MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e6b47bbdb9f281c1432dc63d92d67ca891adf87e20edfa456789c8724a4b7b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e6b47bbdb9f281c1432dc63d92d67ca891adf87e20edfa456789c8724a4b7b1
SHA3-384 hash: 56514acf316f38f2cae1b83c6732a2a38062c59a57affd66f82d42baedc36adf69f0c179ce0f36ecc1603dd59ce069a7
SHA1 hash: 7acd0a479bd569b8b78774f7d142bc2e40b9c21c
MD5 hash: 4fdc775bf6f9125a700c32dadf7cde42
humanhash: sixteen-saturn-helium-princess
File name:97885667836purchaseorder563773.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:515'584 bytes
First seen:2020-10-07 16:43:31 UTC
Last seen:2020-10-07 18:00:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:vVZiLeImHvm6A7CAThO1zmfmHnAbP0SoF0KWar2l6WkPkg8vMER/l7XG7CxEYfyl:dZitmPQ9hO8+HsP9uu7U1ER/l78YfL8
Threatray 268 similar samples on MalwareBazaar
TLSH 13B47D45CDABD972FF843BF6F8296CFEDB64C4181D53E70A81024C998D2E6C417632A6
Reporter abuse_ch
Tags:exe QuasarRAT


Avatar
abuse_ch
Malspam distributing QuasarRAT:

HELO: moneyyy.vps-ams1.blazingfast.io
Sending IP: 5.206.224.57
From: Sulzer Global <Sulzer.Global@megoldaspatika.hu>
Subject: New Order PO 851641186864819000
Attachment: Purchase Order.rar (contains "97885667836purchaseorder563773.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
DNS request
Sending an HTTP GET request
Creating a window
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/484458
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294671 Sample: 97885667836purchaseorder563... Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 68 Malicious sample detected (through community Yara rule) 2->68 70 Antivirus / Scanner detection for submitted sample 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 8 other signatures 2->74 9 97885667836purchaseorder563773.exe 1 2->9         started        13 apdate.exe 1 2->13         started        process3 file4 50 C:\...\97885667836purchaseorder563773.exe.log, ASCII 9->50 dropped 76 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->76 78 Injects a PE file into a foreign processes 9->78 15 97885667836purchaseorder563773.exe 15 7 9->15         started        20 97885667836purchaseorder563773.exe 9->20         started        80 Antivirus detection for dropped file 13->80 82 Multi AV Scanner detection for dropped file 13->82 84 Machine Learning detection for dropped file 13->84 22 apdate.exe 13->22         started        24 apdate.exe 13->24         started        signatures5 process6 dnsIp7 58 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.126.66, 49740, 80 AMAZON-AESUS United States 15->58 60 nagano-19599.herokussl.com 15->60 62 api.ipify.org 15->62 48 C:\Users\user\AppData\Roaming\...\apdate.exe, PE32 15->48 dropped 66 Adds a directory exclusion to Windows Defender 15->66 26 cmd.exe 1 15->26         started        28 cmd.exe 1 15->28         started        30 powershell.exe 25 15->30         started        file8 signatures9 process10 process11 32 apdate.exe 26->32         started        35 conhost.exe 26->35         started        37 timeout.exe 1 26->37         started        39 conhost.exe 28->39         started        41 schtasks.exe 1 28->41         started        43 conhost.exe 30->43         started        signatures12 64 Injects a PE file into a foreign processes 32->64 45 apdate.exe 32->45         started        process13 dnsIp14 52 54.204.14.42, 49759, 80 AMAZON-AESUS United States 45->52 54 192.168.2.1 unknown unknown 45->54 56 3 other IPs or domains 45->56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e6b47bbdb9f281c1432dc63d92d67ca891adf87e20edfa456789c8724a4b7b1/
Threat name:
ByteCode-MSIL.Backdoor.QuasarRAT
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 13:13:23 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fzvupo63t4ubyfbs3rr5sllhzkervx4h4ihn7jcwpcoiojfew6yq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
3662a3b002337c0da8ad94925e3c183f0a2d35b0932f9d40b89643335f10564d
QuasarRAT
553ad8c805d4151e154177bb4fbb1678711306d8eefba081ec36bf0518d4e88f
QuasarRAT
ab7cc003aa4d6807236dcd8983804a44a460a462c0e6d4ef70b3030f8ab6b366
QuasarRAT
b3f2d07e97cfe28deee3a65b8541c48f96f022b52db515b06c635f3b9fcc35ef
QuasarRAT
b515db56b7c63191b19befe748f7af7f00d08623029e8856c86fc46362fbed9f
QuasarRAT
c7f039cff52a5c1de59fb782259f3fd2054946e9fca03d364f61c7977128dcca
QuasarRAT
ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de
QuasarRAT
d8aebda89bb5717256e78b44dd9e9ef54179d3590f7a6125da452e877c083c48
QuasarRAT
d8cea078199dbdef51ec7189cf03541bbcbd10c49a133b187348e2a24fe1e2eb
QuasarRAT
fc8f5c635abe5534833683141ae57470c09a246eb290895ce748d1bede405c25
QuasarRAT
+ 258 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/201007-98z5z4va4n/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
2e6b47bbdb9f281c1432dc63d92d67ca891adf87e20edfa456789c8724a4b7b1
MD5 hash:
4fdc775bf6f9125a700c32dadf7cde42
SHA1 hash:
7acd0a479bd569b8b78774f7d142bc2e40b9c21c
Link:
https://www.unpac.me/results/345f6a27-f8b4-4d6d-a7e9-dd43d5474b6a/
SH256 hash:
d5faa387fb2bbef87ac31b3d4ae1c89bb87ac4a13e8c422ef0c320340920be73
MD5 hash:
29d4a850868ead7b9fbe0942c96c4388
SHA1 hash:
f5ee7973e0fba52523faa5e9cc4e302679fbc269
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/345f6a27-f8b4-4d6d-a7e9-dd43d5474b6a/
Parent samples :
2e6b47bbdb9f281c1432dc63d92d67ca891adf87e20edfa456789c8724a4b7b1
cfde16e103af9e59944d44d7f12e5755313948273cd64237df2dce50811866db
SH256 hash:
165b6353a27653c087637f372f70713e4e0af658e87f03ba0703d8b975525243
MD5 hash:
112730ad698bcb62cfb8c64c4862640a
SHA1 hash:
6b42b1f3f372785c40b4f80c35d6aa2e0d012429
Link:
https://www.unpac.me/results/345f6a27-f8b4-4d6d-a7e9-dd43d5474b6a/
SH256 hash:
3456d4c366a4149b9708d3ed9ff0e55af61e6de925afd7e9b9de89f3511f008f
MD5 hash:
84a8ddf59836415dfabf816a21c55a61
SHA1 hash:
a91d39cd7c6214c54ee1739314f25539917f50cf
Link:
https://www.unpac.me/results/345f6a27-f8b4-4d6d-a7e9-dd43d5474b6a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e6b47bbdb9f281c1432dc63d92d67ca891adf87e20edfa456789c8724a4b7b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

rar 765564da3592737dec2ec19c115ccd055d54d09bccbf164c03a461bbb141928f

QuasarRAT

Executable exe 2e6b47bbdb9f281c1432dc63d92d67ca891adf87e20edfa456789c8724a4b7b1

(this sample)

  
Dropped by
MD5 4190ceb054b0d0aeb661f734fd0ad826
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 765564da3592737dec2ec19c115ccd055d54d09bccbf164c03a461bbb141928f
Cape
Cape
https://www.capesandbox.com/analysis/69001/

Comments