MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 861878b319e66fd632f7d7623f0b56028f18d1e315680a15fc161a451ac9c788. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	861878b319e66fd632f7d7623f0b56028f18d1e315680a15fc161a451ac9c788
SHA3-384 hash:	5ff9abbfb22d0f567eddbafee666d2186c9ef451ab30e072dfb302ead1d45998f55ecae7ad1c66a940b30c477ad97e27
SHA1 hash:	f538fe80f76330e7d548e4f9b5171a56116d8e5e
MD5 hash:	7dba2e8ecbad5b33646e03a4af78967a
humanhash:	beer-bacon-sink-cold
File name:	DataStealer from 1_2
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	1'219'584 bytes
First seen:	2020-07-17 08:57:24 UTC
Last seen:	2020-07-17 09:37:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:LntHgG2FtTvZBpYOhhANdAAXQAXWQzhLP32jsXT7rlLiCJNTaaipq:Lntw/7ouAXRXBP32jGpHDlipq
Threatray	11 similar samples on MalwareBazaar
TLSH	7A455B017BE8DB07E0AF17B2E4B24A1807F9F485F6A7EB4F058855EA2C523406D417AF
Reporter	JAMESWT_WT
Tags:	DataStealer QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

118

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/27290/

Detection(s):

SecuriteInfo.com.Win32.Hedo.7586.2270.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending an HTTP GET request

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/389048

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/861878b319e66fd632f7d7623f0b56028f18d1e315680a15fc161a451ac9c788/

Threat name:

ByteCode-MSIL.Trojan.DarkStealer

Status:

Malicious

First seen:

2020-06-29 08:51:48 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qymhrmyz4zx5mmxx25rd6c2wakhrrupdcvuaufp4cynekgwjy6ea._file

Verdict:

unknown

QuasarRAT

264662e60005a099f9aaaa88e1dcee1381a3a187a158fdfbc40bbd5024407cb1

QuasarRAT

36f7bb3f776e1b4d97a2cf8cd65aac04593a797a8d46936d0900041995020465

QuasarRAT

422761ce807ba569d378b3130493e84a531d310d1ed8e0559d6313fdf91cd5b0

QuasarRAT

4e14841c96a09f5850d1cf5fcb3526714c22d7174e3f75c8a309d8db36ecef93

QuasarRAT

517e1659c9d9ee4de266b3ade2d06965b670d17082ae2c2c97b4c694bb29152a

QuasarRAT

9a3b89ea2396b22020fc8e3bde1b832ca70d8b875b088f451f54e85f359380df

QuasarRAT

b60f00c8d27d8282118e085eb407d706388186487ff014b1dcf238efe1ed940f

QuasarRAT

e2e45cb35a6a9aaa1c827fb3bfcc102650bf3fa8df381e5d52cb8cd908119d91

QuasarRAT

e892e7f5b3919e1c3d92ee26e7b4313e753cad797e3397138a1ccef2b1289b1d

QuasarRAT

+ 1 additional samples on MalwareBazaar

Result

Malware family:

echelon

Score:

10/10

Tags:

spyware discovery stealer family:echelon

Link:

https://tria.ge/reports/200717-t4z5zfvwwe/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of NtSetInformationThreadHideFromDebugger

Looks up external IP address via web service

Checks installed software on the system

Reads user/profile data of web browsers

Echelon log file

Echelon

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/861878b319e66fd632f7d7623f0b56028f18d1e315680a15fc161a451ac9c788

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/27290/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample