MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf09bc45a7101670e26f9468d7425a42880ee539626b1653216c4ceb4a89b7fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf09bc45a7101670e26f9468d7425a42880ee539626b1653216c4ceb4a89b7fb
SHA3-384 hash: c93d194f5db4fe4c3f532d31485da7b5baf8d884fc3334dc77a06e106f1adb5d57b5b373aaceb1020f4d170bc853f2da
SHA1 hash: c7659c9e1b683d7044267b6960a30ca6473ca945
MD5 hash: 6998368a7e9f5e063f5b5a0090112545
humanhash: video-yankee-black-ink
File name:Timsistem_Product_Specifications - 2020.07.17.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:777'728 bytes
First seen:2020-07-17 15:37:13 UTC
Last seen:2020-07-17 17:23:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 27d51e235cad906c9b906ace63cad627 (3 x MassLogger, 1 x QuasarRAT, 1 x AgentTesla)
ssdeep 12288:o+eY4CTOV6w0mZP3fSyTF+4ISgm3Jz7VQrCCD5fwWRbvDtcBUaw47kUKuXLrK0:nN4P4w06fZF+OgkOf37aBUN5uXb
Threatray 1'755 similar samples on MalwareBazaar
TLSH 3EF4BF32E7F14833C1631A795C1B5268A837FE103A3869876BE55C0C5F3968D39DA29F
Reporter abuse_ch
Tags:exe QuasarRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hwsrv-751170.hostwindsdns.com
Sending IP: 142.11.236.230
From: Dusan Tim <info@beghelliasia.com>
Reply-To: dusan.ilic@timsistem-rs.com
Subject: Product Inquiry
Attachment: Timsistem_Product_Specifications - 2020.07.17.zip (contains "Timsistem_Product_Specifications - 2020.07.17.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27437/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/389108
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Drops VBS files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 246748 Sample: Timsistem_Product_Specifica... Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 98 cdn.onenote.net 2->98 100 canonicalizer.ucsuri.tcs 2->100 102 2 other IPs or domains 2->102 114 Malicious sample detected (through community Yara rule) 2->114 116 Multi AV Scanner detection for submitted file 2->116 118 Yara detected Quasar RAT 2->118 120 8 other signatures 2->120 15 Timsistem_Product_Specifications - 2020.07.17.exe 2->15         started        18 wscript.exe 1 2->18         started        20 taskmgr.exe 2->20         started        22 2 other processes 2->22 signatures3 process4 signatures5 160 Writes to foreign memory regions 15->160 162 Allocates memory in foreign processes 15->162 164 Queues an APC in another process (thread injection) 15->164 24 notepad.exe 5 15->24         started        28 taskmgr.exe 18->28         started        166 Maps a DLL or memory area into another process 20->166 168 Sample uses process hollowing technique 20->168 30 taskmgr.exe 22->30         started        32 taskmgr.exe 22->32         started        34 taskmgr.exe 22->34         started        process6 file7 92 C:\Users\user\AppData\Roaming\...\taskmgr.exe, PE32 24->92 dropped 94 C:\Users\user\...\taskmgr.exe:Zone.Identifier, ASCII 24->94 dropped 148 Creates files in alternative data streams (ADS) 24->148 150 Drops VBS files to the startup folder 24->150 36 taskmgr.exe 24->36         started        152 Maps a DLL or memory area into another process 28->152 39 taskmgr.exe 28->39         started        42 taskmgr.exe 28->42         started        signatures8 process9 dnsIp10 122 Multi AV Scanner detection for dropped file 36->122 124 Detected unpacking (changes PE section rights) 36->124 126 Detected unpacking (creates a PE file in dynamic memory) 36->126 130 5 other signatures 36->130 44 taskmgr.exe 16 6 36->44         started        48 taskmgr.exe 36->48         started        50 MusNotifyIcon.exe 36->50         started        104 ip-api.com 39->104 128 Hides that the sample has been downloaded from the Internet (zone.identifier) 39->128 signatures11 process12 dnsIp13 108 ip-api.com 208.95.112.1, 49676, 49677, 49678 TUT-ASUS United States 44->108 158 Hides that the sample has been downloaded from the Internet (zone.identifier) 44->158 52 svchost.exe 44->52         started        55 schtasks.exe 1 44->55         started        57 taskmgr.exe 48->57         started        signatures14 process15 signatures16 132 Multi AV Scanner detection for dropped file 52->132 134 Machine Learning detection for dropped file 52->134 136 Writes to foreign memory regions 52->136 140 2 other signatures 52->140 59 notepad.exe 2 52->59         started        61 conhost.exe 55->61         started        138 Maps a DLL or memory area into another process 57->138 63 taskmgr.exe 57->63         started        67 taskmgr.exe 57->67         started        process17 dnsIp18 69 taskmgr.exe 59->69         started        110 ip-api.com 63->110 112 Hides that the sample has been downloaded from the Internet (zone.identifier) 63->112 72 cmd.exe 63->72         started        signatures19 process20 signatures21 142 Maps a DLL or memory area into another process 69->142 74 taskmgr.exe 4 69->74         started        79 taskmgr.exe 69->79         started        81 conhost.exe 72->81         started        83 chcp.com 72->83         started        process22 dnsIp23 106 ip-api.com 74->106 96 C:\Windows\SysWOW64\SubDir\svchost.exe, PE32 74->96 dropped 154 Drops executables to the windows directory (C:\Windows) and starts them 74->154 156 Hides that the sample has been downloaded from the Internet (zone.identifier) 74->156 85 svchost.exe 74->85         started        88 schtasks.exe 74->88         started        file24 signatures25 process26 signatures27 144 Writes to foreign memory regions 85->144 146 Allocates memory in foreign processes 85->146 90 conhost.exe 88->90         started        process28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf09bc45a7101670e26f9468d7425a42880ee539626b1653216c4ceb4a89b7fb/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-17 15:39:06 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z4e3yrnhcalhbytpsrunoqs2ikea5zjzmjvrmuzbnrgowsujw75q._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
26cb425375a7613736c367866d0b79b8b7d8845437ec88e87bc83146445f892e
QuasarRAT
2df82d12b3e4627ffb2f7c0e6c8371f23c4beabb935f93b2c88389953fc07027
QuasarRAT
40ac8e128b78d30d49accda865a6ca90a23cf7b7e5f31042c7df55a9fe1b5af4
QuasarRAT
707bb653348d222860771a6117aa869ab2a032f6cdfe0d29a251374462e59058
QuasarRAT
7276f014cbee4a7ffd297a0e90472bfa17b024932cb6371a06c0845e143b88e1
QuasarRAT
b29a1b48648aacf2fe60861692bd0991cf226956ea986b687972667496e1d7d7
QuasarRAT
b3d36e86a478b5223968e34ca51bff54002eb9b1a01ef26d8b657d49dd4dd831
QuasarRAT
bbf62b7d87429bb832abb5c8f37635c05be6724eaab9afd13a7780595919f3a2
QuasarRAT
d6031bb15fd16cac9b514985035e18f08f0beaaa0542a66274467cb66e76a8fd
QuasarRAT
e2d6b8bc603260f1a7564a044523d230c31c8d873deabb579cae90b88f1b92b9
QuasarRAT
+ 1'745 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
upx trojan spyware family:quasar
Link:
https://tria.ge/reports/200717-habvcmhrpx/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Drops file in System32 directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
UPX packed file
Quasar RAT
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf09bc45a7101670e26f9468d7425a42880ee539626b1653216c4ceb4a89b7fb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

zip 60af4d13b9f45c65f7d5c1855564e84b414d3395b54e1ab9c7699251fd6ad36e

QuasarRAT

Executable exe cf09bc45a7101670e26f9468d7425a42880ee539626b1653216c4ceb4a89b7fb

(this sample)

  
Dropped by
MD5 45a379f3636c40b781804d68fe56a14d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/27437/
  
Dropped by
SHA256 60af4d13b9f45c65f7d5c1855564e84b414d3395b54e1ab9c7699251fd6ad36e

Comments