MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 888497ac8f3cb030dc34d198ef8e307fab6b129f31f4fc9c41ea78f94d831529. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 5



SHA256 hash: 888497ac8f3cb030dc34d198ef8e307fab6b129f31f4fc9c41ea78f94d831529
SHA3-384 hash: dd910c218fb782fd9a2299b84cbffcfe87236f25882ae32c103b36217a8df2ebc4312f4226352c45a20b1f8d293605b3
SHA1 hash: a69b71a21705aed2fdea04945fc44890c08e22b4
MD5 hash: 8e22d4d13e86da51677f67ae09a0aec0
humanhash: alpha-mobile-uranus-table
File name: 888497ac8f3cb030dc34d198ef8e307fab6b129f31f4fc9c41ea78f94d831529
Signature QuasarRAT
File size: 5'738'496 bytes
First seen: 2021-09-21 08:25:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash be63889866f6bba2109402ee273e5652 (3 x RemcosRAT, 2 x RedLineStealer, 1 x QuasarRAT)
ssdeep 98304:yDoMg6ltF0fzbiYy3YBKwQFmmtNUZaB+09H6I9FawsPqSheEXW9W:ysM9ltiXiYQdFlULWa60/QEXW9W
Threatray 7'650 similar samples on MalwareBazaar
TLSH T11246331533E185BFE8D32D725BFC17F691BE81085F2108C727CD679E1A38A82A13965E
dhash icon 48a4e07098482c04 (1 x QuasarRAT)
Reporter JAMESWT_WT
Tags: exe QuasarRAT RAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 104
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 888497ac8f3cb030dc34d198ef8e307fab6b129f31f4fc9c41ea78f94d831529
Verdict: No threats detected
Analysis date: 2021-09-21 08:26:07 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates files in alternative data streams (ADS)
Creates files in the system32 config directory
Deletes shadow drive data (may be related to ransomware)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected Quasar RAT
Behaviour
Behavior Graph: ID 487478 (Sample: rOpFMfE0R1, Startdate: 21/09/2021, Architecture: WINDOWS, Score: 100); the rendered process/network graph is not reproduced here
Threat name: Win32.Dropper.FrauDrop
Status: Malicious
First seen: 2021-09-19 02:40:33 UTC
AV detection: 33 of 45 (73.33%)
Threat level: 3/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery evasion exploit persistence trojan upx
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Blocks application from running via registry modification
Executes dropped EXE
Modifies Windows Firewall
Possible privilege escalation attempt
Registers new Print Monitor
UPX packed file
Modifies Windows Defender notification settings
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
