MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28379fca654b86d91cdb606bb29ce739b5504b4392de17ecfb63d18506146ae6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 9



SHA256 hash: 28379fca654b86d91cdb606bb29ce739b5504b4392de17ecfb63d18506146ae6
SHA3-384 hash: b856468400de4e45e9b87e12fb9ed0404deaf092630376a1245e87c298961084e60bbd2fdd2109c042f9d09251dab004
SHA1 hash: 5434813d18301b50c1949b73d9615ff63bcff355
MD5 hash: 9293b7e8dc5750f67d82ab31610e1ef4
humanhash: eight-eighteen-harry-gee
File name: DRAFT-COPY-0409484-BILLLADING.exe
Signature: QuasarRAT
File size: 645'120 bytes
First seen: 2020-10-13 06:01:10 UTC
Last seen: 2020-10-13 07:08:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 6144:ktd3AxzOw8BOV2QcWV9G15UXEsHtC+LZ0iNZsXFg1O4zIUF4cNTURd4Meyxc0wYB:kvezL8WcWzGH2NZpNZsCO4GciRmiA7Y
Threatray: 91 similar samples on MalwareBazaar
TLSH: 3BD43CA6BD844932D93347B1C9B64691A7323E9A3561DD0F30A73B022E733477C9AD4E
Reporter: abuse_ch
Tags: exe Maersk QuasarRAT RAT


abuse_ch
Malspam distributing QuasarRAT:

HELO: mail.mailerhost.net
Sending IP: 5.206.224.208
From: MAERSK LINE <info@cnexac.tk>
Subject: URGENT TELEX RELEASE - RE Shipment Bill of lading 20170000112
Attachment: DRAFT-COPY-0409484-BILLLADING.rar (contains "DRAFT-COPY-0409484-BILLLADING.exe")

Intelligence


File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 297063, Sample: DRAFT-COPY-0409484-BILLLADING.exe, Startdate: 13/10/2020, Architecture: WINDOWS, Score: 100 (the graph itself is rendered as an image on the original page)
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Status:
Malicious
First seen:
2020-10-13 01:05:12 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
persistence trojan spyware family:quasar
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Quasar RAT
Unpacked files
SHA256 hash:
28379fca654b86d91cdb606bb29ce739b5504b4392de17ecfb63d18506146ae6
MD5 hash:
9293b7e8dc5750f67d82ab31610e1ef4
SHA1 hash:
5434813d18301b50c1949b73d9615ff63bcff355
SHA256 hash:
624b670e36ae425a548fd77b4dfe489ef0bdee15343edf7226b7003feb8340fb
MD5 hash:
99d1b5884d86c026585ac467b9b0612f
SHA1 hash:
9209f3dde8f0b607395ce71274d2adcd20e08791
SHA256 hash:
165b6353a27653c087637f372f70713e4e0af658e87f03ba0703d8b975525243
MD5 hash:
112730ad698bcb62cfb8c64c4862640a
SHA1 hash:
6b42b1f3f372785c40b4f80c35d6aa2e0d012429
SHA256 hash:
b845cbcad281bcec29e626429ad58e159cfad04b5d64918f7a90966ee14715b3
MD5 hash:
d54e37bf9f9b3c1abf51b3a3ccbaba68
SHA1 hash:
b5cddeb215aa3d986022f0d5015aa05053e50160

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:Chrome_stealer_bin_mem
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:CN_disclosed_20180208_KeyLogger_1
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:Keylog_bin_mem
Author:James_inthe_box
Description:Contains Keylog
Rule name:MSILStealer
Author:https://github.com/hwvs
Description:Detects strings from C#/VB Stealers and QuasarRat
Reference:https://github.com/quasar/QuasarRAT
Rule name:Quasar
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_Jan18_1
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:Select_from_enumeration
Author:James_inthe_box
Description:IP and port combo
Rule name:Vermin_Keylogger_Jan18_1
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:xRAT_1
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

Executable exe 28379fca654b86d91cdb606bb29ce739b5504b4392de17ecfb63d18506146ae6

(this sample)

Delivery method
Distributed via e-mail attachment

Comments