MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17cb2a091ccd9e86a391fb54125ec26b297e4b7abf63d4f87eedf098cea3f766. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17cb2a091ccd9e86a391fb54125ec26b297e4b7abf63d4f87eedf098cea3f766
SHA3-384 hash: 2a82facfe3fad38017cd755c908ed03e471fd662e73ebdf1dcd757eb2bf9a6f1ac9bc8463f25cbf14d1e9b100e981863
SHA1 hash: 3e9a1d25373003a398880c47b7d59b167fd9cf3d
MD5 hash: 709d3babbc93d5ade9fb261bf3fd4253
humanhash: early-leopard-music-april
File name:SKTT090800.UUE
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:484'938 bytes
First seen:2021-05-25 07:38:59 UTC
Last seen:2021-05-25 08:01:37 UTC
File type: zip
MIME type:application/zip
ssdeep 12288:c1ubDrsld3YsoIlZE90yzaOijeNVHLKtFbTAU/99dC2Zr3:KldNvJcCClLKnTAU/E2Z3
TLSH 2CA423B586E8C0FDC150B1433E8ABA33BE1557BFDA18B230E2662255DA744325FA1DF4
Reporter cocaman
Tags:QuasarRAT uue


Avatar
cocaman
Malicious email (T1566.001)
From: "mastersealandlogistics2@gmail.com" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [185.222.58.136]) "
Date: "23 May 2021 18:07:40 -0700"
Subject: "=?UTF-8?B?6KiC5Zau77yDMDkwMDA5MDA=?="
Attachment: "SKTT090800.UUE"

Intelligence

File Origin
# of uploads :
2
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/17cb2a091ccd9e86a391fb54125ec26b297e4b7abf63d4f87eedf098cea3f766
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17cb2a091ccd9e86a391fb54125ec26b297e4b7abf63d4f87eedf098cea3f766/
Threat name:
ByteCode-MSIL.Packed.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-05-24 10:47:15 UTC
File Type:
Binary (Archive)
Extracted files:
20
AV detection:
11 of 46 (23.91%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c7fsuci4zwpini4r7nkbexwcnmux4s32x5r5j6d65xyjrtvd65ta._file
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:stormkitty spyware stealer
Link:
https://tria.ge/reports/210525-a53lb4n8z2/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Executes dropped EXE
StormKitty
StormKitty Payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17cb2a091ccd9e86a391fb54125ec26b297e4b7abf63d4f87eedf098cea3f766

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

zip 17cb2a091ccd9e86a391fb54125ec26b297e4b7abf63d4f87eedf098cea3f766

(this sample)

QuasarRAT

Executable exe 81bc32eecba3c6c90eea4128b4547518f9217a436c5df3e14782382a33cc5270

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 81bc32eecba3c6c90eea4128b4547518f9217a436c5df3e14782382a33cc5270
  
Dropping
QuasarRAT

Comments