MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 866b5bcc067af55b26fae2013af4310fb27381a585e720a1dd39c722f1a18c19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 866b5bcc067af55b26fae2013af4310fb27381a585e720a1dd39c722f1a18c19
SHA3-384 hash: 7bd601500a5bd6a5197ea956c92d0132fd05d145c6e731c8de733128b35acb0819320c1bca213c952274713bff097302
SHA1 hash: 99a8f137febd7a34cdcd6f3f867a02666cdb35be
MD5 hash: 35978426c438be50ff71a09d303054e3
humanhash: oscar-south-apart-shade
File name:Sevkiyat-Bilgisi..com
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'435'566 bytes
First seen:2023-07-11 12:47:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 24576:CNA3R5drXP/2ai/O+Bo2DxkmgP6L7Z8D5b2bM5MccqBhn1urp+Cq:b53V1kioL7ZccM5M214od
Threatray 849 similar samples on MalwareBazaar
TLSH T1ED65F1326E8B03B1D4E2D6753825BD40F22F7C162A36661A3297F21FC23D89191BDF56
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 04dcd6a6a6a6a018 (1 x QuasarRAT)
Reporter TeamDreier
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
325
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
Sevkiyat-Bilgisi..com
Verdict:
Malicious activity
Analysis date:
2023-07-11 12:48:15 UTC
Tags:
quasar evasion
Link:
https://app.any.run/tasks/9e297d9d-2311-47c1-8ebb-663602267330

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/415602/
Detection(s):
SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/97153/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
90%
Tags:
greyware lolbin masquerade overlay packed quasar replace setupapi shdocvw shell32
Link:
https://www.filescan.io/uploads/64ad4f92a15fc7eb4fd0c1f0/reports/587e8461-5f1c-46d9-88f2-a43b4feac911/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/866b5bcc067af55b26fae2013af4310fb27381a585e720a1dd39c722f1a18c19
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/df288036-3c32-4909-af5d-1dee03375edd
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1270866
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1270866 Sample: Sevkiyat-Bilgisi..com.exe Startdate: 11/07/2023 Architecture: WINDOWS Score: 100 57 Snort IDS alert for network traffic 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 8 other signatures 2->63 11 Sevkiyat-Bilgisi..com.exe 9 2->11         started        14 eisdvbhg.exe 2->14         started        17 eisdvbhg.exe 2->17         started        19 eisdvbhg.exe 2->19         started        process3 file4 47 C:\Users\user\AppData\...\eisdvbhg.sfx.exe, PE32 11->47 dropped 21 cmd.exe 1 11->21         started        75 Injects a PE file into a foreign processes 14->75 23 eisdvbhg.exe 2 14->23         started        25 eisdvbhg.exe 17->25         started        27 eisdvbhg.exe 19->27         started        signatures5 process6 process7 29 eisdvbhg.sfx.exe 8 21->29         started        32 conhost.exe 21->32         started        34 WerFault.exe 27->34         started        file8 49 C:\Users\user\AppData\Local\...\eisdvbhg.exe, PE32 29->49 dropped 36 eisdvbhg.exe 1 29->36         started        process9 signatures10 65 Antivirus detection for dropped file 36->65 67 Detected unpacking (changes PE section rights) 36->67 69 May check the online IP address of the machine 36->69 71 2 other signatures 36->71 39 eisdvbhg.exe 16 2 36->39         started        process11 dnsIp12 51 kolptyubeatcam.sytes.net 39->51 53 fronadeatcam.sytes.net 39->53 55 5 other IPs or domains 39->55 73 Hides that the sample has been downloaded from the Internet (zone.identifier) 39->73 43 schtasks.exe 1 39->43         started        signatures13 process14 process15 45 conhost.exe 43->45         started       
Detection:
quasar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/866b5bcc067af55b26fae2013af4310fb27381a585e720a1dd39c722f1a18c19/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-11 08:16:53 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qzvvxtagpl2vwjx24iatv5brb6zhhanfqxtsbio5hhdsf4nbrqmq._file
Verdict:
malicious
Similar samples:
59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4
QuasarRAT
8b21d5d222c521b730f85690aa3f88c00b2c9ce7e8b208564509e093b5eed814
QuasarRAT
8dddf22e96a6a22b5ed6ddcab093052a7f2e5419a8e3edc25eee6fc4a90076f3
QuasarRAT
c8277e88b37878917b46d509324a57846d58e285c3e06720a282e7bb34fd9bc0
QuasarRAT
d7b743b3582875c7901a0af05f9428e89d50aecb319425f7a800c80924f81a50
QuasarRAT
f548d4d3dd4866eac8b73b912b2ec15abd29afd8377dbec57094689e306b196f
QuasarRAT
+ 839 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:kbop spyware trojan
Link:
https://tria.ge/reports/230711-p1sa4sab4z/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
kolptyubeatcam.sytes.net:64594
fronpeatcam.publicvm.com:64595
fronadeatcam.publicvm.com:64595
fronadeatcam.sytes.net:64595
Unpacked files
SH256 hash:
dfd5ffbf3ef08e2dea89771b8cee04dd433a92f383c925c2e2da24a373e791e2
MD5 hash:
f933cc8284240083977d1393c4895dc1
SHA1 hash:
8c3cc20cfd0a3bfb3bac873ef4bd89b6dd11fbfe
Detections:
QuasarRAT
Create hunting rule
QuasarRAT
Create hunting rule
QuasarRAT
Create hunting rule
Link:
https://www.unpac.me/results/92a66a17-5620-4ea7-af57-5699696fcf60/
SH256 hash:
28de76b034c0ea5a05624c77a5d23e08192006352eed6adf7824fbd122591756
MD5 hash:
533ecaf759a58a7e419538ae91e4661b
SHA1 hash:
67654c6bc0119eac4d1dc8b77248791fb2572a74
Link:
https://www.unpac.me/results/92a66a17-5620-4ea7-af57-5699696fcf60/
SH256 hash:
dfd5ffbf3ef08e2dea89771b8cee04dd433a92f383c925c2e2da24a373e791e2
MD5 hash:
f933cc8284240083977d1393c4895dc1
SHA1 hash:
8c3cc20cfd0a3bfb3bac873ef4bd89b6dd11fbfe
Detections:
QuasarRAT
Create hunting rule
QuasarRAT
Create hunting rule
QuasarRAT
Create hunting rule
Link:
https://www.unpac.me/results/92a66a17-5620-4ea7-af57-5699696fcf60/
SH256 hash:
28de76b034c0ea5a05624c77a5d23e08192006352eed6adf7824fbd122591756
MD5 hash:
533ecaf759a58a7e419538ae91e4661b
SHA1 hash:
67654c6bc0119eac4d1dc8b77248791fb2572a74
Link:
https://www.unpac.me/results/92a66a17-5620-4ea7-af57-5699696fcf60/
SH256 hash:
8133638022a7761142adf575f451d6b968e9db87a5682019f2047d5b06be4c3b
MD5 hash:
3cf61504fd3d32b7c9f76cdbe2da11ae
SHA1 hash:
f90d36dfc66fce519e737a4b086f61d6991cd1b8
Link:
https://www.unpac.me/results/92a66a17-5620-4ea7-af57-5699696fcf60/
SH256 hash:
dfd5ffbf3ef08e2dea89771b8cee04dd433a92f383c925c2e2da24a373e791e2
MD5 hash:
f933cc8284240083977d1393c4895dc1
SHA1 hash:
8c3cc20cfd0a3bfb3bac873ef4bd89b6dd11fbfe
Detections:
QuasarRAT
Create hunting rule
QuasarRAT
Create hunting rule
QuasarRAT
Create hunting rule
Link:
https://www.unpac.me/results/92a66a17-5620-4ea7-af57-5699696fcf60/
SH256 hash:
8133638022a7761142adf575f451d6b968e9db87a5682019f2047d5b06be4c3b
MD5 hash:
3cf61504fd3d32b7c9f76cdbe2da11ae
SHA1 hash:
f90d36dfc66fce519e737a4b086f61d6991cd1b8
Link:
https://www.unpac.me/results/92a66a17-5620-4ea7-af57-5699696fcf60/
SH256 hash:
28de76b034c0ea5a05624c77a5d23e08192006352eed6adf7824fbd122591756
MD5 hash:
533ecaf759a58a7e419538ae91e4661b
SHA1 hash:
67654c6bc0119eac4d1dc8b77248791fb2572a74
Link:
https://www.unpac.me/results/92a66a17-5620-4ea7-af57-5699696fcf60/
SH256 hash:
8133638022a7761142adf575f451d6b968e9db87a5682019f2047d5b06be4c3b
MD5 hash:
3cf61504fd3d32b7c9f76cdbe2da11ae
SHA1 hash:
f90d36dfc66fce519e737a4b086f61d6991cd1b8
Link:
https://www.unpac.me/results/92a66a17-5620-4ea7-af57-5699696fcf60/
SH256 hash:
866b5bcc067af55b26fae2013af4310fb27381a585e720a1dd39c722f1a18c19
MD5 hash:
35978426c438be50ff71a09d303054e3
SHA1 hash:
99a8f137febd7a34cdcd6f3f867a02666cdb35be
Link:
https://www.unpac.me/results/92a66a17-5620-4ea7-af57-5699696fcf60/
Malware family:
xRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/866b5bcc067a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:CN_disclosed_20180208_KeyLogger_1_RID3227
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:malware_Quasar_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pe_imphash
Create hunting rule
Rule name:Quasar_RAT_1
Create hunting rule
Author:@SOCRadar
Description:Detects Quasar RAT
Rule name:Quasar_RAT_1_RID2B54
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Description:Detects Quasar RAT
Rule name:Quasar_RAT_2_RID2B55
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:Windows_Trojan_Quasarrat_e52df647
Create hunting rule
Author:Elastic Security
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W
Rule name:xRAT_1_RID2900
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

Executable exe 866b5bcc067af55b26fae2013af4310fb27381a585e720a1dd39c722f1a18c19

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/415602/

Comments