MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6008de3f1a1d175cc66844a23a4b07c7bf009c29dc6e81a96d7d0ed4658e4e64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: QuasarRAT
Vendor detections: 6

SHA256 hash: 6008de3f1a1d175cc66844a23a4b07c7bf009c29dc6e81a96d7d0ed4658e4e64
SHA3-384 hash: 008125bfb6427e5bc0038ff9e78fbdb0962dda36b0a3fdcd94844db1b44ceb99a7a22680b70c8ee49c17b3bf7d10fe07
SHA1 hash: 9d0a459baee083badf37ba48cc9e9048b24724ee
MD5 hash: 5e5549ae4dd07a2d0532fe121ccab0fa
humanhash: sierra-wolfram-mockingbird-asparagus
File name: Zamówienie_89118___Metal-Constructions.pdf.lzh
File size: 3'688'065 bytes
First seen: 2024-11-12 08:32:36 UTC
Last seen: Never
File type: rar
MIME type: application/x-rar
ssdeep: 98304:/E/c0bc42JOBo3PnSzb7O59BAlo+R4wMkJH:8hcaofnSzbC5kl/R5MoH
TLSH: T18706332145D7D2D8C223B4CF783097ABB2821B6CC6AA19D4F05C1D89DAF781D1FDBA64
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
      38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika: rar
Reporter: nfsec_pl
Tags: exe pdf QuasarRAT rar

Intelligence

File Origin
# of uploads: 1
# of downloads: 437
Origin country: PL

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: Zamówienie 89118 _ Metal-Constructions.pdf.com
File size: 3'706'368 bytes
SHA256 hash: fd12d28d6b8030ec8e3d28c13ce562dc0f42b085806401b02a1155a6f44eb19c
MD5 hash: 1834eaa9099724ef4fe227478fed783a
MIME type: application/x-dosexec
Signature: QuasarRAT

Vendor Threat Intelligence

Verdict: Malicious
Score: 70%
Tags: autorun spawn sage remo

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2024-11-12 09:06:21 UTC
AV detection: 6 of 38 (15.79%)

Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:quasar botnet:code discovery spyware trojan
Behaviour:
  Scheduled Task/Job: Scheduled Task
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  System Location Discovery: System Language Discovery
  Suspicious use of SetThreadContext
  Executes dropped EXE
  Loads dropped DLL
  Quasar RAT
  Quasar family
  Quasar payload
Malware Config
C2 Extraction:
  twart.myfirewall.org:9792
  rency.ydns.eu:5287
  wqo9.firewall-gateway.de:8841

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTesla_DIFF_Common_Strings_01
Author: schmidtsz
Description: Identify partial Agent Tesla strings

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam    QuasarRAT    rar 6008de3f1a1d175cc66844a23a4b07c7bf009c29dc6e81a96d7d0ed4658e4e64 (this sample)

Delivery method: Distributed via e-mail attachment

Comments