MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6af042955207ac4aa13b739d44ab6292af8892ac013444326d15ead0fefdfabe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 20


Intelligence 20 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6af042955207ac4aa13b739d44ab6292af8892ac013444326d15ead0fefdfabe
SHA3-384 hash: 1d13f18ac084a9084a798356e155d32b9f0ce7080869fee1282d203a9f75477b2225b17e69a3e10fca444a561981f467
SHA1 hash: b427e9c43f0a1a361f7bf38d5ea829e09a986f54
MD5 hash: 7c5ba84841c124268a70f0a668d851cb
humanhash: zebra-johnny-harry-angel
File name:FAKTURA DHL.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'908'096 bytes
First seen:2025-02-04 13:58:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:2XxBLBJqj8ysrESFeA4xEa375aqJeZhd9ijkMCIhNVT+lLb:2X7LjgFs5FUEfX3gqANG
Threatray 1'062 similar samples on MalwareBazaar
TLSH T1160622C83774AB02DD7947B09630DC7503BA2D6DB020F6AA5EC53BDBB929B118E04B57
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter Anonymous
Tags:exe QuasarRAT

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
104.234.114.151:6921 https://threatfox.abuse.ch/ioc/1403271/

Intelligence

File Origin
# of uploads :
1
# of downloads :
482
Origin country :
PL PL
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
FAKTURA DHL.exe
Verdict:
Malicious activity
Analysis date:
2025-02-04 13:59:28 UTC
Tags:
rat quasar remote evasion
Link:
https://app.any.run/tasks/ec570aae-8bff-4691-a18a-0f30570d5b0f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Msilheracles-10020638-0
Create hunting rule

Win.Packed.Agensla-10021078-0
Create hunting rule

Win.Packed.Formbook-10021419-0
Create hunting rule

Win.Packed.LokiBot-10026312-0
Create hunting rule

Win.Packed.LokiBot-10027126-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a21df92dcee78dd8195696
Tags:
autorun kryptik sage msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67a21d36e7790b912a1dc1f2/reports/92c1f2a9-9aec-4202-ab40-b6285987406a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6af042955207ac4aa13b739d44ab6292af8892ac013444326d15ead0fefdfabe
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e6c255b-f0f8-4132-84fe-28a980657c7e
Result
Threat name:
AgentTesla, Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1606505
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1606505 Sample: FAKTURA DHL.exe Startdate: 04/02/2025 Architecture: WINDOWS Score: 100 68 yuba.ydns.eu 2->68 70 mail.keeptraveling-eg.com 2->70 72 4 other IPs or domains 2->72 84 Suricata IDS alerts for network traffic 2->84 86 Found malware configuration 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 13 other signatures 2->90 12 FAKTURA DHL.exe 3 2->12         started        16 Edge.exe 2 2->16         started        signatures3 process4 file5 62 C:\Users\user\AppData\...\FAKTURA DHL.exe.log, ASCII 12->62 dropped 118 Injects a PE file into a foreign processes 12->118 18 FAKTURA DHL.exe 4 12->18         started        22 Edge.exe 2 16->22         started        signatures6 process7 file8 60 C:\Users\user\AppData\Roaming\...dge.exe, PE32 18->60 dropped 92 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->92 24 Edge.exe 3 18->24         started        27 schtasks.exe 1 18->27         started        signatures9 process10 signatures11 98 Multi AV Scanner detection for dropped file 24->98 100 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->100 102 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 24->102 104 3 other signatures 24->104 29 Edge.exe 15 5 24->29         started        34 conhost.exe 27->34         started        process12 dnsIp13 80 yuba.ydns.eu 104.234.114.151, 49711, 6921 VELCOMCA Canada 29->80 82 ipwho.is 195.201.57.90, 443, 49713 HETZNER-ASDE Germany 29->82 64 C:\Users\user\AppData\...\jpW1QUzJsQJi.exe, PE32 29->64 dropped 66 C:\Users\user\AppData\...\wCxwHfUroCSd.bat, DOS 29->66 dropped 120 Hides that the sample has been downloaded from the Internet (zone.identifier) 29->120 122 Installs a global keyboard hook 29->122 36 cmd.exe 29->36         started        39 schtasks.exe 1 29->39         started        41 schtasks.exe 29->41         started        file14 signatures15 process16 signatures17 94 Uses ping.exe to sleep 36->94 96 Uses ping.exe to check the status of other devices and networks 36->96 43 Edge.exe 36->43         started        46 conhost.exe 36->46         started        48 chcp.com 36->48         started        50 PING.EXE 36->50         started        52 conhost.exe 39->52         started        54 conhost.exe 41->54         started        process18 signatures19 114 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 43->114 116 Injects a PE file into a foreign processes 43->116 56 Edge.exe 43->56         started        process20 dnsIp21 74 mail.keeptraveling-eg.com 162.241.224.14, 49988, 587 UNIFIEDLAYER-AS-1US United States 56->74 76 ip-api.com 208.95.112.1, 49987, 80 TUT-ASUS United States 56->76 78 api.ipify.org 104.26.12.205, 443, 49986 CLOUDFLARENETUS United States 56->78 106 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 56->106 108 Tries to steal Mail credentials (via file / registry access) 56->108 110 Tries to harvest and steal ftp login credentials 56->110 112 Tries to harvest and steal browser information (history, passwords, etc) 56->112 signatures22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6af042955207ac4aa13b739d44ab6292af8892ac013444326d15ead0fefdfabe
Detection:
quasar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6af042955207ac4aa13b739d44ab6292af8892ac013444326d15ead0fefdfabe/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-02-04 13:59:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
43
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nlyeffksa6wevij3oooujk3cskxyrevmae2eimtncxvnb7x57k7a._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
076cb1ac8e46bc1226a8bb42d83afac656d525cb7e6dc9a4d79475ab9b286440
QuasarRAT
159f657fbcc6e984293395b6c292b57bcdb6ebdc9cd5fd8551452260a99299ed
QuasarRAT
24bbfa8d70a5d5e74791b0af93c77802df7e965b14b0649aaec2ab8dd0e0c999
QuasarRAT
2ef4ebd10553a48ea05850048a0ba4ab052f98186b487f76a52a3116052f3b0d
QuasarRAT
5bda0fc048c68899988ae1d18bffe618d76edc0e02abcf3289018ac1038ff420
QuasarRAT
cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1
QuasarRAT
error
QuasarRAT
+ 1'052 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:quasar botnet:sim discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250204-raf69szkgm/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Agenttesla family
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
yuba.ydns.eu:6921
Verdict:
Malicious
Tags:
Win.Packed.Msilheracles-10020638-0
YARA:
n/a
Link:
https://app.threat.zone/submission/8549ed13-23a9-458c-be85-b2a27c615d6e
Unpacked files
SH256 hash:
6af042955207ac4aa13b739d44ab6292af8892ac013444326d15ead0fefdfabe
MD5 hash:
7c5ba84841c124268a70f0a668d851cb
SHA1 hash:
b427e9c43f0a1a361f7bf38d5ea829e09a986f54
Link:
https://www.unpac.me/results/d945ec90-1154-447a-902e-0504061c5342/
SH256 hash:
2ded5ce08a46de9a127d965b32788daff27d2b6ccd8268a628a250f6886158c8
MD5 hash:
c9f67417c00efa5d690222b9e87ef5ce
SHA1 hash:
06cf4614ffb37b5360c9642b7a1426174be95f35
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d945ec90-1154-447a-902e-0504061c5342/
SH256 hash:
77607560a64a98c4d069c2e6e5dd58c8009ccb8f72a34aff5e6768d145042e31
MD5 hash:
518273e703fc15e69791446543e587b0
SHA1 hash:
c08665a6d2a88ab2cfe160558fa21e479bd85b4f
Link:
https://www.unpac.me/results/d945ec90-1154-447a-902e-0504061c5342/
SH256 hash:
50a6915e6bc15f11b5f7a5ff8a6dc3dce2863baba6a64482dc2c477041479789
MD5 hash:
6a809860c4708c7c7aad2fa0b4a7eac1
SHA1 hash:
e751027a71698f11b13fc1bad46a87de0e96e0aa
Detections:
QuasarRAT
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
win_quasarrat_j2
Create hunting rule
win_quasar_rat_client
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_QuasarStealer
Create hunting rule
Link:
https://www.unpac.me/results/d945ec90-1154-447a-902e-0504061c5342/
Parent samples :
6af042955207ac4aa13b739d44ab6292af8892ac013444326d15ead0fefdfabe
7085e3a803cd04ff43f726c07816734eb4fcf9499b432d67e35c193c663cde1b
54e199788100b76b9d2344c39a0807146ed4d2346eab14f61707b7814b907d97
d25df8d5b45fe5cd79e2b45896459838b06ccc9abf6358d97232af011d273976
50a6915e6bc15f11b5f7a5ff8a6dc3dce2863baba6a64482dc2c477041479789
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6af042955207/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6af042955207ac4aa13b739d44ab6292af8892ac013444326d15ead0fefdfabe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments