MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c94f84e3fa2094147335a35c973392186a19fa774419d66b3d39d331e55c167. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c94f84e3fa2094147335a35c973392186a19fa774419d66b3d39d331e55c167
SHA3-384 hash: 67d5718e147ea96a2336c487d95863652e7c10cf3aa6c83e8f1125545c3c3b5d39247a488ded9cadc0182c31010d1e8e
SHA1 hash: 21b53bc1c750bfecba35cce22a865a23f096a74c
MD5 hash: 6181328f6a72d5c548d45f97eee054b7
humanhash: venus-river-speaker-cat
File name:2.cmd
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'986'163 bytes
First seen:2024-10-03 12:07:47 UTC
Last seen:2024-10-03 12:08:11 UTC
File type:cmd cmd
MIME type:text/plain
ssdeep 24576:qPumzpfx2dnMf3XU/8QcKeODDVx7eu2hCnC0P8TJE/RLm9Ok:euCc62TT393/K
Threatray 92 similar samples on MalwareBazaar
TLSH T1A4953360FDB82F1F4C25DB1EE24A651D37D10FBBBDAA9453905520870BAEA528E23C35
Magika powershell
Reporter JAMESWT_WT
Tags:azure-winsecure-com cmd QuasarRAT whyareyouherewho-ru

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fe8a3d0fdf88870979dabb
Tags:
Powershell Gumen
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd lolbin powershell
Link:
https://www.filescan.io/uploads/66fe892588188863f38e37db/reports/f1414b7f-1c32-42e6-9f59-000f3e974bad/overview
Verdict:
Suspicious
Labled as:
Trojan/PS.Encpe
Link:
https://www.hybrid-analysis.com/sample/1c94f84e3fa2094147335a35c973392186a19fa774419d66b3d39d331e55c167
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1524941
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Powershell drops PE file
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: TrustedPath UAC Bypass Pattern
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1524941 Sample: 2.cmd Startdate: 03/10/2024 Architecture: WINDOWS Score: 100 61 api.telegram.org 2->61 63 time.windows.com 2->63 65 7 other IPs or domains 2->65 81 Suricata IDS alerts for network traffic 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 Multi AV Scanner detection for dropped file 2->85 89 10 other signatures 2->89 9 cmd.exe 1 2->9         started        12 cmd.exe 2->12         started        signatures3 87 Uses the Telegram API (likely for C&C communication) 61->87 process4 signatures5 91 Suspicious powershell command line found 9->91 93 Suspicious command line found 9->93 14 powershell.exe 14 37 9->14         started        19 conhost.exe 9->19         started        21 cmd.exe 1 9->21         started        23 conhost.exe 12->23         started        process6 dnsIp7 67 api.telegram.org 149.154.167.220, 443, 60414 TELEGRAMRU United Kingdom 14->67 69 azure-winsecure.com 154.216.20.132, 60408, 7000 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 14->69 71 2 other IPs or domains 14->71 51 C:\Windows \System32\MLANG.dll, PE32+ 14->51 dropped 53 C:\Users\user\AppData\Local\Temp\MLANG.dll, PE32+ 14->53 dropped 55 C:\Users\user\...\$phantom-OneDrive.cmd, ASCII 14->55 dropped 57 C:\Windows \System32\ComputerDefaults.exe, PE32+ 14->57 dropped 73 Suspicious powershell command line found 14->73 75 Injects code into the Windows Explorer (explorer.exe) 14->75 77 Writes to foreign memory regions 14->77 79 5 other signatures 14->79 25 svchost.exe 1 14->25         started        28 cmd.exe 1 14->28         started        30 powershell.exe 14->30         started        32 32 other processes 14->32 file8 signatures9 process10 dnsIp11 95 Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes) 25->95 97 Queries temperature or sensor information (via WMI often done to detect virtual machines) 25->97 99 Drops executables to the windows directory (C:\Windows) and starts them 28->99 35 conhost.exe 28->35         started        37 ComputerDefaults.exe 12 28->37         started        101 Loading BitLocker PowerShell Module 30->101 39 conhost.exe 30->39         started        41 WmiPrvSE.exe 30->41         started        59 127.0.0.1 unknown unknown 32->59 103 Maps a DLL or memory area into another process 32->103 43 conhost.exe 32->43         started        45 conhost.exe 32->45         started        47 conhost.exe 32->47         started        49 backgroundTaskHost.exe 32->49         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c94f84e3fa2094147335a35c973392186a19fa774419d66b3d39d331e55c167/
Threat name:
Win32.Trojan.Sonbokli
Create hunting rule
Status:
Malicious
First seen:
2024-10-02 17:36:03 UTC
File Type:
Text (PowerShell)
AV detection:
3 of 37 (8.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dskpqtr7uieucrztli24s4zzegdkdh5horaz2zvt2ootghsvyftq._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
r77_core
Create hunting rule
Similar samples:
2a93f789e9db7989d85f309b704bf7e1a01188f38533ab940f2ae18815bc2158
QuasarRAT
74531f459fdb6837669583dc731b7a6afad5378782ab8bca5d726edac753f251
QuasarRAT
9964275838163379d80a317544e6b2be35216b20be75a950be36bf331ed61878
QuasarRAT
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
QuasarRAT
cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169
QuasarRAT
d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad
QuasarRAT
dbbe21f14ca93d658be3606974e289edf4b205b22d967324c49cba1950f29b9e
QuasarRAT
error
QuasarRAT
fe74f06d7437d213d96466b4475db2809c60a4e8aced9df338f4a71cf9bc7c16
QuasarRAT
+ 82 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:solidity v4 defense_evasion execution spyware trojan
Link:
https://tria.ge/reports/241003-pawkva1dmb/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Indicator Removal: File Deletion
Looks up external IP address via web service
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
azure-winsecure.com:7000
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c94f84e3fa2094147335a35c973392186a19fa774419d66b3d39d331e55c167

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments