MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76fb1494f160bb15a94de3401187fa0f4e64c1cff9a4dad27f0b24a8c8786950. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76fb1494f160bb15a94de3401187fa0f4e64c1cff9a4dad27f0b24a8c8786950
SHA3-384 hash: a75a6458eedcee496170997f5d71aeff9795a12c73f6284ba48a25283f26b3e9322baf3b12b06a523bcfaa72a438919f
SHA1 hash: 176206c562e04e715d3a2823cdef62c7f3773a6c
MD5 hash: 2c4102facf34d60785c2e882121f46fb
humanhash: delta-ceiling-kilo-kilo
File name:Електронний запит.EXE
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:209'408 bytes
First seen:2024-01-11 11:40:05 UTC
Last seen:2024-01-11 13:20:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 013c74198fc6e42dcf33737d6c40c012 (11 x RedLineStealer, 4 x NanoCore, 1 x Formbook)
ssdeep 3072:FHlM7TYmySIQIvuxU5GWp1icKAArDZz4N9GhbkrNEk6/Lx94cDQqBS44/zmHnw:Fz7Tp0yN90QE5x1BObmQ
TLSH T10B24BF4767E800A6F4B5937599F207831532BDA0AB34C3DF138AA96E1E336B1B635353
TrID 75.6% (.EXE) Win32 MS Cabinet Self-Extractor (WExtract stub) (303567/2/11)
14.3% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
4.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
2.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter angel11VR
Tags:exe Quasar RAT NET RAR PWD PS QuasarRAT


Avatar
angel11VR
#Quasar #RAT #NET #RAR #PWD #PS
email attach .zip > .rar1 > .rar2 (multi) PWD > .exe1 > cmd > powershell > get exe2 > AppData\Roaming\DVG8873\Update.exe
IOC`s
https://pastebin.com/EnDmzkhL

Intelligence

File Origin
# of uploads :
2
# of downloads :
316
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Запит.zip
Verdict:
No threats detected
Analysis date:
2024-01-09 09:20:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d94da54c-a36f-4be5-b540-4ca828ff99a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Generic.34568489.11298.3348.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling autorun with the shell\open\command registry branches
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/76fb1494f160bb15a94de3401187fa0f4e64c1cff9a4dad27f0b24a8c8786950
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/10f1dff8-0ee2-4786-837f-50117d748c05
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1372992
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1372992 Sample: 0442.EXE.exe Startdate: 11/01/2024 Architecture: WINDOWS Score: 100 72 s3-w.us-east-1.amazonaws.com 2->72 74 s3-1-w.amazonaws.com 2->74 76 2 other IPs or domains 2->76 90 Found malware configuration 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 Antivirus detection for URL or domain 2->94 96 5 other signatures 2->96 14 0442.EXE.exe 1 4 2->14         started        17 Update.exe 2->17         started        20 rundll32.exe 2->20         started        signatures3 process4 file5 68 C:\Users\user\AppData\Local\...\test2.exe, PE32+ 14->68 dropped 22 cmd.exe 1 14->22         started        88 Injects a PE file into a foreign processes 17->88 25 Update.exe 17->25         started        signatures6 process7 signatures8 104 Suspicious powershell command line found 22->104 106 Very long command line found 22->106 27 powershell.exe 14 17 22->27         started        32 conhost.exe 22->32         started        34 cmd.exe 1 22->34         started        36 xcopy.exe 1 22->36         started        process9 dnsIp10 82 bitbucket.org 18.205.93.1, 443, 49729 AMAZON-AESUS United States 27->82 84 s3-w.us-east-1.amazonaws.com 3.5.9.191, 443, 49730 AMAZON-AESUS United States 27->84 66 C:\Users\user\AppData\Roaming\gbquas.exe, PE32 27->66 dropped 118 Uses cmd line tools excessively to alter registry or file data 27->118 120 Found suspicious powershell code related to unpacking or dynamic code loading 27->120 122 Powershell drops PE file 27->122 38 gbquas.exe 1 27->38         started        41 reg.exe 1 27->41         started        43 reg.exe 1 1 27->43         started        45 3 other processes 27->45 file11 signatures12 process13 signatures14 108 Multi AV Scanner detection for dropped file 38->108 110 Machine Learning detection for dropped file 38->110 112 Uses schtasks.exe or at.exe to add and modify task schedules 38->112 114 Injects a PE file into a foreign processes 38->114 47 gbquas.exe 4 38->47         started        process15 file16 70 C:\Users\user\AppData\Roaming\...\Update.exe, PE32 47->70 dropped 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 47->86 51 Update.exe 1 47->51         started        54 schtasks.exe 1 47->54         started        signatures17 process18 signatures19 98 Multi AV Scanner detection for dropped file 51->98 100 Machine Learning detection for dropped file 51->100 102 Injects a PE file into a foreign processes 51->102 56 Update.exe 2 51->56         started        60 conhost.exe 54->60         started        process20 dnsIp21 78 77.105.132.124, 2525, 4899, 49736 PLUSTELECOM-ASRU Russian Federation 56->78 80 77.105.132.70, 2525, 4899, 49738 PLUSTELECOM-ASRU Russian Federation 56->80 116 Hides that the sample has been downloaded from the Internet (zone.identifier) 56->116 62 schtasks.exe 56->62         started        signatures22 process23 process24 64 conhost.exe 62->64         started       
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/76fb1494f160bb15a94de3401187fa0f4e64c1cff9a4dad27f0b24a8c8786950
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76fb1494f160bb15a94de3401187fa0f4e64c1cff9a4dad27f0b24a8c8786950/
Threat name:
Win64.Trojan.Pidief
Create hunting rule
Status:
Malicious
First seen:
2024-01-09 09:12:18 UTC
File Type:
PE+ (Exe)
Extracted files:
59
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o35rjfhrmc5rlkkn4nabdb72b5hgjqop7gsnvut7bmskrsdynfia._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/240111-ntewrsfbaq/
Behaviour
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Blocklisted process makes network request
Downloads MZ/PE file
Unpacked files
SH256 hash:
76fb1494f160bb15a94de3401187fa0f4e64c1cff9a4dad27f0b24a8c8786950
MD5 hash:
2c4102facf34d60785c2e882121f46fb
SHA1 hash:
176206c562e04e715d3a2823cdef62c7f3773a6c
Link:
https://www.unpac.me/results/4ddfe45c-b19e-4337-99ee-36fc8ae000e9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76fb1494f160bb15a94de3401187fa0f4e64c1cff9a4dad27f0b24a8c8786950

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

Executable exe 76fb1494f160bb15a94de3401187fa0f4e64c1cff9a4dad27f0b24a8c8786950

(this sample)

  
Link
https://pastebin.com/EnDmzkhL
  
Delivery method
Distributed via e-mail attachment

Comments