MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9aabc9de4fbef67b8b8596428afa7dfa2754ac84e492b3d1f0a945b941fbac96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9aabc9de4fbef67b8b8596428afa7dfa2754ac84e492b3d1f0a945b941fbac96
SHA3-384 hash: 18a4eb74e4a63290eeb03a7a39f7abf89ec740c5aca0cb7cc67c405dfe52fe82f80a1059c6e62f99541abdf0be1171cd
SHA1 hash: 93200549967310b0fc63757d9438ca7ad160c895
MD5 hash: cbcdbaaaf27d1c265f2aa27bd762070d
humanhash: harry-crazy-freddie-charlie
File name:cbcdbaaaf27d1c265f2aa27bd762070d.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:226'304 bytes
First seen:2022-06-24 08:36:09 UTC
Last seen:2022-06-24 09:57:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bb23f8918a154bd0aa10d42dbfb8da18 (1 x QuasarRAT)
ssdeep 3072:sDpnknrhvkJXKHlDML1Hwt6xZ1HMEFO3Tt7nlcaff3UTNqPTaEoY468tay4ou:sJknrhcJ6Hl4L1HFxZ1HL45ohHk
Threatray 5'739 similar samples on MalwareBazaar
TLSH T15D248D497BA94CF5E9728139CC125945EA73BC160572DB3F03A0431ADF37691AE2FB22
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/282962/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Replacing executable files
Creating a file
Searching for the window
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Modifying an executable file
Running batch commands
Launching a process
Moving of the original file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62b577b162d792dc574143fd/reports/98d6eaa4-65ac-4b12-99e0-7be8fba74da8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a3f5b3d1-3625-48ae-b31b-b0de51543597
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1019230
Signature
Antivirus detection for dropped file
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 651727 Sample: dmTIRVid3Q.exe Startdate: 24/06/2022 Architecture: WINDOWS Score: 92 33 Antivirus detection for dropped file 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 2 other signatures 2->39 6 dmTIRVid3Q.exe 17 2->6         started        process3 dnsIp4 25 cdn.discordapp.com 162.159.134.233, 443, 49716 CLOUDFLARENETUS United States 6->25 17 C:\Users\user\...\dmTIRVid3Q.exe_tmp (copy), PE32+ 6->17 dropped 19 C:\Users\user\Desktop\dmTIRVid3Q.exe, PE32+ 6->19 dropped 21 C:\Users\user\AppData\Local\Temp\stuff2.tmp, PE32+ 6->21 dropped 23 C:\Users\user\AppData\Local\...\Xvl[1].exe, PE32+ 6->23 dropped 41 Antivirus detection for dropped file 6->41 43 Multi AV Scanner detection for dropped file 6->43 45 Tries to evade analysis by execution special instruction (VM detection) 6->45 47 Tries to detect virtualization through RDTSC time measurements 6->47 11 dmTIRVid3Q.exe 1 26 6->11         started        15 conhost.exe 6->15         started        file5 signatures6 process7 dnsIp8 27 51.79.119.221, 13371, 49744, 49752 OVHFR Canada 11->27 29 51.79.119.228, 13371, 49743, 49749 OVHFR Canada 11->29 31 3 other IPs or domains 11->31 49 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->49 51 Tries to detect debuggers (CloseHandle check) 11->51 53 Hides threads from debuggers 11->53 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9aabc9de4fbef67b8b8596428afa7dfa2754ac84e492b3d1f0a945b941fbac96/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-06-19 23:05:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tkv4txspx33hxc4fszbiv6t57itvjlee4sjlhupqvfc3sqp3vsla._file
Verdict:
malicious
Similar samples:
41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547
QuasarRAT
51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6
QuasarRAT
84becd454a058c325e514ac677c33b1493833b35d8b566a2275a9542bea4ca03
QuasarRAT
a5cff8be9bcf62d52112968e176e33103c2589f7fad004023543a041adfa9578
QuasarRAT
c8ac98c4e43e4290cdaefce51ebf9165143c31d3fbce0f9f80cf5a3258058c4a
QuasarRAT
ea10f282be1864ccfe204fcba69fea1b172213a5dc114ef46c629a1ea98c8c24
QuasarRAT
edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f
QuasarRAT
+ 5'729 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/220624-kkwalsdhf3/
Behaviour
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SH256 hash:
9aabc9de4fbef67b8b8596428afa7dfa2754ac84e492b3d1f0a945b941fbac96
MD5 hash:
cbcdbaaaf27d1c265f2aa27bd762070d
SHA1 hash:
93200549967310b0fc63757d9438ca7ad160c895
Link:
https://www.unpac.me/results/ec7df464-0239-4fe3-825f-1688a1cf0dd2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9aabc9de4fbef67b8b8596428afa7dfa2754ac84e492b3d1f0a945b941fbac96

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/282962/

Comments