MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ca289bac2df826b2d7c4faa05cd9f39a948fdf47872d56ddcfd1a45e60be963. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ca289bac2df826b2d7c4faa05cd9f39a948fdf47872d56ddcfd1a45e60be963
SHA3-384 hash: f28eccc895953e34a046b6bbb0b43842bf7986696deee52e9c8e192e646194a8abfafb71f2ea3d69134d8778d2f0708c
SHA1 hash: 79b4b76cd7be4dd4aa219513d394e0632fc875a8
MD5 hash: 2a02d57e4ad5117eb724be65697afd66
humanhash: happy-ten-harry-bluebird
File name:DHLMT-BL-PL-CI08348-SHIPMENT.pdf.xls.scr
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'007'240 bytes
First seen:2020-11-19 07:30:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:6BKGzQIE2J6xBs+jy/BxhX3+Y0EN7v533beKDfGn8I55AA9QqPV1qRNCZfzN66ju:6EeEGTX3Z0mZq9nAA9QSGNcfzs67Rs
Threatray 149 similar samples on MalwareBazaar
TLSH 4C25FAF851EB10A1F25F993666AEFCA402B2F587DAD64D480378F6301ABEB533B0550D
Reporter abuse_ch
Tags:DHL nVpn QuasarRAT RAT scr

Code Signing Certificate

Organisation:Eion Robb
Issuer:DigiCert SHA2 Assured ID Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Jul 10 00:00:00 2018 GMT
Valid to:Jun 12 12:00:00 2020 GMT
Serial number: 0853E240A4892340FD6BA6D7E623DB18
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: B0C4CACD6FE8D49305E8FE298C65BFF6B42045E0CE32181BDF26946F8C1EE702
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Malspam distributing QuasarRAT:

HELO: bartletfarms.com
Sending IP: 185.236.231.238
From: DHL Global Delivery <no-replydhlcourierrosenberger@dhl.cn>
Subject: TicketID:32834979185679281349 -BL- Tracking No/Shipping Docs/CI/MT101/PL/ Arrival - 11/19/2020 02:23:41 am
Attachment: DHLMT-BL-PL-CI08348-SHIPMENT.pdf.xls.au.img (contains "DHLMT-BL-PL-CI08348-SHIPMENT.pdf.xls.scr")

QuasarRAT C2:
devils.shacknet.us:4782 (185.244.26.221)

Pointing to nVpn:

% Information related to '185.244.26.192 - 185.244.26.255'

% Abuse contact for '185.244.26.192 - 185.244.26.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.26.192 - 185.244.26.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU3
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2020-04-16T22:05:10Z
last-modified: 2020-10-18T10:49:56Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Artemis2A02D57E4AD5.6377.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/542389
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ca289bac2df826b2d7c4faa05cd9f39a948fdf47872d56ddcfd1a45e60be963/
Threat name:
ByteCode-MSIL.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 04:37:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hsritowc36bgwll4j6valtm7hguur7pupbznk3o47unelzql5frq._file
Verdict:
malicious
Similar samples:
44ea4b14ee643709c87800d407e19e45d9f6a1f3bea15c00de3afcfba2614e8a
QuasarRAT
4c6c1c0d7925af6c2891164d67743204132fcc8ea3cda471c005f446ea1cfda1
QuasarRAT
51ad568171d6a835bc1edd45cfe1fee659085dfc4522ac3d93c1458688d44bd5
QuasarRAT
618cf92a4d525540b478ce46a3f86da110c479b6327a80fe357b990bba802a3a
QuasarRAT
810bbf258484b94bf2e51c7fba2f8a19f6aaf1137c982d2d6a97e600159c16fa
QuasarRAT
904a518a8c867a1fd79e963fcdd317aa9f5a76eb6964b027cb0566d4a87102d7
QuasarRAT
9cdcc531878d3a23d2da833a058efa100b91d212e4d5780cb21d5d36db0cbd01
QuasarRAT
b71d6728f8709dc2b8b6a57bbd0ea7d27e78a0ea16af5eff61b2d11f983e0129
QuasarRAT
b7f09be3bf95632ac3219b3d402a419e9bc40a54a3fc6ac1c57c183798e525fe
QuasarRAT
ee1b2c9bdba344c7fe2dc2bec7544a038ad64dbed6add636ecdd426079296c28
QuasarRAT
+ 139 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar persistence spyware trojan
Link:
https://tria.ge/reports/201119-a3p37djhxe/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Quasar RAT
Unpacked files
SH256 hash:
3ca289bac2df826b2d7c4faa05cd9f39a948fdf47872d56ddcfd1a45e60be963
MD5 hash:
2a02d57e4ad5117eb724be65697afd66
SHA1 hash:
79b4b76cd7be4dd4aa219513d394e0632fc875a8
Link:
https://www.unpac.me/results/fcd9fafa-c8c6-416f-af77-8f162d1e4c07/
SH256 hash:
234705a19c4820e3bd092b253ff937f68ad70f883312de90016798bb83a7db46
MD5 hash:
4e1a8c7915a19b0d93696d552c3d2514
SHA1 hash:
0e666638ea2847201a9b0307f115fa11fb66ab07
Link:
https://www.unpac.me/results/fcd9fafa-c8c6-416f-af77-8f162d1e4c07/
SH256 hash:
bd171d5f483acc00c562b6d4c4b1a578bff812832765519071438f3c37aba1dd
MD5 hash:
17572d95937e576752c6fb8ff872994c
SHA1 hash:
3801b61908cab4e619b6e03c9983a111dbdb9ede
Link:
https://www.unpac.me/results/fcd9fafa-c8c6-416f-af77-8f162d1e4c07/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/fcd9fafa-c8c6-416f-af77-8f162d1e4c07/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MSILStealer
Create hunting rule
Author:https://github.com/hwvs
Description:Detects strings from C#/VB Stealers and QuasarRat
Reference:https://github.com/quasar/QuasarRAT
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

img f6fc15d5a8757a3fe1371e1b583c5627f92651cf39456da5cc9caaa53eb7f1c7

QuasarRAT

Executable exe 3ca289bac2df826b2d7c4faa05cd9f39a948fdf47872d56ddcfd1a45e60be963

(this sample)

  
Dropped by
MD5 82879eccfbc0aaecb25a5f79dd849f85
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f6fc15d5a8757a3fe1371e1b583c5627f92651cf39456da5cc9caaa53eb7f1c7

Comments