MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 10



SHA256 hash: 0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095
SHA3-384 hash: e8657616d454afe8ccef7ee8733bdfcdf70cdabe3a697c137ab3660ab7792b261721ea575e59033d3e075b6c8aa7ba16
SHA1 hash: 317f8bf5133176cd0f4125c6f2f0fdfc226754ab
MD5 hash: 1b465c6989637df1d5c511919c43e457
humanhash: michigan-violet-kentucky-oven
File name: 1b465c6989637df1d5c511919c43e457.exe
Signature QuasarRAT
File size: 882'176 bytes
First seen: 2021-10-18 11:32:39 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:nc6zD+4oOZ34MRxbnCiZXsqK+eHTesb/hyDVeb:5D+NOZoax7CSX/g
TLSH T1ED15D09C765071DFC817CAB2ADA46D60EB60B4B7470B8213A09725ED9E0DA9BCF144F3
dhash icon f4cccc9cd6dce4f4 (8 x AveMariaRAT, 3 x OskiStealer, 3 x AgentTesla)
Reporter abuse_ch
Tags:exe QuasarRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 165
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Contains functionality to hide user accounts
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Quasar RAT
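The Defender-exclusion, Defender-disable and schtasks signatures above describe host behaviour that is visible in ordinary Windows telemetry. The following is an added example of detection logic for those three behaviours, run over constructed records; it is not MalwareBazaar's or any vendor's code, and the event records are made up to resemble PowerShell script block logging (event ID 4104) and process creation auditing (event ID 4688), not logs captured from this sample. The paths in the constructed records echo the dropped-file locations in the sandbox report but are assumptions, as is the task name "winrara".

```python
"""Detection logic for the Defender-tampering and scheduled-task behaviours
listed above, run over constructed Windows telemetry.  Added example; not
MalwareBazaar's or any vendor's code, and the event records below are made
up to resemble PowerShell script block logging (event 4104) and process
creation auditing (event 4688), not logs captured from this sample."""
import re

# Sigma's "Powershell Defender Exclusion" logic: Add-MpPreference with any
# of the exclusion switches.  The exclusion itself is the signal; which
# path is excluded does not matter.
DEFENDER_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b",
    re.IGNORECASE | re.DOTALL,
)
# Set-MpPreference switching a protection feature off ($true and 1 are
# both accepted by the cmdlet; $false must not fire).
DEFENDER_DISABLE_RE = re.compile(
    r"Set-MpPreference\b.*?-Disable(?:RealtimeMonitoring|IOAVProtection|"
    r"BehaviorMonitoring|ScriptScanning|IntrusionPreventionSystem)\b\s+(?:\$true|1)\b",
    re.IGNORECASE | re.DOTALL,
)
# schtasks /create launched by a parent living under a user profile: the
# pattern of a dropped executable registering its own persistence.
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def detect(events):
    """Return (event index, rule name) for every record that matches."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 4104:
            text = ev.get("ScriptBlockText", "")
            if DEFENDER_EXCLUSION_RE.search(text):
                findings.append((i, "powershell_defender_exclusion"))
            if DEFENDER_DISABLE_RE.search(text):
                findings.append((i, "powershell_defender_disable"))
        elif ev.get("EventID") == 4688:
            cmd = ev.get("CommandLine", "")
            parent = ev.get("ParentProcessName", "")
            if SCHTASKS_CREATE_RE.search(cmd) and USER_PROFILE_RE.search(parent):
                findings.append((i, "schtasks_persistence_from_user_profile"))
    return findings


# Constructed records (hypothetical; paths chosen to echo the dropped-file
# locations in the sandbox report above, not copied from real logs).
SAMPLE_EVENTS = [
    {"EventID": 4104,
     "ScriptBlockText": r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'"},
    {"EventID": 4104,
     "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /f /tn "winrara" /xml "C:\Users\user\AppData\Local\Temp\tmp9B23.tmp"',
     "ParentProcessName": r"C:\Users\user\AppData\Roaming\winrara.exe"},
    # Benign look-alikes that must not fire.
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks.exe /query /fo LIST",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4104, "ScriptBlockText": "Get-MpPreference | Select-Object ExclusionPath"},
    {"EventID": 4104, "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $false"},
]


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The schtasks rule is deliberately conditioned on the parent process path rather than on the task name: the name ("winrara" here) is whatever the operator chose and changes between builds, while a task being registered by a binary under AppData is what stays constant across this kind of sample. Script block logging must be enabled for 4104 records to exist at all; without it the Add-MpPreference call is only visible through process command lines, which a script run from a file does not expose.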
Behaviour
Behavior Graph:
Behavior Graph ID: 504671, sample nWnbB3SlWK.exe, start date 18/10/2021, architecture WINDOWS, score 100

Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 9 other signatures

Process tree (process numbers as in the graph):

9 nWnbB3SlWK.exe (started)
    Dropped files:
        C:\Users\user\AppData\...\kCCzCqEnSxl.exe (PE32)
        C:\Users\...\kCCzCqEnSxl.exe:Zone.Identifier (ASCII)
        C:\Users\user\AppData\Local\...\tmp9B23.tmp (XML)
        C:\Users\user\AppData\...\nWnbB3SlWK.exe.log (ASCII)
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); May check the online IP address of the machine; 3 other signatures
    Children: 13 nWnbB3SlWK.exe, 18 powershell.exe, 20 schtasks.exe

13 nWnbB3SlWK.exe
    Network: ip-api.com 208.95.112.1 (ports 49751, 49754, 80) TUT-ASUS United States; 91.134.207.16 (port 80) OVHFR France; 2 other IPs or domains
    Dropped files: C:\Users\user\AppData\Roaming\...\winrara.exe (PE32)
    Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier); Disables Windows Defender (via service or powershell)
    Children: 22 winrara.exe, 25 powershell.exe, 27 powershell.exe, 33 (5 other processes)

18 powershell.exe -> 29 conhost.exe
20 schtasks.exe -> 31 conhost.exe

22 winrara.exe
    Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 5 other signatures
    Children: 35 winrara.exe, 39 powershell.exe, 41 schtasks.exe

25 powershell.exe -> 43 conhost.exe
27 powershell.exe -> 45 conhost.exe
33 (5 other processes) -> 47, 49, 51, 53 conhost.exe

35 winrara.exe
    Network: grace.adds-only.xyz 79.134.225.110 (ports 1609, 49755) FINK-TELECOM-SERVICESCH Switzerland; 192.168.2.1 (unknown); ip-api.com
    Signatures: Protects its processes via BreakOnTermination flag; Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook

39 powershell.exe -> 55 conhost.exe
41 schtasks.exe -> 57 conhost.exe
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2021-10-18 10:54:08 UTC
AV detection:
15 of 27 (55.56%)
Threat level:
  5/5
Result
Malware family:
venomrat
Score:
  10/10
Tags:
family:quasar family:venomrat botnet:office04 evasion rat rootkit spyware stealer trojan
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Windows security modification
Executes dropped EXE
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Quasar Payload
Quasar RAT
VenomRAT
Malware Config
C2 Extraction:
grace.adds-only.xyz:1609
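The extracted C2 endpoint is the one indicator on this page that survives repacking, so it is what a network sweep should key on. The following is an added example of such a sweep, not MalwareBazaar's or any vendor's code: it takes the C2 domain and port from the config extraction above, the resolved address 79.134.225.110 and the ip-api.com resolution 208.95.112.1 as shown in the sandbox graph, and runs them over constructed Sysmon-style records (event ID 22 for DNS queries, event ID 3 for network connections). The process IDs, the record layout and the idea of treating ip-api.com as a corroborating rather than standalone indicator are assumptions of the example.

```python
"""Network IOC sweep built from the extracted C2 (grace.adds-only.xyz:1609)
and the resolved address the sandbox graph shows for it (79.134.225.110).
Added example, not MalwareBazaar's or any vendor's code; the Sysmon-style
records below (event 22 = DNS query, event 3 = network connection) are
constructed, not captured from this sample."""

# Strong indicators: the extracted C2 endpoint.  Matching the IP alone goes
# stale once the operator moves; matching the domain alone misses builds
# that carry a hard-coded IP, so both are kept.
C2_DOMAINS = {"grace.adds-only.xyz"}
C2_ENDPOINTS = {("79.134.225.110", 1609)}

# Weak indicator: ip-api.com is a legitimate geolocation service that this
# family (and many others) queries to learn the victim's public IP.  On its
# own it is not evidence of compromise, so it only counts when the same
# process also hits a strong indicator.
WEAK_DOMAINS = {"ip-api.com"}


def sweep(events):
    """Return strong hits plus the process IDs whose ip-api.com lookup is
    corroborated by a C2 hit from the same process."""
    strong = []
    weak_pids = set()
    strong_pids = set()
    for i, ev in enumerate(events):
        pid = ev["ProcessId"]
        if ev["EventID"] == 22:
            name = ev["QueryName"].lower().rstrip(".")
            if name in C2_DOMAINS:
                strong.append((i, "c2_dns_query", pid))
                strong_pids.add(pid)
            elif name in WEAK_DOMAINS:
                weak_pids.add(pid)
        elif ev["EventID"] == 3:
            endpoint = (ev["DestinationIp"], ev["DestinationPort"])
            host = ev.get("DestinationHostname", "").lower().rstrip(".")
            if endpoint in C2_ENDPOINTS or host in C2_DOMAINS:
                strong.append((i, "c2_connection", pid))
                strong_pids.add(pid)
    return {"strong": strong,
            "correlated_pids": sorted(strong_pids & weak_pids)}


# Constructed telemetry: pid 1234 behaves like the implant (external-IP
# lookup, then the C2); pid 4321 only performs the ip-api.com lookup, as a
# user-run tool might, and must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 22, "ProcessId": 1234, "QueryName": "ip-api.com"},
    {"EventID": 3, "ProcessId": 1234, "DestinationIp": "208.95.112.1", "DestinationPort": 80},
    {"EventID": 22, "ProcessId": 1234, "QueryName": "grace.adds-only.xyz"},
    {"EventID": 3, "ProcessId": 1234, "DestinationIp": "79.134.225.110", "DestinationPort": 1609},
    {"EventID": 22, "ProcessId": 4321, "QueryName": "ip-api.com"},
    {"EventID": 3, "ProcessId": 4321, "DestinationIp": "208.95.112.1", "DestinationPort": 80},
]

if __name__ == "__main__":
    result = sweep(SAMPLE_EVENTS)
    for idx, kind, pid in result["strong"]:
        print(f"event {idx}: {kind} from pid {pid}")
    print("pids with corroborated ip-api.com lookup:", result["correlated_pids"])
```

Port 1609 is matched only together with its IP: a bare port is a noisy indicator, and the extracted config ties the port to a specific host. Note also that the sandbox only saw this one resolution; if the domain is pinned in a hunt, re-resolve it at hunt time rather than trusting the address recorded in October 2021.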
Unpacked files
SHA256 hash: 74f157d228b19efbe878feb76a5be3caeb1cdd11c59ee3ec9622dbd994081310
MD5 hash: 025e2ffb735be017523af9c9a2fbbe87
SHA1 hash: e5fa2a222098a73ac23644675947816ca14cb1aa

SHA256 hash: 9ae40d61d2e7c73a66fb3d45288bae7d3e5b723a67b5e04b2b21f2d8b95321c1
MD5 hash: 751059e057e3f76de6d2d56e3e11b8bd
SHA1 hash: e1867c27223d8f9aabd79a0ca24b72d58b4f8573

SHA256 hash: 1bb6f045a9218bacd2c0f35f2e9fb3f0a92f5bdd7efd207b070c47707a6ae82d
MD5 hash: 1634b36bb54a876f818712d1f105fe00
SHA1 hash: deaa950169f13bd1f07103e5aff7932547962e04

SHA256 hash: c4bdfe525ee779f81f4c8863b49d605dec38489b640f00ca1ef488fac7221304
MD5 hash: e19abbe4ed7ddf88a77084130142792e
SHA1 hash: 1c5267bee1a008609637321b4a337f115a334889

SHA256 hash: 7b4ba24781e21b310e2749bc2f7a80b9670a4198a54d26e42079a6a1c1be6ae7
MD5 hash: 7b77d210bf6b00fd8ee8187198852052
SHA1 hash: 7f78d6294a269349fc9a49ad3c8ccb3c3d2665b4

SHA256 hash: 0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095
MD5 hash: 1b465c6989637df1d5c511919c43e457
SHA1 hash: 317f8bf5133176cd0f4125c6f2f0fdfc226754ab
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: QuasarRAT
Executable exe 0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095 (this sample)

Comments