MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89
SHA3-384 hash: d3b967e86d08ef89f626f484a91dfd5c667fd477585c06246676257c2072a6238e41eb48747d066e3e6d2ed1cd0e4a34
SHA1 hash: 0c001b7e9615cbc22eac2a324d8deb7eaf069ff7
MD5 hash: 9ed9ad87a1564fbb5e1b652b3e7148c8
humanhash: nevada-arkansas-failed-wyoming
File name:PhoenixMiner_5.4c_Windows.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:8'717'814 bytes
First seen:2021-01-01 21:48:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 196608:8eOr3LD6MZ+NL0j/YjNV4p9eLDZPhujwk8kAb+RWvqWd6qmgNSN:8TbnQYiN2eRPhSwhk8s46C4N
Threatray 356 similar samples on MalwareBazaar
TLSH A696332098C28071F4312431E27DE7913B79BDA08F385A476BF5D52EC778AA1792DFA1
Reporter o2genum
Tags:AutoIT AZORult BuerLoader exe QuasarRAT


Avatar
o2genum
Distributed as ZIP.
Packed into a RAR SFX for analysis.

Intelligence

File Origin
# of uploads :
1
# of downloads :
488
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PhoenixMiner_5.4c_Windows.exe
Verdict:
Malicious activity
Analysis date:
2021-01-01 21:51:55 UTC
Tags:
miner autoit evasion trojan rat quasar
Link:
https://app.any.run/tasks/933d3742-574e-44a6-909c-1644cea4ade0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110261/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Enabling the 'hidden' option for files in the %temp% directory
Moving a file to the %temp% subdirectory
Launching a process
Running batch commands
Deleting a recently created file
Launching cmd.exe command interpreter
Creating a file in the %AppData% subdirectories
Using BITS transfer job for data transfer
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/572861
Signature
Deletes shadow drive data (may be related to ransomware)
Drops PE files with a suspicious file extension
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Obfuscated command line found
Sample is not signed and drops a device driver
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Certutil Command
Submitted sample is a known malware sample
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM_3
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 335493 Sample: PhoenixMiner_5.4c_Windows.exe Startdate: 01/01/2021 Architecture: WINDOWS Score: 100 78 raw.githubusercontent.com 2->78 80 ip-api.com 2->80 82 github.map.fastly.net 2->82 92 Malicious sample detected (through community Yara rule) 2->92 94 Yara detected AntiVM_3 2->94 96 Yara detected Quasar RAT 2->96 98 10 other signatures 2->98 13 PhoenixMiner_5.4c_Windows.exe 20 2->13         started        17 rundll32.exe 2->17         started        signatures3 process4 file5 68 C:\Users\user\AppData\...\PhoenixMiner.exe, PE32 13->68 dropped 70 C:\Users\user\AppData\Local\...\IOMap64.sys, PE32+ 13->70 dropped 108 Sample is not signed and drops a device driver 13->108 19 PhoenixMiner.exe 1 4 13->19         started        signatures6 process7 signatures8 100 Suspicious powershell command line found 19->100 22 powershell.exe 24 19->22         started        24 powershell.exe 19 19->24         started        process9 process10 26 lWr.exe 1 6 22->26         started        28 ck.exe 1 22->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        process11 34 cmd.exe 1 26->34         started        36 cmd.exe 1 26->36         started        39 conhost.exe 28->39         started        signatures12 41 cmd.exe 2 34->41         started        44 conhost.exe 34->44         started        46 certutil.exe 2 34->46         started        102 Submitted sample is a known malware sample 36->102 48 conhost.exe 36->48         started        process13 signatures14 104 Obfuscated command line found 41->104 106 Uses ping.exe to sleep 41->106 50 taskhost.com 41->50         started        53 PING.EXE 41->53         started        56 PING.EXE 41->56         started        58 2 other processes 41->58 process15 dnsIp16 90 Drops PE files with a suspicious file extension 50->90 61 taskhost.com 50->61         started        84 127.0.0.1 unknown unknown 53->84 86 Vezu.Vezu 56->86 66 C:\Users\user\AppData\Local\...\taskhost.com, Targa 58->66 dropped file17 signatures18 process19 dnsIp20 88 mmikHTxHEnKtBIAFxlGnos.mmikHTxHEnKtBIAFxlGnos 61->88 72 C:\Users\user\AppData\...\kdiTVnLhWt.com, PE32 61->72 dropped 74 C:\Users\user\AppData\...\kdiTVnLhWt.url, MS 61->74 dropped 76 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32 61->76 dropped 110 Injects a PE file into a foreign processes 61->110 file21 signatures22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89/
Threat name:
Win32.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2021-01-01 21:49:05 UTC
AV detection:
12 of 47 (25.53%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
QuasarRAT
1630f3fabf80e99d1990176b5736835496bdbd74610d1e43eefd7088e2529a6e
QuasarRAT
1c421e6eea0c7d28016da05e2be26a099f94bb355e05ed1088c2098c024760b1
QuasarRAT
2261f624e99b92e00913fd0fc189ae96bb115b3ae5b393e0170066f032b12af1
QuasarRAT
29c0c875bd961391938a48794be49c006a1ee8c31e25a1fd5f0891f5dcd46e6c
QuasarRAT
637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868
QuasarRAT
ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42
QuasarRAT
cb04bfdeb1a12eaab0a0442ecdf62ce49d2c1daa5b4345412cf3462b9ab26803
QuasarRAT
eb7f8c540e1fec50dbf69d1118d556130a32c7f08806c9cf0b12a63eaa2ac735
QuasarRAT
ecee44992b84f86f98c14b5af66451c9e6306e7db33d038cef6d7292988da559
QuasarRAT
+ 346 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/210101-3q3z5t3pqa/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
JavaScript code in executable
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Executes dropped EXE
Malware Config
Dropper Extraction:
https://raw.githubusercontent.com/jkh36/d/main/bild.exe
https://raw.githubusercontent.com/jkh36/d/main/PhoenixMiner.exe
Unpacked files
SH256 hash:
3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89
MD5 hash:
9ed9ad87a1564fbb5e1b652b3e7148c8
SHA1 hash:
0c001b7e9615cbc22eac2a324d8deb7eaf069ff7
Link:
https://www.unpac.me/results/c6119ed3-fd85-4181-ac18-39a1e237362a/
SH256 hash:
f565e2d465eaeacf254121926d63e9f33f2190e3318cbb36ef8f857f571610ea
MD5 hash:
941c5fb975dcf1702913c1ffd0cda5c9
SHA1 hash:
48a1ed2142f129684282f1df3585998868521659
Link:
https://www.unpac.me/results/c6119ed3-fd85-4181-ac18-39a1e237362a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89

(this sample)

anyrun
any.run
https://app.any.run/tasks/b285c6c8-daa1-496e-9a62-8850cb8de2d7
  
Link
https://github.com/PhoenixMiner-ETH-miner/phoenix-miner/releases/tag/5.4c
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/110261/

Comments