MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 123c46aeba7452d44ac8d18d5c5852964737fbc3697446b587311271bfe4413c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 6

SHA256 hash: 123c46aeba7452d44ac8d18d5c5852964737fbc3697446b587311271bfe4413c
SHA3-384 hash: d020b4d33e9fea712ab274165557dcd40a418c62cf28e4015068523c3fc796534682506e5bf29955e517c00945f615be
SHA1 hash: 0c9cc8855875300978bae077786df0a0cdeeba63
MD5 hash: a41de1ef870e970e265cc35b766a5ec8
humanhash: missouri-california-oranges-whiskey
File name: 125655799651.vbs
Signature: QuasarRAT
File size: 6'794 bytes
First seen: 2022-04-15 07:00:03 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 192:/FBzA1vEOvf1t3OsvFBar91+Uiz2vuhlW:99YvEOv9tesvyZ1+UizqgW
TLSH: T18CE18A67C8265A872986432DB33E2455DB1D62FEE1C0A4497021C3CD1E6D3C9FE3EAD6
Reporter: abuse_ch
Tags: QuasarRAT, vbs


abuse_ch
Payload URL: https://pastetext.net/raw/vzwmtwswrf

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 347
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: UNKNOWN

Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Compiles code for process injection (via .Net compiler)
Drops VBS files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell File Write to Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Quasar RAT
Yara detected RUNPE
Behaviour
Behavior Graph (graph rendering not reproduced): Behavior Graph ID 609797, Sample 125655799651.vbs, Startdate 15/04/2022, Architecture WINDOWS, Score 100. The graph shows wscript.exe starting powershell.exe, which retrieves the payload from pastetext.net, drops a .PS1 file and VBS files into the startup folder, compiles code with csc.exe (with cvtres.exe) and injects into RegAsm.exe, which then contacts ip-api.com and a remote host on a non-standard port.

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-04-15 07:01:06 UTC
File Type: Text (VBS)
AV detection: 1 of 42 (2.38%)
Threat level: 5/5

Result
Verdict: unknown

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Malware Config
Dropper Extraction: https://pastetext.net/raw/vzwmtwswrf
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments