MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efacb905cbe59645ce57ea6ac46d32add5f48278aefd411bf4f53116ca0fb0e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 13



SHA256 hash: efacb905cbe59645ce57ea6ac46d32add5f48278aefd411bf4f53116ca0fb0e0
SHA3-384 hash: 0ffa8bea1da4a7d1c8e62912f5f33849f96f44a9be3c6313863e96737713ece349a952a1cbba39a16fc1bcef930f067b
SHA1 hash: a1aea30e16b3bbf15baf1fbb78499adcc5e11d97
MD5 hash: b0b78da613422be0de8de2e2a2d0ce68
humanhash: alanine-dakota-spring-princess
File name:efacb905cbe59645ce57ea6ac46d32add5f48278aefd411bf4f53116ca0fb0e0
Download: download sample
Signature QuasarRAT
File size:2'111'264 bytes
First seen:2021-09-28 09:07:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (368 x AgentTesla, 309 x RemcosRAT, 262 x NanoCore)
ssdeep 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYQ:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yu
TLSH T12CA5BE41A3DC82A1CE6A4372BA36DB219B777C692634F70E1ED83D7A3E723521518353
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (20 x AgentTesla, 14 x Loki, 10 x QuasarRAT)
Reporter @JAMESWT_MHT
Tags:exe QuasarRAT

Intelligence


File Origin
# of uploads :
1
# of downloads :
47
Origin country :
IT
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process with a hidden window
Connection attempt
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Launching a service
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Setting a keyboard event handler
Running batch commands
Delayed writing of the file
Connection attempt to an infection source
Query of malicious DNS domain
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name:
AZORult Quasar Ramnit
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Contains functionality to inject code into remote processes
Contains VNC / remote desktop functionality (version string found)
Detected AZORult Info Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Quasar RAT
Yara detected Ramnit VNC Module
Behaviour
Behavior Graph:
Behavior Graph ID: 492794
Sample: CVbJSUXraQ
Startdate: 29/09/2021
Architecture: WINDOWS
Score: 100

Root (sample):
  DNS/IP: ip-api.com
  Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 17 other signatures
  Started: CVbJSUXraQ.exe; SystemPropertiesPerformance.exe

CVbJSUXraQ.exe:
  Dropped: C:\Users\...\SystemPropertiesPerformance.exe (PE32)
  Signatures: Detected AZORult Info Stealer; Binary is likely a compiled AutoIt script file; Contains functionality to inject code into remote processes; Uses schtasks.exe or at.exe to add and modify task schedules
  Started: vnc.exe; windef.exe; CVbJSUXraQ.exe; schtasks.exe

SystemPropertiesPerformance.exe:
  Dropped: C:\Users\user\AppData\Local\Temp\windef.exe (PE32); C:\Users\user\AppData\Local\Temp\vnc.exe (PE32)
  Signatures: Antivirus detection for dropped file; Injects a PE file into a foreign processes

vnc.exe:
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 4 other signatures
  Started: svchost.exe

windef.exe:
  DNS/IP: ip-api.com 208.95.112.1, ports 49744, 49746, 80 (TUT-ASUS, United States)
  Dropped: C:\Users\user\AppData\Roaming\...\winsock.exe (PE32)
  Signatures: May check the online IP address of the machine; Hides that the sample has been downloaded from the Internet (zone.identifier)

CVbJSUXraQ.exe (second instance):
  DNS/IP: 0x21.in 50.17.5.224, ports 49743, 8000 (AMAZON-AESUS, United States)

schtasks.exe:
  Started: conhost.exe

svchost.exe (started by vnc.exe):
  DNS/IP: 5.8.88.191, ports 443, 49747, 8080 (KOMETA-ASRU, Russian Federation)
Threat name:
Win32.Trojan.Pwsx
Status:
Malicious
First seen:
2021-09-24 12:32:26 UTC
AV detection:
39 of 45 (86.67%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:azorult family:quasar botnet:ebayprofiles infostealer spyware trojan
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
autoit_exe
Enumerates connected drives
Looks up external IP address via web service
Maps connected drives based on registry
Loads dropped DLL
Executes dropped EXE
Azorult
Quasar Payload
Quasar RAT
Malware Config
C2 Extraction:
5.8.88.191:443
sockartek.icu:443
http://0x21.in:8000/_az/
Unpacked files
SHA256 hash:
0fe774d249d7c3093dd6b8de1c9c045f6efd4553710d877828e871e1be0e54f4
MD5 hash:
8246d054df8814106a8c11ae6df1e946
SHA1 hash:
8e9e84bd726fd9042fb99139b8c7dd00fccdc0a2
Detections:
win_azorult_g1 win_azorult_auto
Parent samples :
SHA256 hash:
4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
MD5 hash:
b8ba87ee4c3fc085a2fed0d839aadce1
SHA1 hash:
b3a2e3256406330e8b1779199bb2b9865122d766
SHA256 hash:
d450f677fa392721f94fddf9f54d67bacd4bb93716ad2be85acd1cfc057379f7
MD5 hash:
c15241ac2ec164aaa68f810a84a1471c
SHA1 hash:
8239a3c454419fb057cbfd879c1e9d4ba0e9515a
SHA256 hash:
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
MD5 hash:
b4a202e03d4135484d0e730173abcc72
SHA1 hash:
01b30014545ea526c15a60931d676f9392ea0c70
SHA256 hash:
efacb905cbe59645ce57ea6ac46d32add5f48278aefd411bf4f53116ca0fb0e0
MD5 hash:
b0b78da613422be0de8de2e2a2d0ce68
SHA1 hash:
a1aea30e16b3bbf15baf1fbb78499adcc5e11d97
Malware family:
QuasarRAT
Verdict:
Malicious

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name:AutoIT_Compiled
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:Azorult
Author:kevoreilly
Description:Azorult Payload
Rule name:crime_win32_hvnc_banker_gen
Author:@VK_Intel
Description:Detects malware banker hidden VNC
Reference:https://twitter.com/VK_Intel/status/1247058432223477760
Rule name:crime_win32_hvnc_zloader1_hvnc_generic
Author:@VK_Intel
Description:Detects Zloader hidden VNC
Reference:https://twitter.com/malwrhunterteam/status/1240664014121828352
Rule name:dridex_halo_generated
Author:Halogen Generated Rule, Corsin Camichel
Rule name:HiddenVNC
Author:@bartblaze
Description:Identifies HiddenVNC, which can start remote sessions.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:MALWARE_Win_QuasarRAT
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:Quasar
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_1_RID2B54
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2_RID2B55
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:win_azorult_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.azorult.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments