MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab59fbf0ee10b8c5428479b1f5dfdb5cfc87dd40407b3742814ab34611f32b1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab59fbf0ee10b8c5428479b1f5dfdb5cfc87dd40407b3742814ab34611f32b1d
SHA3-384 hash: 71e064fed3ecd37696253dfb4d10baa4d925062927d5d780fb6c39d597844253af7174da2f113b3466aa758cc9d3258c
SHA1 hash: 73131c00bc2d3554f53c56b487488efeef9ffb40
MD5 hash: 9fa6a03205eb87f89ad6b8dc678f8c62
humanhash: lion-oklahoma-oscar-vegan
File name:Reciept_ups.vbs
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'140 bytes
First seen:2021-07-30 06:06:48 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:APQ1B03iMUhjzeArpIqmnAMvAN5STD69P1EI3SDKV:giVz5rK/AN5SPc1EI3D
Threatray 209 similar samples on MalwareBazaar
TLSH T1C52103343A4FF1354445E6C65DBA9A24F3A762ABC5605485317CC188507F4EE19C3FCE
Reporter abuse_ch
Tags:aggah hagga QuasarRAT vbs


Avatar
abuse_ch
QuasaRAT payload URLs:
https://ia601408.us.archive.org/10/items/pervey/pervey.txt
https://ia601403.us.archive.org/32/items/vceo_20210729/vceo.txt

Intelligence

File Origin
# of uploads :
1
# of downloads :
341
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QuasarRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175187/
Detection(s):
SecuriteInfo.com.VBS.TrojanDownloader.Agent.VUC.20475.2805.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/824345
Signature
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Suspicious PowerShell Command Line
VBScript performs obfuscated calls to suspicious functions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab59fbf0ee10b8c5428479b1f5dfdb5cfc87dd40407b3742814ab34611f32b1d/
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-07-30 06:07:03 UTC
AV detection:
4 of 46 (8.70%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vnm7x4hocc4mkquepgy7lx63lt6ipxkaib5toqubjkzumeptfmoq._file
Verdict:
malicious
Similar samples:
10a30b9776bb8981976fe678e4538e68c8fbbb0a57f34934978b3df7238be8d5
QuasarRAT
13f297d03a1dea9495fbd57508fdf3bc1975954ed97338bb4d35adcd9e02536d
QuasarRAT
357a1d94af889c7d73ca1a767222066f3550e007c7f52d3f83895fc5bf2e17b6
QuasarRAT
61cf72b64353f9154f3ba984f08d65e1a29dafed131cc283d9b56cf9808b4536
QuasarRAT
71b437c875d90c7b16ba9d671c5932aacc2f30cd63005ccb0fe7ba5373a0a5bd
QuasarRAT
972d8fcd3083eb6c81e2dc704d8e0ec1b097e43b7ef5576cf8cccc4e8fc85925
QuasarRAT
ba4b51ae64c68b32d126322b51b41dce7c300c01faed97aca35ff142e121a914
QuasarRAT
bc7cbed34a28008fed6c5c7d7fea8658d4abeb1eff5b06e06a917680d5091fcf
QuasarRAT
d623a286ae90c977b62d9520a819731a7af894481103b703c97b699d45ea90e1
QuasarRAT
db95252c51380bd1270af501cbc040ce72a3ad551156526580e4ce39b3feb0de
QuasarRAT
+ 199 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar spyware trojan
Link:
https://tria.ge/reports/210730-vqm2arckss/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Blocklisted process makes network request
Quasar Payload
Quasar RAT
Malware Config
Dropper Extraction:
https://ia601403.us.archive.org/32/items/vceo_20210729/vceo.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab59fbf0ee10b8c5428479b1f5dfdb5cfc87dd40407b3742814ab34611f32b1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:MALWARE_Win_DLAgent09
Create hunting rule
Author:ditekSHen
Description:Detects known downloader agent
Rule name:MALWARE_Win_DLAgent10
Create hunting rule
Author:ditekSHen
Description:Detects known downloader agent
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pe_imphash
Create hunting rule
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

Visual Basic Script (vbs) vbs ab59fbf0ee10b8c5428479b1f5dfdb5cfc87dd40407b3742814ab34611f32b1d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/175187/

Comments