MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f3c875ea507bfa07f6631e193d59eaabde66853648798151bb711bf5bbcaef8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f3c875ea507bfa07f6631e193d59eaabde66853648798151bb711bf5bbcaef8
SHA3-384 hash: 4010e75bf11710fc62fc029f334eea44950877e5e2bef437dcf2573fa8fd4f56385626f75cbe6834506860dd192fd15b
SHA1 hash: 633736e2920058e956c0205351a7b278bffbdfcf
MD5 hash: 16c14f95270a07886e9674bc02980d82
humanhash: earth-robin-autumn-princess
File name:RJ27.vbs
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'603 bytes
First seen:2020-12-21 07:06:16 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:rJ2sK2miLR9DJb+I49mKnPmvz6PJvzyAUDxskKpon:0sKLiLbDq9mocsVOAUDxJn
Threatray 150 similar samples on MalwareBazaar
TLSH 2471A4C2649DC8B40E1E18807F8F6D6AC6F2101E66766084E709C883C6ED20F7BF5766
Reporter abuse_ch
Tags:HostGator QuasarRAT vbs


Avatar
abuse_ch
Malspam distributing QuasarRAT:

HELO: gateway33.websitewelcome.com
Sending IP: 192.185.146.130
From: TheBill <Invoice16@Mail16.homebill.xzp.fr>
Subject: Order Confirmation.
Attachment: RJ27.ISO (contains "RJ27.vbs")

QuasarRAT payload URL:
https://raw.githubusercontent.com/githubuser2x/x/master/New.jpg

QuasarRAT C2:
aptzebi.myq-see.com:5552 (172.98.72.144)

Intelligence

File Origin
# of uploads :
1
# of downloads :
410
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108649/
Detection(s):
SecuriteInfo.com.BehavesLike.VBS.Dropper.zv.6614.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Creating a file
Sending a UDP request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Forced shutdown of a system process
Creating a file in the %AppData% subdirectories
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/567176
Signature
Binary contains a suspicious time stamp
Drops VBS files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Drops script at startup location
VBScript performs obfuscated calls to suspicious functions
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM_3
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332665 Sample: RJ27.vbs Startdate: 21/12/2020 Architecture: WINDOWS Score: 100 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 Yara detected AntiVM_3 2->50 52 4 other signatures 2->52 7 wscript.exe 8 2->7         started        11 wscript.exe 6 2->11         started        process3 file4 32 C:\Users\user\AppData\Roaming\...\RJ27.vbs, ASCII 7->32 dropped 60 VBScript performs obfuscated calls to suspicious functions 7->60 62 Wscript starts Powershell (via cmd or directly) 7->62 64 Windows Shell Script Host drops VBS files 7->64 66 Drops VBS files to the startup folder 7->66 13 powershell.exe 14 16 7->13         started        17 powershell.exe 14 11->17         started        signatures5 process6 dnsIp7 38 raw.githubusercontent.com 13->38 40 github.map.fastly.net 151.101.0.133, 443, 49716, 49729 FASTLYUS United States 13->40 42 192.168.2.1 unknown unknown 13->42 68 Writes to foreign memory regions 13->68 70 Injects a PE file into a foreign processes 13->70 72 Powershell drops PE file 13->72 20 MSBuild.exe 15 4 13->20         started        24 conhost.exe 13->24         started        44 raw.githubusercontent.com 17->44 30 C:\Users\Public\Music\xt.jpg, PE32 17->30 dropped 26 MSBuild.exe 3 17->26         started        28 conhost.exe 17->28         started        file8 signatures9 process10 dnsIp11 34 ip-api.com 208.95.112.1, 49721, 49746, 80 TUT-ASUS United States 20->34 36 aptzebi.myq-see.com 172.98.72.144, 49726, 49745, 5552 TOTAL-SERVER-SOLUTIONSUS United States 20->36 54 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->54 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->56 58 Installs a global keyboard hook 20->58 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f3c875ea507bfa07f6631e193d59eaabde66853648798151bb711bf5bbcaef8/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2020-12-21 07:07:05 UTC
AV detection:
2 of 48 (4.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n46ioxvfa672a73gghqzhvm6vk66m2ctmsdzqfi3w4i36w54v34a._file
Verdict:
malicious
Similar samples:
0edcb04a8c95ff3a62a36af878b9b946a743bf80c37f4c6d9042f1dd2404d368
QuasarRAT
0fadb9fa2742735b1d7001fd5511627318e45fc51d8798f5b9f4bb20cfbd70e8
QuasarRAT
40981ed2079d1c26fa7b1fb1640aa315dfdebd128741fdc1e3629d0e470e9238
QuasarRAT
466bd07ba5662c8787479a2ead7d90419ef31c4b61f36b9384968b9ea1822a10
QuasarRAT
7035da8898c0867d775597910d50f55a1428bc4588558319f70b1b219cb067be
QuasarRAT
8f44f9b4e0716329638b3cf4b2470df57e199e9b66bb58e225aa767d9d48dd7e
QuasarRAT
b3d36e86a478b5223968e34ca51bff54002eb9b1a01ef26d8b657d49dd4dd831
QuasarRAT
c93d2d7d45d531ead9824e70925767ef0e8adc23f88f05baafb7e6435772db58
QuasarRAT
d1fa4207d7c46c5f84b1c45e7b5d09aa9c99c896b0e25664bee3b13fcaabcfad
QuasarRAT
e2d6b8bc603260f1a7564a044523d230c31c8d873deabb579cae90b88f1b92b9
QuasarRAT
+ 140 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/201221-vw1n18x132/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f3c875ea507bfa07f6631e193d59eaabde66853648798151bb711bf5bbcaef8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

iso 647242c2054062a54e0e44caf72e175de5e88981aaf625fcc0ed33a535c310c0

QuasarRAT

Visual Basic Script (vbs) vbs 6f3c875ea507bfa07f6631e193d59eaabde66853648798151bb711bf5bbcaef8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/932715/
  
Dropped by
MD5 9362c4a3acdd30776230d1c7dbcaa5d9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 647242c2054062a54e0e44caf72e175de5e88981aaf625fcc0ed33a535c310c0
Cape
Cape
https://www.capesandbox.com/analysis/108649/

Comments