MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1082af11e2e9949798b1752d511d0c134ccc7bb54147b5c83a5d0edddd236e65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1082af11e2e9949798b1752d511d0c134ccc7bb54147b5c83a5d0edddd236e65
SHA3-384 hash: e4c8d2498c863010a0b147cd474e10aaa67278ec4c168e9dacf6774c36f74fc752463d395b5e0430939ae96762742d80
SHA1 hash: 2c1bcfac805bd6bd400389b902029eb80865f518
MD5 hash: 01e4b34085e840c3c2cebf1e0db0aa29
humanhash: ceiling-carpet-double-failed
File name:NEW980009000.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:385'536 bytes
First seen:2021-08-27 10:39:31 UTC
Last seen:2021-08-27 12:01:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ef471c0edf1877cd5a881a6a8bf647b9 (74 x Formbook, 33 x Loki, 29 x Loda)
ssdeep 6144:l4XrK9PX7Fp6Gh2wWRGl0EDDf1PisZQ5rAGQwg1QtP1f4paaYlsdcaMJEdbI0PzQ:eXe9PPlowWX0t6mOQwg1Qd15CcYk0Weg
Threatray 5'916 similar samples on MalwareBazaar
TLSH T12484121A5CC64C99E6D4B7F461F1865B293A7D5204248389EDF8FF2C9972113ECC24BE
dhash icon 174f4559191b1b13 (81 x AgentTesla, 68 x Formbook, 34 x SnakeKeylogger)
Reporter adrian__luca
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW980009000.exe
Verdict:
Malicious activity
Analysis date:
2021-08-27 10:41:26 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/34e237f7-0425-4df2-8ea3-46287f47f4ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182914/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Setting a keyboard event handler
Launching a process
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Creating a file
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bdcfde3c-e305-4238-91e3-1c1fe1fe75b4
Result
Threat name:
SpyEx StormKitty a310Logger
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840353
Signature
Antivirus detection for dropped file
AutoIt script contains suspicious strings
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected a310Logger
Yara detected Generic Dropper
Yara detected SpyEx stealer
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 472784 Sample: NEW980009000.exe Startdate: 27/08/2021 Architecture: WINDOWS Score: 100 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->61 63 6 other signatures 2->63 8 NEW980009000.exe 15 2->8         started        process3 dnsIp4 33 a.tmp.ninja 198.251.89.86, 443, 49706 PONYNETUS United States 8->33 71 Maps a DLL or memory area into another process 8->71 12 NEW980009000.exe 1 3 8->12         started        signatures5 process6 signatures7 73 Sample uses process hollowing technique 12->73 75 Installs a global keyboard hook 12->75 15 InstallUtil.exe 15 7 12->15         started        19 InstallUtil.exe 6 12->19         started        22 InstallUtil.exe 12->22         started        process8 dnsIp9 35 251.241.3.0.in-addr.arpa 15->35 37 icanhazip.com 104.18.7.156, 49707, 49721, 80 CLOUDFLARENETUS United States 15->37 39 api.mylnikov.org 104.21.9.139, 443, 49708 CLOUDFLARENETUS United States 15->39 47 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->47 49 May check the online IP address of the machine 15->49 51 Tries to steal Instant Messenger accounts or passwords 15->51 24 MZ.exe 3 15->24         started        41 251.241.3.0.in-addr.arpa 19->41 43 172.67.160.130, 443, 49722 CLOUDFLARENETUS United States 19->43 45 192.168.2.1 unknown unknown 19->45 31 C:\Users\user\AppData\Roaming\...\MZ.exe, PE32 19->31 dropped 53 Tries to steal Mail credentials (via file access) 19->53 55 Tries to harvest and steal browser information (history, passwords, etc) 19->55 27 MZ.exe 2 19->27         started        29 WerFault.exe 22->29         started        file10 signatures11 process12 signatures13 65 Antivirus detection for dropped file 24->65 67 Multi AV Scanner detection for dropped file 24->67 69 Machine Learning detection for dropped file 24->69
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1082af11e2e9949798b1752d511d0c134ccc7bb54147b5c83a5d0edddd236e65/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-08-27 02:11:41 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ccbk6epc5gkjpgfrouwvchimcngmy65vifd3lsb2luhn3xjdnzsq._file
Verdict:
malicious
Similar samples:
1c4cf94d38837e40ac5654711ef04cf7f2e07a66c065c46955d92d0d95089d90
QuasarRAT
455517009fdfd87789fdfec23ccb1b00ac85f5b3bcc47430f4709ddab4073fba
QuasarRAT
71335267a0a48bbcf678e354b421445d3db926ec5dd9b40c2a004cebb9b166f0
QuasarRAT
8083fc125756be5ccebc8b837ffd80063f42696159291e0df941c28f03170b07
QuasarRAT
8344690f025846a5a0dcf5d6012a94cddcfe48ffcc06fa6d566bb4ef149e6716
QuasarRAT
b09fdc39338aacafb7eb0163757d2b9863f78e5467af017ff4ad2f09e0e266a2
QuasarRAT
c46c1d3ce137b855a860af126e8986175501defc0a3f69c5472bf9d905c05bb4
QuasarRAT
e9714695528eb1f8786fe8a7250f952f23b3205a4e2a60073668717eb2f5dc2b
QuasarRAT
f3037e5e047b6bfbfb11c453d1d836217e8c7ec606eacce69dfe31bf8b260821
QuasarRAT
ff3168baecb6c9afcaeaf4d557d814522a197183c8930da3832465f2f5b3963b
QuasarRAT
+ 5'906 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:a310logger family:stormkitty spyware stealer upx
Link:
https://tria.ge/reports/210827-qsfpnm8rw6/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Looks up geolocation information via web service
Reads local data of messenger clients
Reads user/profile data of web browsers
Executes dropped EXE
A310logger Executable
A310logger
StormKitty
StormKitty Payload
Unpacked files
SH256 hash:
b17db72c9a3457a06331d4920a6d16993808f328b44337e57af1542aba8aa5e3
MD5 hash:
71c7d790288fc1a34c9cf04e4ca1ff97
SHA1 hash:
afaa0526ef50a5c093fda75fddf4ba54c7a521d1
Link:
https://www.unpac.me/results/5b82cedb-e522-454a-af53-64ab5334d8ad/
SH256 hash:
1082af11e2e9949798b1752d511d0c134ccc7bb54147b5c83a5d0edddd236e65
MD5 hash:
01e4b34085e840c3c2cebf1e0db0aa29
SHA1 hash:
2c1bcfac805bd6bd400389b902029eb80865f518
Link:
https://www.unpac.me/results/5b82cedb-e522-454a-af53-64ab5334d8ad/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1082af11e2e9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/1082af11e2e9949798b1752d511d0c134ccc7bb54147b5c83a5d0edddd236e65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_StormKitty
Create hunting rule
Author:ditekSHen
Description:Detects StormKitty infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

455a49cd2ada78bf504e814e96a945dcc449b26e0d2f21e3d223bb5e71fb0450

QuasarRAT

Executable exe 1082af11e2e9949798b1752d511d0c134ccc7bb54147b5c83a5d0edddd236e65

(this sample)

  
Dropped by
SHA256 455a49cd2ada78bf504e814e96a945dcc449b26e0d2f21e3d223bb5e71fb0450
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/182914/

Comments