MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66c0b3969424c37bc46498d8f51e9cd6c82ac5a66b50302fa1d13a4ac2d82e6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 12


Maldoc score: 13


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66c0b3969424c37bc46498d8f51e9cd6c82ac5a66b50302fa1d13a4ac2d82e6d
SHA3-384 hash: c81b6f55dccf99aab98e0306fd3fa95b47ae72da3c76acfde3d6706f8f3d7e7310ed50eb2ff3eda95b6d1b1830032f1e
SHA1 hash: be27720bf452da09fcbe0bcf7aab9dd5515ffbc7
MD5 hash: df0a17615bdc7f69832961aba81b1f1d
humanhash: minnesota-failed-orange-happy
File name:INVOICE 1842.xlsm
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:72'647 bytes
First seen:2022-01-12 09:31:23 UTC
Last seen:Never
File type:Excel file xlsm
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 1536:8aW+Pbq26RF2VoN2VUt362p1Kyxv+rI1LQ3fC5:W+PO26RF2VoN2VUtfLx9hQ30
TLSH T1A363CF65C2B979A4E64F507616F108EF724811AB83C0BE0F3A9CE0CA5F413574F6F9A9
Reporter abuse_ch
Tags:QuasarRAT xlsm

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 13
OLE dump

MalwareBazaar was able to identify 13 sections in this file using oledump:

Section IDSection sizeSection name
A1588 bytesPROJECT
A2119 bytesPROJECTwm
A31005 bytesVBA/Learn more
A4999 bytesVBA/Start
A55366 bytesVBA/ThisWorkbook
A61002 bytesVBA/Workbook
A72302 bytesVBA/_VBA_PROJECT
A81823 bytesVBA/__SRP_0
A9198 bytesVBA/__SRP_1
A101869 bytesVBA/__SRP_2
A11386 bytesVBA/__SRP_3
A12288 bytesVBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecWorkbook_ActivateRuns when the Excel Workbook is opened
IOCKyorpfsgncwoizomiskwExecutable file name code and P-code are different, this may have been used to hide malicious code
SuspiciousOpenMay open a file
SuspiciousOutputMay write to a file (if combined with Open)
SuspiciousShellMay run an executable file or a system command
SuspiciousStrReverseMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE 1842.xlsm
Verdict:
No threats detected
Analysis date:
2022-01-12 10:55:50 UTC
Tags:
macros macros-on-open
Link:
https://app.any.run/tasks/977208c3-9cfe-4dbd-a537-cdb46713520a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.ms-excel.sheet.macroEnabled.12
Has a screenshot:
False
Contains macros:
True
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/218634/
Detection(s):
MiscreantPunch.EvilMacro.PSHREVRSH.M1.UNOFFICIAL
Create hunting rule

MiscreantPunch.EvilMacro.PSHELLSPROCB64.11.UNOFFICIAL
Create hunting rule

MiscreantPunch.EvilMacro.PSHELLNEWOBJECTw.5.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.SHELL.REV.200317.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.MiscreantsTurnBackTime.20210220.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.POWERSHELL.REV.200317.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.NEW-OBJECT.200322B64.7.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.NEW_OBJECT.200630B64.7.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.HTTPS_.210304B64.1.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.START_PROCES.211006B64.1.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.CancionDelMariachi.20211020.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.START_PROC.211028B64.1.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.ENV_APPDATA.211028B64.7.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a window
Сreating synchronization primitives
Creating a file
Creating a process with a hidden window
Running batch commands by exploiting the app vulnerability
Launching a file downloaded from the Internet
Result
Verdict:
Malicious
File Type:
Excel File with Macro
Link:
https://app.docguard.net/66c0b3969424c37bc46498d8f51e9cd6c82ac5a66b50302fa1d13a4ac2d82e6d/results/dashboard
Document image
Image:
Download PNG
Document image
Gathering data
Label:
Malicious
Suspicious Score:
9.9/10
Score Malicious:
99%
Score Benign:
0%
Link:
https://www.malware.ai/gui/files/?id=ae7c3a1d-1499-432f-8923-a991dedd78e6
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/66c0b3969424c37bc46498d8f51e9cd6c82ac5a66b50302fa1d13a4ac2d82e6d
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write
Detected macro logic that can write data to the file system.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
External Relationship Element
Document contains an externally hosted relationship, which fetches further content.
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/919204
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Document contains an embedded VBA macro which may execute processes
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document exploit detected (creates forbidden files)
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Encoded PowerShell Command Line
Writes to foreign memory regions
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 551682 Sample: INVOICE 1842.xlsm Startdate: 12/01/2022 Architecture: WINDOWS Score: 100 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 13 other signatures 2->62 9 EXCEL.EXE 77 23 2->9         started        process3 file4 38 C:\Users\user\...\Kyorpfsgncwoizomiskw.bat, ASCII 9->38 dropped 40 C:\Users\user\Desktop\~$INVOICE 1842.xlsm, data 9->40 dropped 42 C:\Users\user\...\INVOICE 1842.xlsm (copy), Microsoft 9->42 dropped 74 Document exploit detected (creates forbidden files) 9->74 13 cmd.exe 9->13         started        signatures5 process6 signatures7 84 Malicious encrypted Powershell command line found 13->84 86 Encrypted powershell cmdline option found 13->86 16 powershell.exe 16 7 13->16         started        process8 dnsIp9 44 emailanywhere.co.za 154.0.167.233, 443, 49165, 49226 AfrihostZA South Africa 16->44 32 C:\Users\user\AppData\...\Hyrjyhptecb.exe, PE32 16->32 dropped 64 Powershell drops PE file 16->64 21 Hyrjyhptecb.exe 12 4 16->21         started        file10 signatures11 process12 dnsIp13 46 new-fp-shed.wg1.b.yahoo.com 87.248.100.215, 443, 49171, 49177 YAHOO-IRDGB United Kingdom 21->46 48 yahoo.com 74.6.143.26, 443, 49170, 49176 YAHOO-3US United States 21->48 50 4 other IPs or domains 21->50 34 C:\Users\user\...\SmartUninstaller.exe, PE32 21->34 dropped 36 C:\Users\user\AppData\...\Hyrjyhptecb.exe, PE32 21->36 dropped 66 Multi AV Scanner detection for dropped file 21->66 68 Creates an undocumented autostart registry key 21->68 70 Machine Learning detection for dropped file 21->70 72 3 other signatures 21->72 26 Hyrjyhptecb.exe 2 21->26         started        30 powershell.exe 6 21->30         started        file14 signatures15 process16 dnsIp17 52 194.5.98.18, 4782, 49228, 49229 DANILENKODE Netherlands 26->52 54 ip-api.com 208.95.112.1, 49227, 80 TUT-ASUS United States 26->54 76 Multi AV Scanner detection for dropped file 26->76 78 May check the online IP address of the machine 26->78 80 Machine Learning detection for dropped file 26->80 82 2 other signatures 26->82 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/66c0b3969424c37bc46498d8f51e9cd6c82ac5a66b50302fa1d13a4ac2d82e6d/
Threat name:
Script-Macro.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2022-01-12 01:41:00 UTC
File Type:
Document
Extracted files:
54
AV detection:
11 of 43 (25.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m3alhfuuetbxxrdetdmpkhu423ecvrngnnidal5b2e5evqwyfzwq._file
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:u.n.i.a macro spyware trojan
Link:
https://tria.ge/reports/220112-lhmfcscbbl/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Process spawned unexpected child process
Quasar Payload
Quasar RAT
Malware Config
C2 Extraction:
194.5.98.18:4782
Dropper Extraction:
https://emailanywhere.co.za/Rich/Ye Asante.pif
Malware family:
Quasar
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/66c0b3969424/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/66c0b3969424c37bc46498d8f51e9cd6c82ac5a66b50302fa1d13a4ac2d82e6d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/218634/

Comments