MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e9a3943e6d8e8409b427e7ad9f60e43164d8ea99ae2755df7804013508c15a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e9a3943e6d8e8409b427e7ad9f60e43164d8ea99ae2755df7804013508c15a2
SHA3-384 hash: ce9d9aa556e753889c92db4b7a3ed676a53f0cb6459b906696c5ce93ef84a9cfff8d49556beae94dd95849f32ab8eb50
SHA1 hash: 99d51b78c64d187d9e8eaa36d8a3d39e0bbb4df6
MD5 hash: 7087da8128aa173da193dd4b8432ed71
humanhash: wisconsin-salami-connecticut-freddie
File name:SF24.vbs
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:836 bytes
First seen:2021-01-12 07:20:30 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:UrFgvWdXJ5tvANruoKkKJGcBY+096ea02WcAEr7JUsSJ9O7wWZqJJ3A1pEI+yJHI:QgAX1AQrkKS9pFct7nSTOt03AAIVlllw
Threatray 168 similar samples on MalwareBazaar
TLSH E701223F854282B88157D2869D35F8A7DE985288321B690EDDBDCADC348DCDC5631752
Reporter abuse_ch
Tags:QuasarRAT vbs


Avatar
abuse_ch
Malspam distributing QuasarRAT:

HELO: mout.perfora.net
Sending IP: 74.208.4.197
From: TechBill#67549524625 <BillGlobal-id6754952@domain.com>
Subject: your order has been placed##675495
Attachment: SF24.ISO (contains "SF24.vbs")

QuasarRAT payload URL:
https://z.zz.ht/nlOiE.jpg

Intelligence

File Origin
# of uploads :
1
# of downloads :
443
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111415/
Detection(s):
SecuriteInfo.com.ISB.Downloadergen48.23419.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending a UDP request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Forced shutdown of a system process
Creating a file in the %AppData% subdirectories
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/578777
Signature
.NET source code references suspicious native API functions
Drops VBS files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Drops script at startup location
VBScript performs obfuscated calls to suspicious functions
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 338437 Sample: SF24.vbs Startdate: 12/01/2021 Architecture: WINDOWS Score: 100 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected AntiVM_3 2->49 51 6 other signatures 2->51 7 wscript.exe 10 2->7         started        11 wscript.exe 7 2->11         started        process3 file4 33 C:\Users\user\...\SF24.vbs:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Roaming\...\SF24.vbs, ASCII 7->35 dropped 59 VBScript performs obfuscated calls to suspicious functions 7->59 61 Wscript starts Powershell (via cmd or directly) 7->61 63 Obfuscated command line found 7->63 65 2 other signatures 7->65 13 powershell.exe 14 16 7->13         started        17 powershell.exe 16 11->17         started        signatures5 process6 dnsIp7 41 z.zz.ht 104.28.23.56, 443, 49743, 49751 CLOUDFLARENETUS United States 13->41 67 Writes to foreign memory regions 13->67 69 Injects a PE file into a foreign processes 13->69 19 MSBuild.exe 15 4 13->19         started        23 MSBuild.exe 13->23         started        25 conhost.exe 13->25         started        27 MSBuild.exe 13->27         started        43 192.168.2.1 unknown unknown 17->43 29 MSBuild.exe 3 17->29         started        31 conhost.exe 17->31         started        signatures8 process9 dnsIp10 37 ip-api.com 208.95.112.1, 49745, 80 TUT-ASUS United States 19->37 39 sdffgre.myq-see.com 51.89.204.178, 49746, 9999 OVHFR France 19->39 53 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->53 55 Installs a global keyboard hook 19->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 23->57 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e9a3943e6d8e8409b427e7ad9f60e43164d8ea99ae2755df7804013508c15a2/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-12 07:21:09 UTC
AV detection:
4 of 46 (8.70%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r2ndsq7g3duebg2cpz5nt5qoimle3dvjtlrhkxpxqbabguemcwra._file
Verdict:
malicious
Similar samples:
025432a99764f95f01790ed77271c9f52c44bd6f08763d4ea77b81afbcad6485
QuasarRAT
0294e192621b21d5c8f2288496930fe5e947fd66cdff1a119ca2f8bbdd8a537e
QuasarRAT
092223938bed5fec479602f4bf2cb0fd28dd628e8754714047b0b7939cd2e298
QuasarRAT
23ed6ef7aec39fbc37b613e5ad3611a84ba1facc92489ed818dcc72bee129022
QuasarRAT
41144a1619fe90c98275683389f032396d09687a336817bc65db220836c006b7
QuasarRAT
60d1ea55d2ecbd3f8289c2d11413ad2378551b8c87126d81483d18101bbd8e4a
QuasarRAT
60d4d26d3a67ea86d793602fa94ea83bdb8e888c4742b2a2601c68f577be4371
QuasarRAT
b31fb3832c2f366796fcc9165c60c58da5c866973377ab0d43f71586c461b8fb
QuasarRAT
b7823b23e2ef21045e77a01f2f34f86f387a607f4c1d949571c01c1fcdfd7fa1
QuasarRAT
fec56ffb3c5a61bffba235044da127eae17d9772dbd3817b8a5ce8cad0e93cb1
QuasarRAT
+ 158 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/210112-6m54s9ljrs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://z.zz.ht/nlOiE.jpg
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e9a3943e6d8e8409b427e7ad9f60e43164d8ea99ae2755df7804013508c15a2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

iso 4f4f87b7f22385d5877154cb66780170f19ba39fe17e90b6ddd1581e0cf26bd2

QuasarRAT

Visual Basic Script (vbs) vbs 8e9a3943e6d8e8409b427e7ad9f60e43164d8ea99ae2755df7804013508c15a2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/954554/
  
Dropped by
MD5 8e9331615105320c8012868a644b31c5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111415/
  
Dropped by
SHA256 4f4f87b7f22385d5877154cb66780170f19ba39fe17e90b6ddd1581e0cf26bd2

Comments