MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4a9350c9b97dd32fe445e00e8d9501279e5845351609c6cd715def5ca98e404. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4a9350c9b97dd32fe445e00e8d9501279e5845351609c6cd715def5ca98e404
SHA3-384 hash: 6626311f1ec7e2f2a3417002d4fd6d6dfc09f6f530c1ba9994fb55494ffa25765e8e26343b507690b8f8183ee7a7a792
SHA1 hash: 0fa65a3099c5ec41c457662e92d53f8e0c170789
MD5 hash: 91d162dafa94fde3c80e8ed73047d03d
humanhash: sink-nebraska-mike-hawaii
File name:CM45.vbs
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:2'051 bytes
First seen:2021-05-31 11:28:09 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:E0wASV0mWD9uotUCGUcSCLBMa8vCv+gaV9/mMbhTn8/UM/VK:iKN5uoRGeMB/aV9/pT8/w
Threatray 194 similar samples on MalwareBazaar
TLSH A941A9C34519846285F6521722064BB75DB8E126919F83BBFEB0B44FDC5C378CA3C25D
Reporter abuse_ch
Tags:QuasarRAT RAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163470/
Detection(s):
SecuriteInfo.com.Trojan.VBS.SAgent.gen.15515.26190.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Creating a file
Using the Windows Management Instrumentation requests
Sending a UDP request
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/794669
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Potential evasive VBS script found (sleep loop)
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Sigma detected: Powershell download and load assembly
VBScript performs obfuscated calls to suspicious functions
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 427066 Sample: CM45.vbs Startdate: 31/05/2021 Architecture: WINDOWS Score: 100 42 Malicious sample detected (through community Yara rule) 2->42 44 Sigma detected: Drops script at startup location 2->44 46 Sigma detected: Powershell download and load assembly 2->46 48 3 other signatures 2->48 7 wscript.exe 8 2->7         started        11 wscript.exe 1 2->11         started        process3 file4 30 C:\Users\user\AppData\Roaming\...\Chromes.vbs, ASCII 7->30 dropped 52 VBScript performs obfuscated calls to suspicious functions 7->52 54 Wscript starts Powershell (via cmd or directly) 7->54 56 Potential evasive VBS script found (sleep loop) 7->56 58 2 other signatures 7->58 13 powershell.exe 14 18 7->13         started        18 powershell.exe 12 11->18         started        signatures5 process6 dnsIp7 40 cdn.discordapp.com 162.159.129.233, 443, 49717 CLOUDFLARENETUS United States 13->40 32 C:\Users\Public\Documents\Oneman.htm, PE32 13->32 dropped 60 Writes to foreign memory regions 13->60 62 Injects a PE file into a foreign processes 13->62 64 Powershell drops PE file 13->64 20 jsc.exe 15 2 13->20         started        24 conhost.exe 13->24         started        26 jsc.exe 3 18->26         started        28 conhost.exe 18->28         started        file8 signatures9 process10 dnsIp11 34 ipwhois.app 136.243.172.101, 443, 49726 HETZNER-ASDE Germany 20->34 36 allgetserver.publicvm.com 3.92.185.198, 310, 49729 AMAZON-AESUS United States 20->36 38 192.168.2.1 unknown unknown 20->38 50 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->50 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4a9350c9b97dd32fe445e00e8d9501279e5845351609c6cd715def5ca98e404/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-05-31 11:28:12 UTC
AV detection:
2 of 45 (4.44%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wsutkde3s7otf7selyaorwkqcj46lbctkfqjy3gxcxpplsuy4qca._file
Verdict:
malicious
Similar samples:
2399e5acd8e6fec2e83de445cf83b598676f57fdfedd1f67a7872a5009866591
QuasarRAT
4c6c1c0d7925af6c2891164d67743204132fcc8ea3cda471c005f446ea1cfda1
QuasarRAT
618cf92a4d525540b478ce46a3f86da110c479b6327a80fe357b990bba802a3a
QuasarRAT
78a881cbc86ce0458d8db0eae0c92a8e016537796ef3ab7928037f4a51d4ca2f
QuasarRAT
7ca4d82a3c58cde4fefab8647f477ec29e903507c99212c6ae53a6802223423d
QuasarRAT
8df967ecdb95af66b4298060286ce7ba4c05236a6825892f246dda888cd75c6a
QuasarRAT
9bc11a08f96c9b97238ffe8671c801817fe7844e280f479a7b7ce880ec197ed8
QuasarRAT
9cdcc531878d3a23d2da833a058efa100b91d212e4d5780cb21d5d36db0cbd01
QuasarRAT
b71d6728f8709dc2b8b6a57bbd0ea7d27e78a0ea16af5eff61b2d11f983e0129
QuasarRAT
ee1b2c9bdba344c7fe2dc2bec7544a038ad64dbed6add636ecdd426079296c28
QuasarRAT
+ 184 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210531-2wqz12qspn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Blocklisted process makes network request
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4a9350c9b97dd32fe445e00e8d9501279e5845351609c6cd715def5ca98e404

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pe_imphash
Create hunting rule
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/163470/

Comments