MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56a430a18e93eee6f709348fba459a6f639c032c7718806c01a6ba522dd704e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56a430a18e93eee6f709348fba459a6f639c032c7718806c01a6ba522dd704e6
SHA3-384 hash: dcb761135313a1a471f8ee2aa9480dd5aaff0cf24ff2af2c1d22f30987213e96aaab48a150dd015fd386d6eaa5f7f371
SHA1 hash: 17f19688453db95b9216c92b6852db561f1fbe52
MD5 hash: 5156d66a8c002444411077418cda8f1f
humanhash: lamp-freddie-georgia-grey
File name:Invoice.vbs
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'132 bytes
First seen:2021-08-02 17:31:55 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:APQ1B03iEZzeArpIqmnAMvAN5STD69P1EI3SDKV:giez5rK/AN5SPc1EI3D
Threatray 80 similar samples on MalwareBazaar
TLSH T16E2133243A0BF1314445E2C65DBE9A24F7A653ABC5601481323CC19D507F4ED19C3FCE
Reporter abuse_ch
Tags:QuasarRAT RAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175856/
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/825654
Signature
Creates an undocumented autostart registry key
Obfuscated command line found
Sigma detected: Suspicious PowerShell Command Line
VBScript performs obfuscated calls to suspicious functions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56a430a18e93eee6f709348fba459a6f639c032c7718806c01a6ba522dd704e6/
Threat name:
Script.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 17:32:07 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k2sdbimospxon5yjgsh3urm2n5rzyazmo4mia3abu25feloxatta._file
Verdict:
malicious
Similar samples:
13f297d03a1dea9495fbd57508fdf3bc1975954ed97338bb4d35adcd9e02536d
QuasarRAT
5f5021b3286e9d1b8e9fa9d53319773f0be1c7603efddd040124be7c60424edc
QuasarRAT
87f4a4c323f26710b7acdc123173fa63f4ccb4f3c8239dfaa489ee69ab89f7cc
QuasarRAT
972d8fcd3083eb6c81e2dc704d8e0ec1b097e43b7ef5576cf8cccc4e8fc85925
QuasarRAT
ab59fbf0ee10b8c5428479b1f5dfdb5cfc87dd40407b3742814ab34611f32b1d
QuasarRAT
ba4b51ae64c68b32d126322b51b41dce7c300c01faed97aca35ff142e121a914
QuasarRAT
bc7cbed34a28008fed6c5c7d7fea8658d4abeb1eff5b06e06a917680d5091fcf
QuasarRAT
db95252c51380bd1270af501cbc040ce72a3ad551156526580e4ce39b3feb0de
QuasarRAT
+ 70 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar spyware trojan
Link:
https://tria.ge/reports/210802-yrmsf6qpbx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Blocklisted process makes network request
Quasar Payload
Quasar RAT
Malware Config
Dropper Extraction:
https://ia601400.us.archive.org/3/items/misan/misan.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56a430a18e93eee6f709348fba459a6f639c032c7718806c01a6ba522dd704e6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

Visual Basic Script (vbs) vbs 56a430a18e93eee6f709348fba459a6f639c032c7718806c01a6ba522dd704e6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/175856/

Comments