MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7276f014cbee4a7ffd297a0e90472bfa17b024932cb6371a06c0845e143b88e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7276f014cbee4a7ffd297a0e90472bfa17b024932cb6371a06c0845e143b88e1
SHA3-384 hash: 95326c125361e57f69708444f3577d0cfc720f5b489835b133ed57f8c1cafac76c18823e5b491cc01e51ed532861278a
SHA1 hash: 543410c0b93ea9b9f141cae2b088266cad1bf7ab
MD5 hash: edf656ad2586c3c19181d04f33c4fb3f
humanhash: virginia-oranges-oregon-harry
File name:New_Bank_Information.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:818'688 bytes
First seen:2020-07-24 10:21:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a95f64f710239fabb14f8033aa8f32db (5 x AgentTesla, 4 x Loki, 2 x MassLogger)
ssdeep 12288:KIFIvtUFqW6lJMK5/ZCasg48z1IWPhetOLyH/iwjgKeCEz5VssWAh/PRkG:xktUD6lJMmsL8KWPc1pjgKodVsix5kG
Threatray 1'770 similar samples on MalwareBazaar
TLSH 7005B0E2E2D14833D1A7173BDD1B9E789839BD103D289A462BF55C0CAF396C13876297
Reporter abuse_ch
Tags:exe Hostwinds QuasarRAT RAT


Avatar
abuse_ch
Malspam distributing QuasarRAT:

HELO: hwsrv-751170.hostwindsdns.com
Sending IP: 142.11.236.230
From: Accounts Stally <accounts@timsistem-rs.com>
Reply-To: accounts@timsistem-rs.com
Subject: FW: Re: Re: Please Confirm Change Of Bank Details
Attachment: New_Bank_Information.zip (contains "New_Bank_Information.exe")

QuasarRAT C2:
79.134.225.69:4782

Hosted on nVpn:
% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QuasarRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/32148/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Deleting a recently created file
Setting a keyboard event handler
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Unauthorized injection to a system process
Enabling autorun with Startup directory
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/397238
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 250835 Sample: New_Bank_Information.exe Startdate: 24/07/2020 Architecture: WINDOWS Score: 100 73 Malicious sample detected (through community Yara rule) 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 Yara detected Quasar RAT 2->77 79 6 other signatures 2->79 10 New_Bank_Information.exe 2->10         started        13 wscript.exe 1 2->13         started        15 New_Bank_Information.exe 2->15         started        17 2 other processes 2->17 process3 signatures4 109 Detected unpacking (changes PE section rights) 10->109 111 Detected unpacking (creates a PE file in dynamic memory) 10->111 113 Detected unpacking (overwrites its own PE header) 10->113 121 3 other signatures 10->121 19 New_Bank_Information.exe 16 5 10->19         started        24 notepad.exe 1 10->24         started        26 svchost.exe 13->26         started        115 Writes to foreign memory regions 15->115 117 Allocates memory in foreign processes 15->117 119 Maps a DLL or memory area into another process 15->119 28 notepad.exe 15->28         started        30 New_Bank_Information.exe 15->30         started        32 notepad.exe 1 17->32         started        34 notepad.exe 17->34 injected 36 notepad.exe 17->36         started        38 2 other processes 17->38 process5 dnsIp6 71 ip-api.com 208.95.112.1, 49722, 49723, 80 TUT-ASUS United States 19->71 61 C:\Windows\SysWOW64\SubDir\svchost.exe, PE32 19->61 dropped 63 C:\Users\...63ew_Bank_Information.exe.log, ASCII 19->63 dropped 87 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->87 40 svchost.exe 19->40         started        43 schtasks.exe 1 19->43         started        89 Drops VBS files to the startup folder 24->89 91 Delayed program exit found 24->91 93 Drops executables to the windows directory (C:\Windows) and starts them 26->93 95 Writes to foreign memory regions 26->95 97 Allocates memory in foreign processes 26->97 99 Maps a DLL or memory area into another process 26->99 45 notepad.exe 26->45         started        47 svchost.exe 26->47         started        65 C:\Users\user\AppData\...\Java Update.vbs, ASCII 28->65 dropped file7 signatures8 process9 signatures10 101 Multi AV Scanner detection for dropped file 40->101 103 Detected unpacking (changes PE section rights) 40->103 105 Detected unpacking (overwrites its own PE header) 40->105 107 5 other signatures 40->107 49 svchost.exe 14 4 40->49         started        53 notepad.exe 1 40->53         started        55 conhost.exe 43->55         started        process11 dnsIp12 67 79.134.225.69, 4782, 49724, 49725 FINK-TELECOM-SERVICESCH Switzerland 49->67 69 ip-api.com 49->69 81 System process connects to network (likely due to code injection or exploit) 49->81 83 Hides that the sample has been downloaded from the Internet (zone.identifier) 49->83 85 Installs a global keyboard hook 49->85 57 schtasks.exe 49->57         started        signatures13 process14 process15 59 conhost.exe 57->59         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7276f014cbee4a7ffd297a0e90472bfa17b024932cb6371a06c0845e143b88e1/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-24 04:11:16 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oj3pafgl5zfh77jjpihjarzl7il3ajetfs3dogqgyccf4fb3rdqq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
26cb425375a7613736c367866d0b79b8b7d8845437ec88e87bc83146445f892e
QuasarRAT
2df82d12b3e4627ffb2f7c0e6c8371f23c4beabb935f93b2c88389953fc07027
QuasarRAT
40ac8e128b78d30d49accda865a6ca90a23cf7b7e5f31042c7df55a9fe1b5af4
QuasarRAT
707bb653348d222860771a6117aa869ab2a032f6cdfe0d29a251374462e59058
QuasarRAT
b29a1b48648aacf2fe60861692bd0991cf226956ea986b687972667496e1d7d7
QuasarRAT
b3d36e86a478b5223968e34ca51bff54002eb9b1a01ef26d8b657d49dd4dd831
QuasarRAT
bbf62b7d87429bb832abb5c8f37635c05be6724eaab9afd13a7780595919f3a2
QuasarRAT
cf09bc45a7101670e26f9468d7425a42880ee539626b1653216c4ceb4a89b7fb
QuasarRAT
d6031bb15fd16cac9b514985035e18f08f0beaaa0542a66274467cb66e76a8fd
QuasarRAT
e2d6b8bc603260f1a7564a044523d230c31c8d873deabb579cae90b88f1b92b9
QuasarRAT
+ 1'760 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
upx trojan spyware family:quasar
Link:
https://tria.ge/reports/200724-qevksq764x/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Executes dropped EXE
UPX packed file
Quasar RAT
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/7276f014cbee4a7ffd297a0e90472bfa17b024932cb6371a06c0845e143b88e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MSILStealer
Create hunting rule
Author:https://github.com/hwvs
Description:Detects strings from C#/VB Stealers and QuasarRat
Reference:https://github.com/quasar/QuasarRAT
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

zip 9a880244ee13ab681d92e238d7376ef65cac418cdd2ec64f8f7f2edf9503d4e2

QuasarRAT

Executable exe 7276f014cbee4a7ffd297a0e90472bfa17b024932cb6371a06c0845e143b88e1

(this sample)

  
Dropped by
MD5 4202fef3278ec9625192a4ea2a0971be
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/32148/
  
Dropped by
SHA256 9a880244ee13ab681d92e238d7376ef65cac418cdd2ec64f8f7f2edf9503d4e2

Comments