MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7
SHA3-384 hash: 0f9cdf459020cf5b6e207bd8ae05f9340a7b9f06b48e98312d46534a1ce53e7ad9b1ab43a92f920d7fcc7aa4c61ef4b1
SHA1 hash: 39f017290209564e34eb7aec80eb2a91a2f5d2d5
MD5 hash: 8338bbdd6ab3ad35c0fbfbebe29813fe
humanhash: vegan-bluebird-charlie-jig
File name:8338bbdd6ab3ad35c0fbfbebe29813fe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:11'367'936 bytes
First seen:2024-03-09 10:48:49 UTC
Last seen:2024-03-09 12:35:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 70 x LummaStealer, 61 x Rhadamanthys)
ssdeep 196608:FvqmYcUiDN2WUFUb7+sK9D2lmLZSJYDHcECkFQT8eqolovLaSC5Mn2jOSrD0lzUC:Fy/tiBZU6b7+hSmEJiF7FQgAovLz2KSt
TLSH T143B63302E2E90021F5F9A3369FB789D1987339111E72D7FE1E0B512F0A635AC6E72791
TrID 58.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
16.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.1% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags:64 exe QuasarRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
342
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7.exe
Verdict:
Malicious activity
Analysis date:
2024-03-09 10:52:58 UTC
Tags:
rat asyncrat remote quasar
Link:
https://app.any.run/tasks/3879d3ea-3c66-4b9d-9c38-cbd593cbf83f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/478300/
Detection(s):
SecuriteInfo.com.decompression.bomb.29185.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
advpack anti-vm CAB explorer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65ec3ea20ef6f5eba490b56c/reports/62b98335-7eb1-4118-9c6a-5a10c5689ceb/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0fa13472-1e45-4e0f-bdb8-55e3fe9422c1
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1405856
Signature
Bypasses PowerShell execution policy
Deletes keys which are related to windows safe boot (disables safe mode boot)
Drops executables to the windows directory (C:\Windows) and starts them
Enables network access during safeboot for specific services
Found suspicious powershell code related to unpacking or dynamic code loading
Multi AV Scanner detection for submitted file
Obfuscated command line found
Powershell drops PE file
Powershell is started from unusual location (likely to bypass HIPS)
Registers a service to start in safe boot mode
Renames powershell.exe to bypass HIPS
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Yara detected Powershell dedcode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1405856 Sample: 5WSpn4uH1P.exe Startdate: 09/03/2024 Architecture: WINDOWS Score: 100 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected Powershell dedcode and execute 2->41 43 Obfuscated command line found 2->43 45 2 other signatures 2->45 7 5WSpn4uH1P.exe 1 3 2->7         started        9 $sxr-mshta.exe 1 2->9         started        12 rundll32.exe 2->12         started        process3 signatures4 14 cmd.exe 1 7->14         started        59 Drops executables to the windows directory (C:\Windows) and starts them 9->59 17 $sxr-cmd.exe 1 9->17         started        process5 signatures6 61 Suspicious powershell command line found 14->61 63 Bypasses PowerShell execution policy 14->63 19 powershell.exe 34 33 14->19         started        23 conhost.exe 14->23         started        25 cmd.exe 1 14->25         started        65 Drops executables to the windows directory (C:\Windows) and starts them 17->65 27 $sxr-powershell.exe 13 17->27         started        29 conhost.exe 17->29         started        31 cmd.exe 1 17->31         started        process7 file8 33 C:\Windows\$sxr-powershell.exe, PE32+ 19->33 dropped 35 C:\Windows\$sxr-mshta.exe, PE32+ 19->35 dropped 37 C:\Windows\$sxr-cmd.exe, PE32+ 19->37 dropped 47 Enables network access during safeboot for specific services 19->47 49 Renames powershell.exe to bypass HIPS 19->49 51 Registers a service to start in safe boot mode 19->51 57 2 other signatures 19->57 53 Powershell is started from unusual location (likely to bypass HIPS) 27->53 55 Found suspicious powershell code related to unpacking or dynamic code loading 27->55 signatures9
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7/
Threat name:
Win64.Trojan.Smokeloader
Create hunting rule
Status:
Suspicious
First seen:
2024-03-09 10:49:15 UTC
File Type:
PE+ (Exe)
Extracted files:
36
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tp2rohorekpohzei4p6t2kqgpkc6ej6q5vkod3iyxpbvvcpwtc3q._file
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar persistence spyware trojan
Link:
https://tria.ge/reports/240309-mwnq1sfa59/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Quasar RAT
Quasar payload
Unpacked files
SH256 hash:
9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7
MD5 hash:
8338bbdd6ab3ad35c0fbfbebe29813fe
SHA1 hash:
39f017290209564e34eb7aec80eb2a91a2f5d2d5
Link:
https://www.unpac.me/results/8182f65e-efdf-4014-8245-4b396105a659/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2778433/
Cape
Cape
https://www.capesandbox.com/analysis/478300/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments


Avatar
zbet commented on 2024-03-09 10:48:50 UTC

url : hxxp://218.38.52.227:8000/exrVkB/Update.exe