MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae8c4f72c13b4103e0e977bbf2939a4b97860d1c279994d1b0bd27e00cbf8c2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 11


SHA256 hash: ae8c4f72c13b4103e0e977bbf2939a4b97860d1c279994d1b0bd27e00cbf8c2f
SHA3-384 hash: b049c48ac917a1491ea87570d04a5fd3aeb5669ed1c7416bf56f26cbd526f46b913e5db8047a365a434d56f6c661ff2e
SHA1 hash: 2891a832f6f327a77b5bf8280c13fce76e35b7fe
MD5 hash: da5de2b74995076618fe814857073997
humanhash: oregon-lake-xray-ten
File name: msjO.hta
Signature: QuasarRAT
File size: 64'337 bytes
First seen: 2023-10-12 12:21:31 UTC
Last seen: Never
File type: HTML Application (hta)
MIME type: text/html
ssdeep: 768:8lxvAqQiY1Qgph+3/ziRGrirzlQj3KIbd7RJSAIjK+4mmLFpLgZakmM:8xvAqQiSphvrCj3KIbd7RFxdBpMdmM
TLSH: T1BF53508D7E733E7464061EB2862B5CBD24BF6431791648F8C144E3B20D794EAAAF2D1D
Reporter: abuse_ch
Tags: DHL hta QuasarRAT RAT


abuse_ch: Spread via dhlmissed.com

Intelligence


File Origin
# of uploads: 1
# of downloads: 138
Origin country: CH
Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: HTA File - Malicious
Behaviour: BlacklistAPI detected

Result
Verdict: MALICIOUS

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Powershell drops PE file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Very long command line found
Yara detected Generic Downloader
Yara detected Quasar RAT
Yara detected Telegram RAT
Behaviour
Behavior Graph (ID 1324654; sample msjO.hta; start date 12/10/2023; architecture WINDOWS; score 100). The graph image is not reproduced here; the information recoverable from it is summarised below.

Process chain (from the graph):
mshta.exe -> powershell.exe -> svchost.exe, stub.exe, Acrobat.exe, conhost.exe
  powershell.exe drops C:\Users\user\AppData\Roaming\svchost.exe (PE32+) and C:\Users\user\AppData\Roaming\stub.exe (PE32+)
  svchost.exe (dropped) drops C:\Users\user\AppData\Roaming\...\svchost.exe (PE32+), then starts svchost.exe, powershell.exe, schtasks.exe
  stub.exe -> cmd.exe -> netsh.exe, conhost.exe
  Acrobat.exe -> AcroCEF.exe -> AcroCEF.exe
  second-stage svchost.exe -> schtasks.exe -> conhost.exe
  second-stage powershell.exe -> conhost.exe, explorer.exe

Network contacts (from the graph):
  powershell.exe -> frankmullers.duckdns.org (193.42.33.145, port 443; EENET-ASEE, Germany)
  stub.exe -> api.telegram.org (149.154.167.220, port 443; TELEGRAMRU, United Kingdom)
  svchost.exe (dropped) -> 185.17.0.246 port 1419 (SUPERSERVERSDATACENTERRU, Russian Federation), ipwho.is (108.181.47.111, port 443; ASN852CA, Canada), api4.ipify.org (64.185.227.156, port 443; WEBNXUS, United States)
  system svchost.exe -> 127.0.0.1

Signatures attached to graph nodes: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); Suspicious powershell command line found; Very long command line found; Drops PE files with benign system names; Powershell drops PE file; Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); System process connects to network (likely due to code injection or exploit); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Uses netsh to modify the Windows network and firewall settings; Monitors registry run keys for changes; Installs a global keyboard hook.
Result
Malware family:
Score: 10/10
Tags: family:quasar botnet:cashing persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Quasar RAT
Quasar payload
Malware Config
C2 Extraction: 185.17.0.246:1419

Malware family: QuasarRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: QbotStuff
Author: anonymous

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256
Web download | QuasarRAT | HTML Application (hta) | ae8c4f72c13b4103e0e977bbf2939a4b97860d1c279994d1b0bd27e00cbf8c2f (this sample)

Delivery method: Distributed via web download

Comments