MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cecb5f04b2bb2994f2f5f3f9413de052a28a33f7efbfa52fa8b71ef47b5d8c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.Generic


Vendor detections: 17


Intelligence 17 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1cecb5f04b2bb2994f2f5f3f9413de052a28a33f7efbfa52fa8b71ef47b5d8c5
SHA3-384 hash: 1cfebbe2b48e990eded76b9dce3acdb3106a5ecac8b18eea5b141103bfd66014c43622244ab76f2b9da7b481dea3e31d
SHA1 hash: eda2b129882af31e7b94cb32509027542ce9862b
MD5 hash: 58a34176496d2ff9264b9990d41d930f
humanhash: zebra-helium-princess-ack
File name:OperaSetup.exe
Download: download sample
Signature Adware.Generic
Create hunting rule
File size:6'351'872 bytes
First seen:2023-07-26 09:05:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:YGh5ziNlRUaub+MPDrc/c+NmXnKyFrsqCkHj92AYawl1WPOl6NVLkJ0xWE/8M:Y3NlqaubXgUCqCSBjxIM
Threatray 4 similar samples on MalwareBazaar
TLSH T1BE56BE1177F85E72E16AD3B3D5B1542363F0FC2AB363EB0B2151667A1CB3B4098426A7
TrID 30.3% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
17.8% (.EXE) InstallShield setup (43053/19/16)
12.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.2% (.EXE) UPX compressed Win32 Executable (27066/9/6)
6.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
File icon (PE):PE icon
dhash icon aa38ce868282b882 (110 x Adware.Generic, 6 x CoinMiner, 5 x Formbook)
Reporter Anonymous
Tags:Adware.Generic exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
OperaSetup.exe
Verdict:
Malicious activity
Analysis date:
2023-07-26 09:07:43 UTC
Tags:
installer trojan rat asyncrat quasar remote
Link:
https://app.any.run/tasks/a9bcbd05-b56f-4ee1-a9ec-f0e77e3fa209

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/433486/
Detection(s):
Win.Malware.Generic-9883083-0
Create hunting rule

Win.Malware.Msilheracles-9900242-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.QuasarStealer.UNOFFICIAL
Create hunting rule

Win.Packed.Downeks-6898097-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Setting a keyboard event handler
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file
Launching a process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm evasive fingerprint infostealer keylogger packed quasarrat rat stealer
Link:
https://www.filescan.io/uploads/64c0e1fb2c2ccb70944a162b/reports/4b91b776-1b59-4994-9ce4-639c8b801b8b/overview
Verdict:
Malicious
Labled as:
Cerbu.Generic
Link:
https://www.hybrid-analysis.com/sample/1cecb5f04b2bb2994f2f5f3f9413de052a28a33f7efbfa52fa8b71ef47b5d8c5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c71b6e9-8319-408d-af9f-fdf47041d37a
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1279971
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1279971 Sample: OperaSetup.exe Startdate: 26/07/2023 Architecture: WINDOWS Score: 64 117 eu-autoupdate.opera.com 2->117 119 autoupdate.geo.opera.com 2->119 137 Snort IDS alert for network traffic 2->137 139 Found malware configuration 2->139 141 Malicious sample detected (through community Yara rule) 2->141 143 9 other signatures 2->143 11 OperaSetup.exe 14 2->11         started        14 launcher.exe 2->14         started        16 opera.exe 2->16         started        18 launcher.exe 2->18         started        signatures3 process4 file5 107 C:\Users\user\AppData\Roaming\...\opera.exe, PE32 11->107 dropped 109 C:\Users\user\AppData\...\OperaSetup.exe, PE32 11->109 dropped 111 C:\Users\user\AppData\...\OperaSetup.exe.log, ASCII 11->111 dropped 20 opera.exe 4 11->20         started        24 OperaSetup.exe 48 11->24         started        113 C:\Users\user\AppData\Local\...\installer.exe, PE32+ 14->113 dropped 27 installer.exe 14->27         started        29 opera_crashreporter.exe 16->29         started        process6 dnsIp7 83 C:\Users\user\AppData\...\launcher.exe, PE32 20->83 dropped 145 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->145 31 launcher.exe 14 2 20->31         started        35 schtasks.exe 1 20->35         started        121 submit-trn.osp.opera.software 107.167.125.189, 443, 49692, 49694 OPERASOFTWAREUS United States 24->121 123 addons.opera.com 185.26.182.112, 443, 49721, 49722 NO-OPERANO Norway 24->123 125 14 other IPs or domains 24->125 85 C:\Users\user\AppData\...\OperaSetup.exe, PE32 24->85 dropped 87 Opera_installer_2307260917542027000.dll, PE32 24->87 dropped 89 C:\Users\user\AppData\Local\...\opera_package, PE32 24->89 dropped 91 4 other files (none is malicious) 24->91 dropped 37 OperaSetup.exe 24->37         started        40 Assistant_100.0.4815.21_Setup.exe_sfx.exe 24->40         started        42 OperaSetup.exe 5 24->42         started        44 2 other processes 24->44 file8 signatures9 process10 dnsIp11 129 ipwho.is 195.201.57.90, 443, 49711 HETZNER-ASDE Germany 31->129 131 0.tcp.eu.ngrok.io 3.124.142.205, 15861, 49705, 49733 AMAZON-02US United States 31->131 133 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->133 135 Installs a global keyboard hook 31->135 46 schtasks.exe 31->46         started        48 conhost.exe 35->48         started        93 Opera_installer_2307260918389486668.dll, PE32 37->93 dropped 50 installer.exe 37->50         started        53 OperaSetup.exe 37->53         started        95 C:\Users\user\AppData\Local\...\mojo_core.dll, PE32 40->95 dropped 97 C:\Users\user\AppData\Local\...\launcher.exe, PE32 40->97 dropped 99 C:\Users\user\AppData\Local\...\dbghelp.dll, PE32 40->99 dropped 105 3 other files (none is malicious) 40->105 dropped 101 Opera_installer_2307260917552957004.dll, PE32 42->101 dropped 103 Opera_installer_2307260917594972888.dll, PE32 44->103 dropped 55 assistant_installer.exe 44->55         started        file12 signatures13 process14 file15 57 conhost.exe 46->57         started        75 Opera_installer_2307260919209654840.dll, PE32+ 50->75 dropped 77 C:\Users\user\AppData\Local\...\opera.exe, PE32+ 50->77 dropped 79 C:\Users\user\AppData\Local\...\launcher.exe, PE32+ 50->79 dropped 59 opera.exe 50->59         started        62 installer.exe 50->62         started        65 installer_helper_64.exe 50->65         started        81 Opera_installer_2307260918423616880.dll, PE32 53->81 dropped process16 dnsIp17 127 192.168.2.1 unknown unknown 59->127 67 opera_crashreporter.exe 59->67         started        69 opera_gx_splash.exe 59->69         started        71 opera.exe 59->71         started        73 opera.exe 59->73         started        115 Opera_installer_2307260919224804716.dll, PE32+ 62->115 dropped file18 process19
Detection:
quasar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1cecb5f04b2bb2994f2f5f3f9413de052a28a33f7efbfa52fa8b71ef47b5d8c5/
Threat name:
ByteCode-MSIL.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2023-07-26 09:06:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
206
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dtwll4clfozjstzpl47zie66auvcriz7p357uux2rny66r5v3dcq._file
Verdict:
malicious
Similar samples:
5e8fac6112512b2f2a726424c8acfe486043905a2b8efc0219be0c551a4a6cd6
Adware.Generic
aa18400f1aa2fef6c2a5a50965981a3d668e052ce8ac851a8bd145cac1ee2ace
Adware.Generic
ed4cbfe246783bd7a7d124ac8f67e208f968a805264c3c6883fe77ac8fc4e72c
Adware.Generic
ee3a27163a31b2fbe14fecb33abc0c965e81faeaba4cb379ddbf4f719677c383
Adware.Generic
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:opera spyware stealer trojan upx
Link:
https://tria.ge/reports/230726-k2q28aae78/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Downloads MZ/PE file
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
0.tcp.eu.ngrok.io:15861
Unpacked files
SH256 hash:
1cecb5f04b2bb2994f2f5f3f9413de052a28a33f7efbfa52fa8b71ef47b5d8c5
MD5 hash:
58a34176496d2ff9264b9990d41d930f
SHA1 hash:
eda2b129882af31e7b94cb32509027542ce9862b
Detections:
QuasarRAT
Create hunting rule
Link:
https://www.unpac.me/results/b584cb67-6377-41fa-8b6e-862debad256e/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1cecb5f04b2b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1cecb5f04b2bb2994f2f5f3f9413de052a28a33f7efbfa52fa8b71ef47b5d8c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
Create hunting rule
Author:ditekSHen
Description:Detects executables containing base64 encoded User Agent
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Description:Detects QuasarRAT malware
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/433486/

Comments