MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13f6c9d2b53ff26787837ee6e18e0024682653488ab2a363ecf71b035640d12e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 14



SHA256 hash: 13f6c9d2b53ff26787837ee6e18e0024682653488ab2a363ecf71b035640d12e
SHA3-384 hash: af076025ad8db6c376da1d2776ba1c490c5b0210503cbd62550c23796e1cc4354d75a07cd55cd4ca4ecd2f041fce6051
SHA1 hash: 107ae2e064563555e5c763d688e576cbf81750fc
MD5 hash: 34f0253df6d63ed2a84e597be76ddabf
humanhash: triple-sweet-pasta-vegan
File name: 34f0253df6d63ed2a84e597be76ddabf.exe
Download: download sample
Signature: QuasarRAT
File size: 11'328'512 bytes
First seen: 2023-08-25 14:45:20 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep: 196608:jXRZLug6KGz4uN4iXa9V4oHvsFZIwM1A/w7jaAcekxy9Hymy4R0UNrttaOff:j+lK64ziq9KoHUFWoijaXhxIPDaa
Threatray: 176 similar samples on MalwareBazaar
TLSH: T126B633E1EEDCB591DA5BC9F22C89F031A592944967F2BCAC3EB477D9D333250190834A
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE): (icon image not reproduced)
dhash icon: 9288ce8c2a868f92 (89 x Tinba, 7 x AsyncRAT, 6 x Dridex)
Reporter: abuse_ch
Tags: exe QuasarRAT RAT


abuse_ch
QuasarRAT C2:
83.143.112.45:4782

Intelligence


File Origin
# of uploads: 1
# of downloads: 346
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 34f0253df6d63ed2a84e597be76ddabf.exe
Verdict: Malicious activity
Analysis date: 2023-08-25 14:48:05 UTC
Tags: xworm remote

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the %temp% directory
Enabling the 'hidden' option for recently created files
Launching a process
Creating a file in the Windows directory
Creating a file in the Windows subdirectories
Creating a window
Searching for synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Result
Threat name: Quasar, XWorm
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell connects to network
Powershell is started from unusual location (likely to bypass HIPS)
Renames powershell.exe to bypass HIPS
Sample uses process hollowing technique
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Very long command line found
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Quasar RAT
Yara detected XWorm
Behaviour
Behavior Graph:
Behavior Graph ID: 1297481
Sample: r2wd0vCZr1.exe
Start date: 25/08/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures

Process tree recovered from the graph ("->" means the parent started the child unless marked "injected"):
  r2wd0vCZr1.exe
    dropped: C:\ProgramData\server.exe (PE32); C:\ProgramData\Uni.bat (DOS)
    -> cmd.exe
       dropped: C:\ProgramData\Uni.bat.exe (PE32+)
       signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
       -> Uni.bat.exe
          dropped: C:\Windows\System32\vcruntime140d.dll (PE32+); C:\Windows\System32\vcruntime140_1d.dll (PE32+); C:\Windows\System32\ucrtbased.dll (PE32+); 3 other files (2 malicious)
          signatures: Suspicious powershell command line found; Very long command line found; Bypasses PowerShell execution policy; 5 other signatures
          -> $sxr-powershell.exe
             network: api4.ipify.org (64.185.227.156, ports 443, 49730; WEBNXUS; United States); tools.keycdn.com (185.172.148.96, ports 443, 49729; PROINITYPROINITYDE; Germany); api.ipify.org
             signatures: Suspicious powershell command line found; Very long command line found; May check the online IP address of the machine; 7 other signatures
             -> $sxr-powershell.exe (3 instances; one flagged: Powershell is started from unusual location (likely to bypass HIPS)); 7 other processes
          -> dllhost.exe
             signatures: Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
             injected: winlogon.exe; lsass.exe (Writes to foreign memory regions); 3 other processes
                winlogon.exe -> dllhost.exe (2 instances)
                   dllhost.exe signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
                   injected: svchost.exe (3 instances)
          -> dllhost.exe
             signatures: Found stalling execution ending in API Sleep call; Contains functionality to inject code into remote processes
          -> 2 other processes
             signatures: Uses ping.exe to sleep
             -> PING.EXE (network: 192.168.2.1); 3 other processes
       -> conhost.exe
    -> server.exe
       network: 83.143.112.45 (ports 4782, 49721, 49727; INTERNETIA_ETTH2-ASNoc-BialystokPL; Germany)
       signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  $sxr-nircmd.exe
    signatures: Drops executables to the windows directory (C:\Windows) and starts them; Contains functionality to modify clipboard data
    -> $sxr-nircmd.exe
       -> cmd.exe
          dropped: C:\Windows\$sxr-seroxen1\$sxr-Uni.bat.exe (PE32+)
          signatures: Renames powershell.exe to bypass HIPS
          -> conhost.exe
  $sxr-powershell.exe
    signatures: Powershell is started from unusual location (likely to bypass HIPS)
    -> conhost.exe
  2 other processes
Threat name: ByteCode-MSIL.Dropper.AsyncRAT
Status: Malicious
First seen: 2023-08-23 12:27:14 UTC
File Type: PE (.Net Exe)
Extracted files: 28
AV detection: 18 of 24 (75.00%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:xworm persistence rat trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
Malware Config
C2 Extraction: 83.143.112.45:7000
Unpacked files
SHA256 hash: 13f6c9d2b53ff26787837ee6e18e0024682653488ab2a363ecf71b035640d12e
MD5 hash: 34f0253df6d63ed2a84e597be76ddabf
SHA1 hash: 107ae2e064563555e5c763d688e576cbf81750fc
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE).

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents

Rule name: MALWARE_Win_AsyncRAT
Author: ditekSHen
Description: Detects AsyncRAT

Rule name: MALWARE_Win_XWorm
Author: ditekSHen
Description: Detects XWorm

Rule name: Multifamily_RAT_Detection
Author: Lucas Acha (http://www.lukeacha.com)
Description: Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_DOTNET_PE_List_AV
Author: SECUINFRA Falcon Team
Description: Detects .NET Binary that lists installed AVs

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: win_delivery_check_g0

Rule name: win_r77_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.r77.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments