MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa9deb2a1d67a4e73e7419b86535f1197dc8b7ffebdd392fb35f7c10d92b9dc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 14



SHA256 hash: aa9deb2a1d67a4e73e7419b86535f1197dc8b7ffebdd392fb35f7c10d92b9dc1
SHA3-384 hash: 849ea3ff754691abd8b562665f75c2a513a47c07239e76355b8b5b19166a4099308860a56e02edc0a1d8c22a8e602711
SHA1 hash: b8993d7cdeab70f1775f486837ae671ed3cce456
MD5 hash: 3d8c4196a887f0056103f09ca6717826
humanhash: south-georgia-texas-cup
File name: 3d8c4196a887f0056103f09ca6717826
Signature: QuasarRAT
File size: 20'992 bytes
First seen: 2022-10-19 07:18:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 140094f13383e9ae168c4b35b6af3356 (32 x DCRat, 11 x CoinMiner, 10 x njrat)
ssdeep: 384:MntlikEpJ6xs9oNUhW2Ob0JaMRPJFInKZBsgbN1aO9sdBnfk7:MntZ0fyb0JpEalpv6nfk
Threatray: 30 similar samples on MalwareBazaar
TLSH: T1D492AE01DED0E4F2D9A70434048F16A66FF6BA3006A5BB2E4A9E3479FC4A1B57C54B38
TrID:
  28.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
  25.4% (.EXE) Win32 Executable (generic) (4505/5/1)
  11.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
  11.4% (.EXE) OS/2 Executable (generic) (2029/13)
  11.3% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: zbetcheckin
Tags: 32 exe QuasarRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 234
Origin country: n/a

Vendor Threat Intelligence
Malware family:
ID: 1
File name: 3d8c4196a887f0056103f09ca6717826
Verdict: Malicious activity
Analysis date: 2022-10-19 07:18:29 UTC
Tags: opendir loader rat orcus quasar trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Creating a file in the %AppData% directory
Running batch commands
Launching the process to interact with network services
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Setting a keyboard event handler
Creating a file
Creating a window
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun for a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: update.exe

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Blank Grabber, Orcus, Quasar
Detection: malicious
Classification: troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Disables Windows Defender (via service or powershell)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Blank Grabber
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Orcus RAT
Yara detected PersistenceViaHiddenTask
Yara detected Quasar RAT
Behaviour
Behavior Graph (rendered graph flattened to text; graph node numbers omitted):
Behavior Graph ID: 725906
Sample: jKceAU0Wls.exe
Startdate: 19/10/2022
Architecture: WINDOWS
Score: 100
Top level:
  Network: discord.com
  Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 15 other signatures
  Processes started: jKceAU0Wls.exe, nitrsso64.exe, winmgr.exe, 9 other processes
jKceAU0Wls.exe:
  Network: 146.70.143.176 (ports 49696, 49698, 49699), TENET-1ZA, United Kingdom
  Dropped: C:\Users\user\Downloads\plage.exe (PE32); C:\Users\user\AppData\Local\Temp\orc.exe (PE32); C:\Users\user\AppData\Local\...\nitrsso64.exe (PE32+); 9 other malicious files
  Processes started: blmkgrp.exe, FileHistory.exe, orc.exe, 2 other processes
nitrsso64.exe:
  Signatures: Multi AV Scanner detection for dropped file
blmkgrp.exe (first instance):
  Dropped: C:\Users\user\AppData\...\win32crypt.pyd (PE32+); 21 other files (19 malicious)
  Signatures: Multi AV Scanner detection for dropped file; May check the online IP address of the machine; Drops PE files with a suspicious file extension; 4 other signatures
  Processes started: blmkgrp.exe (second instance)
FileHistory.exe (first instance):
  Dropped: C:\Users\user\AppData\...\FileHistory.exe (PE32)
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Processes started: FileHistory.exe (second instance), schtasks.exe
orc.exe (first instance):
  Dropped: C:\Windows\SysWOW64\WindowsInput.exe (PE32); 3 other malicious files
  Signatures: Drops executables to the windows directory (C:\Windows) and starts them
  Processes started: WindowsInput.exe, csc.exe, orc.exe (second instance)
2 other processes (children of jKceAU0Wls.exe):
  Network: 173.225.115.99 (ports 5050, 7702, 80), WEBAIR-INTERNET-3CA, United States
  Dropped: C:\Users\user\AppData\Roaming\...\winmgr.exe (PE32); C:\Users\user\AppData\Roaming\...\RCXA85B.tmp (PE32); C:\Users\user\AppData\Local\nitrsso64.exe (PE32+); C:\Users\user\AppData\Local\...112ewTask.xml (XML)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Installs a global keyboard hook
  Processes started: schtasks.exe, schtasks.exe, 2 other processes
blmkgrp.exe (second instance):
  Network: ip-api.com 208.95.112.1 (ports 49710, 80), TUT-ASUS, United States; httpbin.org 34.199.239.80 (ports 443, 49707), AMAZON-AESUS, United States; 2 other IPs or domains
  Dropped: C:\ProgramData\...\ScreenSaver-Ha8Ow.scr (PE32+)
  Signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
  Processes started: cmd.exe (first instance), cmd.exe (second instance), 5 other processes
FileHistory.exe (second instance):
  Signatures: Multi AV Scanner detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
  Processes started: schtasks.exe
schtasks.exe (each instance):
  Processes started: conhost.exe
csc.exe:
  Dropped: C:\Users\user\AppData\Local\...\w8pmdfuy.dll (PE32)
  Processes started: 2 other processes
orc.exe (second instance):
  Dropped: C:\Users\user\AppData\Roaming\Watchdog.exe (PE32)
cmd.exe (first instance):
  Signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
  Processes started: net.exe, conhost.exe
cmd.exe (second instance):
  Processes started: conhost.exe, powershell.exe
5 other processes (children of blmkgrp.exe):
  Processes started: WMIC.exe, WMIC.exe, conhost.exe, 5 other processes
net.exe:
  Processes started: net1.exe
WMIC.exe:
  Signatures: DLL side loading technique detected
Threat name: Win32.Trojan.ExNuma
Status: Malicious
First seen: 2022-10-19 07:31:32 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 23 of 26 (88.46%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:orcus family:plaguebot family:quasar botnet:skynet botnet persistence rat spyware stealer trojan
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Drops desktop.ini file(s)
Checks computer location settings
Drops startup file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Orcurs Rat Executable
PlagueBot Executable
Orcus
Orcus main payload
PlagueBot
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
  173.225.115.99:7702
  146.70.143.176:81

Unpacked files
SHA256 hash: 841e201f7f62f5623ddea01568dcfcb14fbd7531da75ed1cfc246da87783f19e
MD5 hash: d297104356b9de511304365279fa421d
SHA1 hash: 19e965e4b887bc5299fca1b5f301ab5047c23dbc

SHA256 hash: aa9deb2a1d67a4e73e7419b86535f1197dc8b7ffebdd392fb35f7c10d92b9dc1
MD5 hash: 3d8c4196a887f0056103f09ca6717826
SHA1 hash: b8993d7cdeab70f1775f486837ae671ed3cce456
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe aa9deb2a1d67a4e73e7419b86535f1197dc8b7ffebdd392fb35f7c10d92b9dc1 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-10-19 07:18:10 UTC

url : hxxp://146.70.143.176/MAL/bin/dream/native32.exe