MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 234b2c300af5e4ac2001332e07c2e54bd48dac174cf8b5d0c486a3cc6076043c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	234b2c300af5e4ac2001332e07c2e54bd48dac174cf8b5d0c486a3cc6076043c
SHA3-384 hash:	c9c6cf65127790a64ab0dba0aa591464f8687defd926d60c68a599ed2e973d0b324410b641ba0452ec126c4b93de1a4c
SHA1 hash:	e884cd80368c4c5459129e4eb6adf202c891e918
MD5 hash:	623cbd012379aa533d20921bcc84e015
humanhash:	seventeen-grey-diet-alaska
File name:	Purchase Order # 2147.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	875'520 bytes
First seen:	2020-08-28 05:59:43 UTC
Last seen:	2020-08-28 07:03:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:luP1C9exO+YaL+xeCmDHeLfUdwGp99jfDG:QM9exOgmC39jfD
Threatray	58 similar samples on MalwareBazaar
TLSH	C81523162FEC8798CEF91AFF6A2FB18087B67B482333DB5D0C51A16756763C00561A4B
Reporter	abuse_ch
Tags:	exe QuasarRAT RAT

abuse_ch

Malspam distributing QuasarRAT:

HELO: ge.getservapi.live
Sending IP: 45.95.171.214
From: losphall@japremix.com <losphall@japremix.com>
Reply-To: losphall@japremix.com <sale@petrochemicalhousecube.xyz>
Subject: Purchase Order # 2147
Attachment: Purchase Order 2147.img (contains "Purchase Order # 2147.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/52177/

Detection(s):

SecuriteInfo.com.Fareit-FYV623CBD012379.25565.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Setting a global event handler for the keyboard

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/453219

Signature

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/234b2c300af5e4ac2001332e07c2e54bd48dac174cf8b5d0c486a3cc6076043c/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-28 06:01:10 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=enfsymak6xskyiabgmxapqxfjpki3laxjt4llugeq2r4yydwaq6a._file

Verdict:

unknown

QuasarRAT

1bf67b967c8397bfab22e326bce6efa64c647206102d4753569ba1abb538d685

QuasarRAT

444338fed0f0499fb9d5a4862b64386472c22329aa75f6c544c6d37b8b5a629f

QuasarRAT

5c48cd3f4eba017d3a0aea873a3ca3bc61bcdc3aa6a52727ee1236ddb885604d

QuasarRAT

a2938e6462b02115d0579cb8a4294626eb792a781b68175844a5fb26ae6de0b6

QuasarRAT

bd6650220b7fa539c937c4008df96914a86b1cbaa0098588a9b4ec0175f0c679

QuasarRAT

cb26b474b4f7be86dc5bf39c595a93d1e3353bd25312d83249dc4e1097df2f3e

QuasarRAT

dfe001ed1950d612ea59a75c6367629ff0e031853e9f7a12b7f0381a4f20660f

QuasarRAT

fafa7913ac9ff3330896a63b8db3d8e8f88e35a10de8a96dafa570ed29b537d6

QuasarRAT

fb80c2113b1bf08db1c5f3997c9787f5b819418473975c4a370e4c5cebfa3b7f

QuasarRAT

+ 48 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/200828-mhkq64a6sa/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/234b2c300af5e4ac2001332e07c2e54bd48dac174cf8b5d0c486a3cc6076043c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf