MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49e5b6a43eb0b1f3311af48ffaad03cb2b40354edb537d51a5f86855887f853c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 8



SHA256 hash: 49e5b6a43eb0b1f3311af48ffaad03cb2b40354edb537d51a5f86855887f853c
SHA3-384 hash: 8ebbc5f2f80caf2a7848e9da630eb2cfb0982df4e7b438bf1e331b688fc873d3e2cd10a1bf8697dffbc5df7cb483fb6f
SHA1 hash: 700e3d3d2048724eda40395f9dbdbf1d1d968ab2
MD5 hash: 8c14864fdd53cb7c6a51f6510d85dcd4
humanhash: king-south-purple-cup
File name: KMSpico.bat
Signature: QuasarRAT
File size: 8'886'811 bytes
First seen: 2022-11-12 19:07:11 UTC
Last seen: 2022-11-26 19:22:11 UTC
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 49152:G1zwj4WafDi8n60NAZ4xe5ZAJ50AyNLNeBAfGC6yVn9AmOTDpTqNfvnzaL0nUipt:X
Threatray: 2'870 similar samples on MalwareBazaar
TLSH: T18D9633211E692D7E4BACC23C61BF1F0D27A20FE0D084E5E743A174D7625FF96966B824
Reporter: Gannascus_
Tags: bat QuasarRAT

Intelligence


File Origin
# of uploads: 2
# of downloads: 185
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: KMSpico.bat
Verdict: Malicious activity
Analysis date: 2022-11-12 19:08:50 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: powershell stealer warp

Result
Verdict: MALICIOUS

Result
Threat name:
Detection: malicious
Classification: troj.evad.spyw
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Obfuscated command line found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Renames powershell.exe to bypass HIPS
Sigma detected: Schedule system process
Sigma detected: Schedule VBS From Appdata
Suspicious powershell command line found
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
Yara detected Quasar RAT
Behaviour
Behavior Graph (ID 744657), flattened from the graph rendering into its node labels:
Sample: KMSpico.bat
Start date: 12/11/2022
Architecture: WINDOWS
Score: 100
Network: tapwater.ftp.sh (157.90.51.195, ports 4782, 49850, 49851; REDIRISRedIRISAutonomousSystemES; United States), tapwater.ddns.net, atomic-nt.ddns.net
Processes started: cmd.exe, wscript.exe, KMSpico.bat.exe, powershell.exe, conhost.exe, iNvcdiBnmE.bat.exe, Uni.bat.exe, KMSLeaner.bat.exe, $sxr-seroxen.bat.exe, dllhost.exe, schtasks.exe, net1.exe
Processes injected into: winlogon.exe, lsass.exe, svchost.exe, 12 other processes
Dropped files:
C:\Users\user\Desktop\KMSpico.bat.exe (PE32+)
C:\Users\user\Desktop\KMSLeaner.bat (DOS)
C:\Users\user\Desktop\Uni.bat.exe (PE32+)
C:\Users\user\Desktop\KMSLeaner.bat.exe (PE32+)
C:\Windows\$sxr-seroxen.bat (DOS)
C:\Users\user\AppData\...\iNvcdiBnmE.vbs (ASCII)
C:\Users\user\AppData\...\iNvcdiBnmE.bat (DOS)
C:\Windows\$sxr-seroxen.bat.exe (PE32+)
C:\Windows\System32\vcruntime140d.dll (PE32+)
C:\Windows\System32\vcruntime140_1d.dll (PE32+)
C:\Windows\System32\ucrtbased.dll (PE32+)
C:\Windows\$sxr-seroxen\$sxr-nircmd.exe (PE32)
C:\Users\user\AppData\...\iNvcdiBnmE.bat.exe (PE32+)
The per-node signatures attached to the graph are the same as those listed under Signature above.
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: QuasarRAT
File type: Batch (bat)
SHA256: 49e5b6a43eb0b1f3311af48ffaad03cb2b40354edb537d51a5f86855887f853c (this sample)

Delivery method
Distributed via web download

Comments