfe0d29a251374462e59058
QuasarRAT
7276f014cbee4a7ffd297a0e90472bfa17b024932cb6371a06c0845e143b88e1
QuasarRAT
b29a1b48648aacf2fe60861692bd0991cf226956ea986b687972667496e1d7d7
QuasarRAT
b3d36e86a478b5223968e34ca51bff54002eb9b1a01ef26d8b657d49dd4dd831
QuasarRAT
cf09bc45a7101670e26f9468d7425a42880ee539626b1653216c4ceb4a89b7fb
QuasarRAT
d6031bb15fd16cac9b514985035e18f08f0beaaa0542a66274467cb66e76a8fd
QuasarRAT
e2d6b8bc603260f1a7564a044523d230c31c8d873deabb579cae90b88f1b92b9
QuasarRAT
+ 1'751 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
upx trojan spyware family:quasar
Link:
https://tria.ge/reports/200716-5rmank748n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
NTFS ADS
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops file in System32 directory
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Executes dropped EXE
UPX packed file
Quasar RAT
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

zip a700c208e84d5427566a321f204bce16f8b7d5a3655bd76b6637920f46289172

QuasarRAT

Executable exe bbf62b7d87429bb832abb5c8f37635c05be6724eaab9afd13a7780595919f3a2

(this sample)

  
Dropped by
MD5 501dfc869027ce8fd3329fbd9a79612d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26318/
  
Dropped by
SHA256 a700c208e84d5427566a321f204bce16f8b7d5a3655bd76b6637920f46289172

Comments