MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c29149081e94e1ad00a2575210eada3b8a9c23e7dc9230c17870078f7e5d619. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QNodeService


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c29149081e94e1ad00a2575210eada3b8a9c23e7dc9230c17870078f7e5d619
SHA3-384 hash: 2fc09144085baa12f2a637dd5e2b055196d96c7ac1c50acab6113b8680bdeeb191d9907b695c9dde2a535d52d780da5f
SHA1 hash: 364924902e2c569d6c98625bd9a2e9243a36172f
MD5 hash: edab163a753ba918089ca191002f87ac
humanhash: mississippi-papa-lamp-double
File name:SKM_C258201001130020005057.exe
Download: download sample
Signature QNodeService
Create hunting rule
File size:988'672 bytes
First seen:2020-12-21 07:23:48 UTC
Last seen:2020-12-21 08:55:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Ey2Che7o+L+8cNeCTADDu06uI18uwD4GXUDyH54MTDFPPe0pMgBhKblD5yCWslml:Xlesm+8aBTAPugI18VM3S54MTDFPW0R
Threatray 1'189 similar samples on MalwareBazaar
TLSH 4225BE2439EA5019F5B7AF754BE471A2DA6FF7B33B03E45E1480038A4623E41DED2639
Reporter abuse_ch
Tags:exe QNodeService RAT


Avatar
abuse_ch
Malspam distributing QNodeService:

HELO: s1008.xrea.com
Sending IP: 150.95.9.228
From: Elaine Wu <Elaine@hasbc.com>
Subject: FWD: Reconfirm Swift Code
Attachment: SKM_C258201001130020005057.7z (contains "SKM_C258201001130020005057.exe")

QNodeService C2:
https://severdops.ddns.net:6204

Intelligence

File Origin
# of uploads :
2
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SKM_C258201001130020005057.exe
Verdict:
Malicious activity
Analysis date:
2020-12-21 07:24:10 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/5ec366b7-b568-418e-a1c7-169979448b4f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Agent.FBBH.22618.12636.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/567191
Signature
.NET source code contains very large strings
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c29149081e94e1ad00a2575210eada3b8a9c23e7dc9230c17870078f7e5d619/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2020-12-20 22:02:57 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dqurjeeb5fhbvuakev2scdvnuo4ktqr6pxesgdaxq4ahr57f2ymq._file
Verdict:
suspicious
Similar samples:
0a2fe4b7d0c23f0ea83a75f458660dfd486d336716609bda19c82a05730ff4d3
QNodeService
0e7d9a0423e2abe849c313d741de58cb172512f0b81ca56680a0c98bcc5a28e8
QNodeService
6ef6e538a34a5ae1ca34a7616c8fc5038a2238e63f0543673e1e48d7ac352241
QNodeService
a46ba41ed485d6f17d3da30e84f784ef419206d2378bc127c7095e7bbb2c1de6
QNodeService
a5ce2ebab407749927a5056f7d432f5936675ec94e166e67bf0ea254a63e1abb
QNodeService
a7120c8022437adb5629ea851c83f9efd6e57d9f5598f735e66fc11381fd707d
QNodeService
ba6d3319514c66b0b43c4dfa29ace7eadc90119cba7c3d1a86c3fb7fa9711a0e
QNodeService
e58365faedd335953c8f41dc5d7e9056c6db3924628dcf977ad7e556410d558a
QNodeService
fda323de5210f1ec46ee237d0e58558d78d34474ea282bf5dd1ca448c5ad369b
QNodeService
ff0dfc8a3f301d01a87dd618a831e5ec8409d7b1ef22fcc0ae595a7775ca7059
QNodeService
+ 1'179 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/201221-2pgfj997n2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
severdops.ddns.net:6204
Unpacked files
SH256 hash:
55abf08a6a6ab7c7848a2bc0410d84befe6dcfa118336e2e4f1ee456a8009efc
MD5 hash:
6ce9761c3c3ae715d40a77b982d31dc9
SHA1 hash:
42a5a02eabe7d80d79408549e7686d4e44524361
Link:
https://www.unpac.me/results/fa930aa9-0836-4a18-8326-065a3c7708b5/
SH256 hash:
1c29149081e94e1ad00a2575210eada3b8a9c23e7dc9230c17870078f7e5d619
MD5 hash:
edab163a753ba918089ca191002f87ac
SHA1 hash:
364924902e2c569d6c98625bd9a2e9243a36172f
Link:
https://www.unpac.me/results/fa930aa9-0836-4a18-8326-065a3c7708b5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c29149081e94e1ad00a2575210eada3b8a9c23e7dc9230c17870078f7e5d619

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QNodeService

7z bd1f4d87d73b27b29a680c1cf02ac909c6f879a31ff60c0177e9f8408b252ccd

QNodeService

Executable exe 1c29149081e94e1ad00a2575210eada3b8a9c23e7dc9230c17870078f7e5d619

(this sample)

  
Dropped by
MD5 0920018e810c134749e5aac1e1776a61
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bd1f4d87d73b27b29a680c1cf02ac909c6f879a31ff60c0177e9f8408b252ccd

Comments