MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78a881cbc86ce0458d8db0eae0c92a8e016537796ef3ab7928037f4a51d4ca2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78a881cbc86ce0458d8db0eae0c92a8e016537796ef3ab7928037f4a51d4ca2f
SHA3-384 hash: 20d511ac4afcf3b897b4cd593b54061dcfae7497515f526ebc1f1d4079d113875205e65faf10ceca6e8517d1a421a305
SHA1 hash: 73c2226a8592f0a729a837013d40e5b55ecb4415
MD5 hash: 07b8be238ea7e4d28ab60dd6c485f663
humanhash: nine-sweet-ink-low
File name:smokeweed.vbs
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'190 bytes
First seen:2021-02-26 06:13:41 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:Y2O+d1AJcccx2pJD+Jg9JuJIJIJgOezAK2O+Gcccx2pJD+Jg9JuJIJIJgOg:VA7kK
Threatray 173 similar samples on MalwareBazaar
TLSH F661BE0576D84A00ACE102438CDD76F48D1578C51CA8EDF2B9B86E1FADB4A84B9E4BD8
Reporter abuse_ch
Tags:QuasarRAT RAT vbs


Avatar
abuse_ch
QuasarRAT C2:
newss.myq-see.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119314/
Detection(s):
SecuriteInfo.com.PUA.PowerShell.Agent-13.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Sending a UDP request
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Creating a file
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/619350
Signature
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Potential malicious VBS script found (suspicious strings)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 358671 Sample: smokeweed.vbs Startdate: 26/02/2021 Architecture: WINDOWS Score: 100 50 Multi AV Scanner detection for domain / URL 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Yara detected Quasar RAT 2->54 56 6 other signatures 2->56 9 wscript.exe 1 2->9         started        process3 signatures4 62 VBScript performs obfuscated calls to suspicious functions 9->62 12 wscript.exe 1 9->12         started        process5 signatures6 64 Suspicious powershell command line found 12->64 66 Wscript starts Powershell (via cmd or directly) 12->66 15 powershell.exe 14 35 12->15         started        19 mshta.exe 25 12->19         started        process7 dnsIp8 38 104.21.234.56, 443, 49739 CLOUDFLARENETUS United States 15->38 44 Creates an undocumented autostart registry key 15->44 46 Writes to foreign memory regions 15->46 48 Injects a PE file into a foreign processes 15->48 22 jsc.exe 15 2 15->22         started        26 conhost.exe 15->26         started        40 z.zz.ht 104.21.234.57, 443, 49730 CLOUDFLARENETUS United States 19->40 42 192.168.2.1 unknown unknown 19->42 32 C:\Users\Public\Datax.ps1, ASCII 19->32 dropped 28 powershell.exe 26 19->28         started        file9 signatures10 process11 dnsIp12 34 ip-api.com 208.95.112.1, 49746, 80 TUT-ASUS United States 22->34 36 newss.myq-see.com 154.16.67.107, 1999, 49747 AS40676US South Africa 22->36 58 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 22->58 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->60 30 conhost.exe 28->30         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78a881cbc86ce0458d8db0eae0c92a8e016537796ef3ab7928037f4a51d4ca2f/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 06:14:08 UTC
AV detection:
5 of 47 (10.64%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pcuids6intqeldmnwdvobsjkryawkn3zn3z2w6jian7uuuouzixq._file
Verdict:
malicious
Similar samples:
2399e5acd8e6fec2e83de445cf83b598676f57fdfedd1f67a7872a5009866591
QuasarRAT
381d4a53dc6d69491c703d2f35888b64a675c2b3de8f6572720828dd428a359b
QuasarRAT
4c6c1c0d7925af6c2891164d67743204132fcc8ea3cda471c005f446ea1cfda1
QuasarRAT
51ad568171d6a835bc1edd45cfe1fee659085dfc4522ac3d93c1458688d44bd5
QuasarRAT
6fb60c80bdc9cd558a384b468dc8b8467fb2e02764728e6a0ebc28ca865f31f6
QuasarRAT
810bbf258484b94bf2e51c7fba2f8a19f6aaf1137c982d2d6a97e600159c16fa
QuasarRAT
9990052a8a0d0a5eb3586f44e4f3a66a5d7748c9768d2efc470dd7034be6c1af
QuasarRAT
9cdcc531878d3a23d2da833a058efa100b91d212e4d5780cb21d5d36db0cbd01
QuasarRAT
b71d6728f8709dc2b8b6a57bbd0ea7d27e78a0ea16af5eff61b2d11f983e0129
QuasarRAT
b7f09be3bf95632ac3219b3d402a419e9bc40a54a3fc6ac1c57c183798e525fe
QuasarRAT
+ 163 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar spyware trojan
Link:
https://tria.ge/reports/210226-1xfrn8csxx/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Blocklisted process makes network request
Quasar RAT
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MSILStealer
Create hunting rule
Author:https://github.com/hwvs
Description:Detects strings from C#/VB Stealers and QuasarRat
Reference:https://github.com/quasar/QuasarRAT
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:WScript_Shell_PowerShell_Combo
Create hunting rule
Author:Florian Roth
Description:Detects malware from Middle Eastern campaign reported by Talos
Reference:http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

Visual Basic Script (vbs) vbs 78a881cbc86ce0458d8db0eae0c92a8e016537796ef3ab7928037f4a51d4ca2f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/119314/

Comments