MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39f5ac290e298e02e5c7854274278b08afae1162569ed4029c8f014425097250. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39f5ac290e298e02e5c7854274278b08afae1162569ed4029c8f014425097250
SHA3-384 hash: 9205290d1461e650d65c1605d8498bf2b9a1c3e1efd86b0cb778a14e0c18ea0e9fb431e2cd2a466073bd9edc762dc1ef
SHA1 hash: f5d7e45194aaa4114f0dfe7421b91e7576f3de64
MD5 hash: 9cbcc72cd650d8d8575a8ea74fce5c52
humanhash: twelve-double-juliet-hamper
File name:Venom.bin
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:30'200 bytes
First seen:2020-11-28 07:58:25 UTC
Last seen:2020-11-28 09:55:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:pNEmKf1TYMjyyNysIBlXG7pZ/8XIBK5ivYRHnL9r3PYFGcA6JgsJWIFWVtzDgY0+:pzaf24VQ+sRNPN2llgzDf0Uf2ho
Threatray 140 similar samples on MalwareBazaar
TLSH B7D2D81073967D22F7BE973A15D7E15567F1B2E36402C7AE1CC843DCC682E422D1A2DA
Reporter JAMESWT_WT
Tags:QuasarRAT

Code Signing Certificate

Organisation:Fdcdbbbccafbaadc
Issuer:Fdcdbbbccafbaadc
Algorithm:sha256WithRSAEncryption
Valid from:Nov 27 06:53:04 2020 GMT
Valid to:Nov 27 06:53:04 2021 GMT
Serial number: 361FCA7C8BA7734951C2D40D5C379523
Thumbprint Algorithm:SHA256
Thumbprint: 1F118797BF4028A244F5C0771DD1184E9E78DEAF44F84F2C1955F50993C4FC00
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105870/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Launching cmd.exe command interpreter
Launching the process to change the firewall settings
Sending a TCP request to an infection source
Enabling autorun with the shell\open\command registry branches
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/549898
Signature
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Contains functionality to hide user accounts
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 324059 Sample: Venom.bin Startdate: 28/11/2020 Architecture: WINDOWS Score: 100 52 www.minpic.net 2->52 54 pastebin.com 2->54 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for dropped file 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 8 other signatures 2->70 9 Venom.exe 15 3 2->9         started        signatures3 process4 dnsIp5 56 hastebin.com 104.24.127.89, 443, 49715 CLOUDFLARENETUS United States 9->56 48 C:\Users\user\AppData\Local\...\Venom.exe.log, ASCII 9->48 dropped 13 Venom.exe 1 5 9->13         started        18 timeout.exe 1 9->18         started        file6 process7 dnsIp8 58 ip-api.com 208.95.112.1, 49716, 80 TUT-ASUS United States 13->58 60 104.23.98.190, 443, 49753, 49755 CLOUDFLARENETUS United States 13->60 62 2 other IPs or domains 13->62 50 C:\Users\user\AppData\Roaming\Venom.exe, PE32 13->50 dropped 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->72 20 cmd.exe 1 13->20         started        22 cmd.exe 1 13->22         started        24 cmd.exe 1 13->24         started        28 8 other processes 13->28 26 conhost.exe 18->26         started        file9 signatures10 process11 process12 30 netsh.exe 3 20->30         started        32 conhost.exe 20->32         started        34 netsh.exe 3 22->34         started        36 conhost.exe 22->36         started        38 netsh.exe 3 24->38         started        40 conhost.exe 24->40         started        42 netsh.exe 3 28->42         started        44 netsh.exe 3 28->44         started        46 13 other processes 28->46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39f5ac290e298e02e5c7854274278b08afae1162569ed4029c8f014425097250/
Threat name:
ByteCode-MSIL.Trojan.Perseus
Create hunting rule
Status:
Malicious
First seen:
2020-11-28 07:58:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
471a91b4f8d67792bf0b5a67460fb7fe335db4963a7154c0cc20fe7461a87514
QuasarRAT
68bf0a42854ac13fe13a75bb213f51934a3edc0fa7a0732ddb12a68699619474
QuasarRAT
703aadea111eae71a7dfb3f2c63c4522b4edd138033fef221295f74d3509e10a
QuasarRAT
774fa620be98d94c8530d9c5e50e48c7595271fb911753b1c16d33dad1bc141d
QuasarRAT
7ed14885068667e9de2ede24522ab5e7bc2b02ed2f5953d590517921a3d77f4f
QuasarRAT
94b4df2a78e60f80472d518819e7383b09f20d18b270d60b99be31a4a12f7156
QuasarRAT
9e33fbfc975a81d62c7ec060a00a42fcdf5e84ba294be3f21d5307b79ddf9555
QuasarRAT
b46a76c6240983b927fa789dbfd5214bb513285da9205c52539736286346ddaf
QuasarRAT
d33b633b962e2851492365a557b624d4682620516513cde765b5e0428c69d917
QuasarRAT
d8032c71de22af1a399435b344ca825689ee175529c98fce2529f128f8357dc2
QuasarRAT
+ 130 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion
Link:
https://tria.ge/reports/201128-25hrcgzpps/
Behaviour
Delays execution with timeout.exe
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
39f5ac290e298e02e5c7854274278b08afae1162569ed4029c8f014425097250
MD5 hash:
9cbcc72cd650d8d8575a8ea74fce5c52
SHA1 hash:
f5d7e45194aaa4114f0dfe7421b91e7576f3de64
Link:
https://www.unpac.me/results/765433af-7d76-40a5-a1c2-b780d44683c9/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/105870/

Comments