MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b6d5819cc000436777cda63e9022fdd19b15a91451c7b8c4608db9fcf3d359c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b6d5819cc000436777cda63e9022fdd19b15a91451c7b8c4608db9fcf3d359c
SHA3-384 hash: 0330bbe6b7dc2ba2ec1d9c25d246bb4150c1322401221187293c4361d5aafdae3012797c2fd25a5245bbf2cb0c33226b
SHA1 hash: 7c9df4979e1a5a9f205fc6c1e139112297ddc6bc
MD5 hash: 7a690238b7ada1318edede1f7190ac29
humanhash: michigan-papa-sodium-fruit
File name:Quote#1PDF.vbs
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:2'542'770 bytes
First seen:2022-04-22 09:01:02 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24576:CHZqNW+LcY+MC/2nd7xTFgLO3pCVXB0byLVswFtuUoQhAdWXAYK/ZB6rDVoWhCLm:2ZgU8ZEOgVR0OJt1oZB6HV7QUumt05y
Threatray 16'747 similar samples on MalwareBazaar
TLSH T18FC5F17695B37D99FEFD0AA129102C578C101E1F97E24648EAC2B7F469E2C11EF380B5
Reporter abuse_ch
Tags:QuasarRAT Telegram vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/265675/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
notepad.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62627b0bf9ec17cfbab75db9/reports/967200b4-5229-40ec-8e82-2e23ed9da750/overview
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
AgentTesla Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/981219
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects files into Windows application
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Notepad Making Network Connection
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicious Process Parents
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Quasar RAT
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 613706 Sample: Quote#1PDF.vbs Startdate: 22/04/2022 Architecture: WINDOWS Score: 100 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus / Scanner detection for submitted sample 2->82 84 Multi AV Scanner detection for dropped file 2->84 86 12 other signatures 2->86 8 wscript.exe 3 2->8         started        12 hmltog.exe 2->12         started        14 hmltog.exe 2->14         started        process3 file4 46 C:\Users\user\AppData\Local\...\notepad.exe, PE32 8->46 dropped 48 C:\Users\user\AppData\Local\Tempbehaviorgraphoogle.exe, PE32 8->48 dropped 88 Benign windows process drops PE files 8->88 16 notepad.exe 3 8->16         started        19 Google.exe 6 8->19         started        22 hmltog.exe 12->22         started        90 Multi AV Scanner detection for dropped file 14->90 92 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->92 94 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->94 96 Injects a PE file into a foreign processes 14->96 25 hmltog.exe 14->25         started        signatures5 process6 dnsIp7 60 System process connects to network (likely due to code injection or exploit) 16->60 62 Multi AV Scanner detection for dropped file 16->62 64 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->64 76 3 other signatures 16->76 27 notepad.exe 17 8 16->27         started        42 C:\Users\user\AppData\Roaming\xXKBkYDYj.exe, PE32 19->42 dropped 44 C:\Users\user\AppData\Local\...\tmp8B23.tmp, XML 19->44 dropped 66 Uses schtasks.exe or at.exe to add and modify task schedules 19->66 68 Adds a directory exclusion to Windows Defender 19->68 32 RegSvcs.exe 19->32         started        34 powershell.exe 25 19->34         started        36 schtasks.exe 19->36         started        52 192.168.2.1 unknown unknown 22->52 54 api.telegram.org 22->54 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->70 72 Tries to steal Mail credentials (via file / registry access) 22->72 74 Tries to harvest and steal ftp login credentials 22->74 78 2 other signatures 22->78 file8 signatures9 process10 dnsIp11 56 api.telegram.org 149.154.167.220, 443, 49825, 49829 TELEGRAMRU United Kingdom 27->56 50 C:\Users\user\AppData\Roaming\...\hmltog.exe, PE32 27->50 dropped 98 System process connects to network (likely due to code injection or exploit) 27->98 100 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->100 102 Tries to steal Mail credentials (via file / registry access) 27->102 104 Injects files into Windows application 27->104 58 3.83.129.253, 4747, 49787, 49789 AMAZON-AESUS United States 32->58 106 Hides that the sample has been downloaded from the Internet (zone.identifier) 32->106 108 Installs a global keyboard hook 32->108 38 conhost.exe 34->38         started        40 conhost.exe 36->40         started        file12 signatures13 process14
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5b6d5819cc000436777cda63e9022fdd19b15a91451c7b8c4608db9fcf3d359c/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-04-22 09:02:08 UTC
File Type:
Text (VBS)
AV detection:
10 of 26 (38.46%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lnwvqgomaacdm5343jr6sarp3um3cwuriuohxdcgbdnz7tz5gwoa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0983be8cdf4f49585e9b284c8551b149555fe3ec3d636549eb5efd2cea4bf627
QuasarRAT
185ba54811bf367e51e498ccb60534544790abe9d757a5fd2fdd4ff94c2cd912
QuasarRAT
44ab3d116f6c6318067f89ccb838b5198b6544469ec27557ca1de3655a6ceb96
QuasarRAT
56d092c2d8c927f25843226203655bf07c46845fb927d7d2640120862989bfdf
QuasarRAT
ab5ea57fdd5bfa91a11db4d85f99a84e342ead177da5744dff012398d153f4ba
QuasarRAT
bf94ae3815c7d2790667030ff2322157d3b8589b55286f74c875c46f4339fa55
QuasarRAT
+ 16'737 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:quasar botnet:office collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220422-kyx2csbfc7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Quasar Payload
Quasar RAT
Malware Config
C2 Extraction:
https://api.telegram.org/bot5127674234:AAHGscjRk7JCDDCItFO4GPZfan-K7Hc89Z8/sendDocument
3.83.129.253:4747
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b6d5819cc000436777cda63e9022fdd19b15a91451c7b8c4608db9fcf3d359c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/265675/

Comments