MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 254f4133d2bfa7ca67fdc4704022cd1c22fb1e22957c90a29626ed8f2d189a3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 254f4133d2bfa7ca67fdc4704022cd1c22fb1e22957c90a29626ed8f2d189a3a
SHA3-384 hash: 576d5e413c83b904a4dcd83f971dd02f6325aa21dbcf3974bebdb04013bc3c570e361f11001a7c146f5a4ea08c181230
SHA1 hash: 982f441a30b5945f131350fded1587a41f848d78
MD5 hash: e206bbb108e3a2e7a554897f9f4d489c
humanhash: blue-nitrogen-emma-five
File name:Product List.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:60'416 bytes
First seen:2021-04-08 06:53:40 UTC
Last seen:2021-04-08 08:26:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:hPNK95hzuXuzehXl1UOhX3y4rh7OVT+aGbquLrayHrZ1A:o5hzQl1U2X3t0+aGbquiSrQ
TLSH 3C435B39578D4A37C7CD87BF90471001D7B8C2A71503F7A6386582B22AD37672AE19E7
Reporter abuse_ch
Tags:exe QuasarRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: thegambit.ro
Sending IP: 91.216.156.17
From: Martin Václavek <info@psicoalcala.es>
Reply-To: me <testing@mkontakt.az>
Subject: ORDER REQUEST (RFQ#798606)
Attachment: Product List.zip (contains "Product List.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Product List.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-08 06:59:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fdcc10c3-4211-4aa6-9d9f-8fe1c0c23785

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133043/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.28911.31852.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending a UDP request
Setting a global event handler
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/610a6ab7-13db-411e-8a97-ebb39b8afeda
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/669637
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/254f4133d2bfa7ca67fdc4704022cd1c22fb1e22957c90a29626ed8f2d189a3a/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2021-04-08 00:23:15 UTC
AV detection:
12 of 48 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=evhucm6sx6t4uz75yryeaiwndqrpwhrcsv6jbiuwe3wy6liyti5a._file
Verdict:
suspicious
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210408-z6yxxjcrye/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
254f4133d2bfa7ca67fdc4704022cd1c22fb1e22957c90a29626ed8f2d189a3a
MD5 hash:
e206bbb108e3a2e7a554897f9f4d489c
SHA1 hash:
982f441a30b5945f131350fded1587a41f848d78
Link:
https://www.unpac.me/results/1102c945-5006-40bd-8783-54dd98535978/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/254f4133d2bfa7ca67fdc4704022cd1c22fb1e22957c90a29626ed8f2d189a3a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

zip c05630d302eb7b0a3e492f1aa25c226bb8a20db2fec32440d53cd18ba5b978cf

QuasarRAT

Executable exe 254f4133d2bfa7ca67fdc4704022cd1c22fb1e22957c90a29626ed8f2d189a3a

(this sample)

  
Dropped by
MD5 1646b723d5926d6392547d7c7f4ea3a8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/133043/
  
Dropped by
SHA256 c05630d302eb7b0a3e492f1aa25c226bb8a20db2fec32440d53cd18ba5b978cf

Comments