MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0983be8cdf4f49585e9b284c8551b149555fe3ec3d636549eb5efd2cea4bf627. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 15 File information Comments

SHA256 hash:	0983be8cdf4f49585e9b284c8551b149555fe3ec3d636549eb5efd2cea4bf627
SHA3-384 hash:	d24bcd84d54cde07fe9e431c7967569071b451655bafe3246905b15a91f20b7ffa26480a17ef0238afd31270c9bf7d1e
SHA1 hash:	0b4309f9798d08654e032bac3eba4969b93146b7
MD5 hash:	5bbf0e3c444e0a68083932202b08f46d
humanhash:	echo-mississippi-lemon-berlin
File name:	Quote SpecPDF.vbs
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	2'673'055 bytes
First seen:	2022-04-21 12:40:50 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	49152:tOZlKqyBwpUg5EoqvI3SHpXNgwbyo3uL7mcpE:p
Threatray	16'656 similar samples on MalwareBazaar
TLSH	T14AC5F17698F37C99FEBE0A922A141C578C105F2F57D24608E6D27BE819E2C05EF290F5
Reporter	abuse_ch
Tags:	QuasarRAT RAT vbs

abuse_ch

QuasarRAT C2:
3.83.129.253:4747

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
3.83.129.253:4747	https://threatfox.abuse.ch/ioc/521651/

Intelligence

File Origin

# of uploads :

# of downloads :

246

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QuasarStealer

Link:

https://www.capesandbox.com/analysis/265442/

Detection(s):

SecuriteInfo.com.Generic-EXE.UNOFFICIAL

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe obfuscated packed replace.exe update.exe

Link:

https://www.filescan.io/uploads/626150dfffe27d5119238164/reports/25db4d9a-299f-400a-afa7-2524be93f927/overview

Result

Verdict:

MALICIOUS

Details

Base64 Encoded URL

Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.

Result

Threat name:

AgentTesla Quasar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/980653

Signature

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Suspicious Add Scheduled Task From User AppData Temp

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Quasar RAT

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/0983be8cdf4f49585e9b284c8551b149555fe3ec3d636549eb5efd2cea4bf627/

Threat name:

Script-WScript.Trojan.Heuristic

Status:

Malicious

First seen:

2022-04-21 12:41:07 UTC

File Type:

Text (VBS)

AV detection:

12 of 42 (28.57%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bgb35dg7j5evqxu3fbgikunrjfkv7y7mhvrwkspll36sz2sl6ytq._file

Verdict:

malicious

Label(s):

agenttesla

QuasarRAT

44ab3d116f6c6318067f89ccb838b5198b6544469ec27557ca1de3655a6ceb96

QuasarRAT

56d092c2d8c927f25843226203655bf07c46845fb927d7d2640120862989bfdf

QuasarRAT

75dc265d032be64eba35add54a98a93fc11568d4fa95f3c9a4e9700f094b4d52

QuasarRAT

82c6bcebf68686e31c276add1615229d2d8635cb15bae9c131293fc5b57617ea

QuasarRAT

ab5ea57fdd5bfa91a11db4d85f99a84e342ead177da5744dff012398d153f4ba

QuasarRAT

bf94ae3815c7d2790667030ff2322157d3b8589b55286f74c875c46f4339fa55

QuasarRAT

f251387bb1ec7acdd3634ab829ee4389a4b973cf699863f2769e7521d4e58a45

QuasarRAT

+ 16'646 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:agenttesla family:quasar botnet:office collection keylogger persistence spyware stealer suricata trojan

Link:

https://tria.ge/reports/220421-pwrh1safhl/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla Payload

AgentTesla

Quasar Payload

Quasar RAT

suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Malware Config

C2 Extraction:

https://api.telegram.org/bot5127674234:AAHGscjRk7JCDDCItFO4GPZfan-K7Hc89Z8/sendDocument
3.83.129.253:4747

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0983be8cdf4f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0983be8cdf4f49585e9b284c8551b149555fe3ec3d636549eb5efd2cea4bf627

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	AgentTesla_test Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_QuasarStealer Create hunting rule
Author:	ditekshen
Description:	Detects Quasar infostealer

Rule name:	MAL_Lokibot_Stealer Create hunting rule
Description:	Detects Lokibot Stealer Variants

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	MAL_QuasarRAT_May19_1_RID2E1E Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Vermin_Keylogger_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Vermin Keylogger
Reference:	https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/265442/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample