MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b23274e47a003476681da8925f2c15ff1c7ef988cabf76dbf1e5799a914a3ab1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 5

SHA256 hash: b23274e47a003476681da8925f2c15ff1c7ef988cabf76dbf1e5799a914a3ab1
SHA3-384 hash: 07bbfc14c18e07f536523200a5cd32d9108c803c0f86b402b47df5758aa4b8b1d9c6b29f143f11a25d74c4d6c72fe4dd
SHA1 hash: ad964c582b329fb7be213c4ad59c94aa1c793042
MD5 hash: 154cee097fe7c1a1012e43ef7f0fe994
humanhash: cola-summer-snake-oregon
File name: b23274e47a003476681da8925f2c15ff1c7ef988cabf76dbf1e5799a914a3ab1
File size: 494'716 bytes
First seen: 2020-07-06 06:46:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep: 6144:UsLqdufVUNDaS1+8Fj8TyoiTkTiOYqNFd4DbOx/LrGMRS3G46WB8/:PFUNDaZ5TylB8rGmS3G46WB8/
Threatray: 177 similar samples on MalwareBazaar
TLSH: 77B49D137B90A93FD0BE0771B471461A6BB1DC173B51EB4B69546AF42C323836EA03A7
Reporter: JAMESWT_WT

Intelligence

File Origin
# of uploads: 1
# of downloads: 63
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Launching a process
Searching for the window
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Replacing files
Setting a single autorun event
Enabling a "Do not show hidden files" option
Enabling autorun with Startup directory
Threat name: Win32.Worm.Mofksys
Status: Malicious
First seen: 2020-06-30 22:48:47 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 29 of 29 (100.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: persistence trojan spyware family:quasar
Behaviour
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Looks up external IP address via web service
Adds Run entry to start application
Loads dropped DLL
Modifies the visibility of hidden or system files
Executes dropped EXE
Quasar RAT
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments