MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32bf6a730cca597011b8e619bad0168190337b8e96db09e2fe214b436d8f2f69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 8

SHA256 hash: 32bf6a730cca597011b8e619bad0168190337b8e96db09e2fe214b436d8f2f69
SHA3-384 hash: 22fe13d7c851dfc991b427f4b617ef1d7b85bc70ebbf955e416addcf259766f5b7c494505015afdc64640a5c554eb6cd
SHA1 hash: deffd7c2a0c95f81d96038968ff3ad7c1c01f654
MD5 hash: 9383a0c4d7aff45bef2a298f2d9a85e3
humanhash: lithium-papa-virginia-kitten
File name: swift.fatura.01.04.2022.pdf.vbs
Signature: QuasarRAT
File size: 9'399 bytes
First seen: 2022-01-04 15:35:21 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 192:9ge7iMMsv2EqjNSl08+nf6b6evYDjctARmlJ:jfMNNSl08XbJvYM
Threatray: 1'199 similar samples on MalwareBazaar
TLSH: T1E41206E31AF4B5D4A36E2202E2F43B5843352CB3B7A5BE5335C6DD4508229C18DD25F8
Reporter: abuse_ch
Tags: QuasarRAT vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 249
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Result
Threat name:
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to hide user accounts
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with hexadecimal encoded strings
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office process drops PE file
Sigma detected: MS Office Product Spawning Exe in User Dir
Sigma detected: Suspicious Encoded PowerShell Command Line
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Quasar RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph: (graph image not reproduced here; Behavior Graph ID 547794, sample swift.fatura.01.04.2022.pdf.vbs, start date 04/01/2022, architecture WINDOWS, score 100)
Threat name: Script-WScript.Downloader.Nemucod
Status: Malicious
First seen: 2022-01-04 03:12:30 UTC
File Type: Text (VBS)
AV detection: 13 of 28 (46.43%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:quasar botnet:venom client macro macro_on_action persistence spyware trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Runs ping.exe
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Office macro that triggers on suspicious action
Suspicious Office macro
Quasar Payload
Quasar RAT
Malware Config
C2 Extraction:
famesurvelizerditis.sytes.net:4782
artedriendfrim.hopto.org:4782
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
QuasarRAT
Visual Basic Script (vbs) 32bf6a730cca597011b8e619bad0168190337b8e96db09e2fe214b436d8f2f69 (this sample)
Delivery method: Distributed via e-mail attachment

Comments