MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 351a74c692706f6aff7968e2cec0781caef986344160bd66e5d19852a2e908df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 351a74c692706f6aff7968e2cec0781caef986344160bd66e5d19852a2e908df
SHA3-384 hash: f502a854fee93332f5dcaab63948c8b8ab6d9e1f9f9a78fd2de3fb53033d0a676e836b6f91fb5ee9c449bb5a5147ea56
SHA1 hash: 55746793118b2459d13087e5c5c3bb8d91ba1e20
MD5 hash: 0fb34a9fa6324ce1f025b4cffd46216b
humanhash: lion-iowa-carbon-illinois
File name:10
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:5'056'992 bytes
First seen:2023-11-02 22:38:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2339ac77bf9371500ebbf86df3a10d43 (8 x njrat, 4 x LgoogLoader, 3 x RedLineStealer)
ssdeep 49152:c8rXNzObQRQQ66a6isfnzE2NCnMCb918EzI+n+RcwPIW5+S6SWvONKVwbcst:3JzDRQN+nJNoMCb91LBn+RceYmbc
TLSH T11A36BF237681B53AC05B0739553BA671893EBFA1BA12CD5767F4388C9F31680793938B
TrID 55.8% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
8.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
6.0% (.WLX) Total Commander Lister extension (plugin) (21500/1/6)
4.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
File icon (PE):PE icon
dhash icon e88e88c6f0a8a4d4 (2 x QuasarRAT)
Reporter 5KidRo0t
Tags:exe OverdriveNTool QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
334
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
OverdriveNtool.rar
Verdict:
Malicious activity
Analysis date:
2023-11-03 02:00:05 UTC
Tags:
autoit evasion quasar stealer redline
Link:
https://app.any.run/tasks/d450bf98-196c-4c23-85f7-8e8c8e92490f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457849/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Running batch commands
Creating a process from a recently created file
Creating a window
Creating a file
DNS request
Possible injection to a system process
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack CAB control installer lolbin overlay packed regedit replace rundll32 setupapi shell32
Link:
https://www.filescan.io/uploads/6544250d7462628255573844/reports/394ee3df-5699-45a4-9308-21133826f83e/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/351a74c692706f6aff7968e2cec0781caef986344160bd66e5d19852a2e908df
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8366f53e-4827-48dd-b576-84644eabf0e3
Result
Threat name:
Blackshades
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1336282
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to modify clipboard data
Deletes shadow drive data (may be related to ransomware)
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Blackshades RAT
Yara detected Generic Downloader
Yara detected RansomwareGeneric
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1336282 Sample: 10.exe Startdate: 02/11/2023 Architecture: WINDOWS Score: 100 89 YYKTPnvnYcq.YYKTPnvnYcq 2->89 91 ip-api.com 2->91 95 Snort IDS alert for network traffic 2->95 97 Malicious sample detected (through community Yara rule) 2->97 99 Antivirus detection for dropped file 2->99 101 9 other signatures 2->101 13 10.exe 1 10 2->13         started        16 wscript.exe 1 1 2->16         started        19 rundll32.exe 2->19         started        signatures3 process4 file5 83 C:\Users\user\AppData\Local\Temp\...\Her, PE32 13->83 dropped 21 cmd.exe 1 13->21         started        24 ftp.exe 1 13->24         started        93 Windows Scripting host queries suspicious COM object (likely to drop second stage) 16->93 26 MusicWave.pif 1 16->26         started        signatures6 process7 signatures8 105 Uses ping.exe to sleep 21->105 107 Drops PE files with a suspicious file extension 21->107 109 Uses ping.exe to check the status of other devices and networks 21->109 28 cmd.exe 1 21->28         started        31 conhost.exe 21->31         started        33 conhost.exe 24->33         started        111 Deletes shadow drive data (may be related to ransomware) 26->111 113 Writes to foreign memory regions 26->113 115 Injects a PE file into a foreign processes 26->115 35 jsc.exe 26->35         started        37 jsc.exe 26->37         started        process9 signatures10 127 Uses ping.exe to sleep 28->127 39 Beats.pif 5 28->39         started        43 cmd.exe 2 28->43         started        45 cmd.exe 2 28->45         started        47 4 other processes 28->47 process11 file12 77 C:\Users\user\AppData\Local\...\MusicWave.pif, PE32 39->77 dropped 79 C:\Users\user\AppData\Local\Temp\...\jsc.exe, PE32 39->79 dropped 117 Found API chain indicative of debugger detection 39->117 119 Found API chain indicative of sandbox detection 39->119 121 Deletes shadow drive data (may be related to ransomware) 39->121 123 5 other signatures 39->123 49 jsc.exe 15 4 39->49         started        54 cmd.exe 2 39->54         started        81 C:\Users\user\AppData\Local\...\Beats.pif, PE32 43->81 dropped signatures13 process14 dnsIp15 85 ip-api.com 208.95.112.1, 49738, 80 TUT-ASUS United States 49->85 87 135.181.11.41, 2424 HETZNER-ASDE Germany 49->87 73 C:\Users\user\AppData\...\g4yP6GeMlOXN.bat, DOS 49->73 dropped 103 Hides that the sample has been downloaded from the Internet (zone.identifier) 49->103 56 cmd.exe 49->56         started        59 WerFault.exe 49->59         started        75 C:\Users\user\AppData\...\MusicWave.url, MS 54->75 dropped 61 conhost.exe 54->61         started        file16 signatures17 process18 signatures19 125 Uses ping.exe to sleep 56->125 63 jsc.exe 56->63         started        65 conhost.exe 56->65         started        67 chcp.com 56->67         started        69 PING.EXE 56->69         started        process20 process21 71 conhost.exe 63->71         started       
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/351a74c692706f6aff7968e2cec0781caef986344160bd66e5d19852a2e908df
Detection:
quasar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/351a74c692706f6aff7968e2cec0781caef986344160bd66e5d19852a2e908df/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-11-02 22:39:07 UTC
File Type:
PE (Exe)
Extracted files:
112
AV detection:
8 of 23 (34.78%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gunhjrusobxwv73zndrm5qdydsxptbruifql2zxf2gmffixjbdpq._file
Verdict:
unknown
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office persistence spyware trojan
Link:
https://tria.ge/reports/231102-2kyjeage6z/
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Adds Run key to start application
Drops startup file
Executes dropped EXE
Loads dropped DLL
Quasar RAT
Quasar payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
135.181.11.41:2424
Unpacked files
SH256 hash:
49f726559690aee6d88cfb1e775bbcbb53686d5655cb127f334e2bd51e596a54
MD5 hash:
d040e6b89d3e9b6c792c9b4a89549801
SHA1 hash:
995a51ac061716ef7dc327653a90c14c40fb3fc8
Link:
https://www.unpac.me/results/92108ad7-a952-4d57-bd82-de8805abe706/
Parent samples :
e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d
cdf64a111349a82f90434e360e6312f107a45a6dafa24f8fcddb497e1584ee79
9e56bc168efc43001c19a1720891c88fa4cefb2057b0b38b8c0effaab170e190
cf0c7d8987626b0d2f0115ca56a525762382a4e453365ea740caf733fd8a908e
da928ea0a7b11461c0e4e77880b48723a1138e68c7948a153c17f5e9da624209
e8e307f94d9319f62b20920b93bec8ad8fad2341a3fa1d072a0cd8257295d881
3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a
f6503af4165e558f39c767f7df0c1b28adcd8149d64b5ac810687e1ba53daffb
828cda2143a5d51706f89716c96c8714cdadac696df62a806e566ecead0ed4ce
9120ce3b64b1eea0eccc343744f4e8ff3bdc88b8a79743e07a975c6c313789ee
3830e8249b95e86065288cb7a00ee9139d9e2fd918ff9c7e427e8684c1481579
17eb1a2f794ad5e02a0d96fcbd42fcfe328eb4a10bdda74d8e5cb1dfc46e4fa6
cbb21348582932ab0b31c23529c0cf675ba8b40f85f373d9a33b2853aedd1c16
9410861cbe8204310017cdec72056d49f8effbe26961cc6cb73fee37c731e0a0
267ea6b4497e79e884e06a78dbadb0ac85e7da70987a6230d299b1a3aae2edd1
c97aa2240452b4c1db4ccfbfc783c95d6b47309d5bd389675864d0fc3541b93a
fdb1515e4b51131fe289ea794f76acacb9939416b0905ed9e9e44f0ca60fc805
9bccd2dc8f14b92f591fab90b458da775598de51f9c56dca13ed0561e33eea24
SH256 hash:
351a74c692706f6aff7968e2cec0781caef986344160bd66e5d19852a2e908df
MD5 hash:
0fb34a9fa6324ce1f025b4cffd46216b
SHA1 hash:
55746793118b2459d13087e5c5c3bb8d91ba1e20
Link:
https://www.unpac.me/results/92108ad7-a952-4d57-bd82-de8805abe706/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/351a74c692706f6aff7968e2cec0781caef986344160bd66e5d19852a2e908df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/457849/

Comments