MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b603bb5bf05a55c7687cbfa64566cb5608947284b8eaf0da2b1b6d282fee3ecd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b603bb5bf05a55c7687cbfa64566cb5608947284b8eaf0da2b1b6d282fee3ecd
SHA3-384 hash: 34b2cb31edcc3d85bcefa2708c4da77fc585ae6ce394698942920c5d5fba10c113091c468a34976d83db6e9c1614dbe4
SHA1 hash: 79fbffc4c4b90d58ea179ece6153302e8dd4012d
MD5 hash: 75a0dff08308ea7de7a5a7a0528683de
humanhash: july-princess-batman-five
File name:b603bb5bf05a55c7687cbfa64566cb5608947284b8eaf0da2b1b6d282fee3ecd
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:712'305 bytes
First seen:2021-02-28 17:52:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep 12288:PFUNDatkxfIayFMNpPCA52ABhxsu67CrZgBL+/:PFOatwPyFM/hxhr++/
Threatray 4'429 similar samples on MalwareBazaar
TLSH 08E4AE1177E04E5BE1AE4B7EF0348601EB71BC466762FB4F1E42A5992D32306BD907A3
Reporter c3rb3ru5d3d53c2
Tags:QuasarRAT RAT


Avatar
c3rb3ru5d3d53c
@c3rb3ru5d3d53c Live Hunt

Intelligence

File Origin
# of uploads :
1
# of downloads :
438
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QuasarRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/120045/
Detection(s):
Win.Trojan.VBGeneric-6735875-0
Create hunting rule

Win.Trojan.Razy-6794929-0
Create hunting rule

Win.Packed.Passwordstealera-9792228-0
Create hunting rule

Win.Malware.Ursu-9794593-0
Create hunting rule

Win.Trojan.Agent-1109049
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP GET request
Launching a process
Setting a keyboard event handler
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Sending a UDP request
Unauthorized injection to a recently created process
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling a "Do not show hidden files" option
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Mofksys Quasar
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621431
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to hide user accounts
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Mofksys
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359707 Sample: 8dazsN65iH Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 66 Malicious sample detected (through community Yara rule) 2->66 68 Antivirus detection for URL or domain 2->68 70 Antivirus detection for dropped file 2->70 72 16 other signatures 2->72 10 8dazsN65iH.exe 1 3 2->10         started        14 explorer.exe 1 2->14         started        16 OpenWith.exe 17 8 2->16         started        18 5 other processes 2->18 process3 file4 50 C:\Users\user\Desktop\8dazsn65ih.exe, PE32 10->50 dropped 52 C:\Windows\Resources\Themes\icsys.icn.exe, MS-DOS 10->52 dropped 104 Drops executables to the windows directory (C:\Windows) and starts them 10->104 106 Installs a global keyboard hook 10->106 20 icsys.icn.exe 2 10->20         started        24 8dazsn65ih.exe 15 4 10->24         started        signatures5 process6 dnsIp7 48 C:\Windows\Resources\Themes\explorer.exe, MS-DOS 20->48 dropped 82 Antivirus detection for dropped file 20->82 84 Machine Learning detection for dropped file 20->84 86 Drops executables to the windows directory (C:\Windows) and starts them 20->86 88 Drops PE files with benign system names 20->88 27 explorer.exe 2 15 20->27         started        56 zxii12.ddns.net 80.193.200.66, 49734, 54984 NTLGB United Kingdom 24->56 58 ip-api.com 208.95.112.1, 49732, 80 TUT-ASUS United States 24->58 90 Protects its processes via BreakOnTermination flag 24->90 92 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->92 94 Installs a global keyboard hook 24->94 32 schtasks.exe 1 24->32         started        file8 signatures9 process10 dnsIp11 60 codecmd03.googlecode.com 27->60 62 codecmd02.googlecode.com 27->62 64 3 other IPs or domains 27->64 54 C:\Windows\Resources\spoolsv.exe, MS-DOS 27->54 dropped 110 Antivirus detection for dropped file 27->110 112 System process connects to network (likely due to code injection or exploit) 27->112 114 Machine Learning detection for dropped file 27->114 116 2 other signatures 27->116 34 spoolsv.exe 2 27->34         started        38 conhost.exe 32->38         started        file12 signatures13 process14 file15 46 C:\Windows\Resources\svchost.exe, MS-DOS 34->46 dropped 74 Antivirus detection for dropped file 34->74 76 Machine Learning detection for dropped file 34->76 78 Drops executables to the windows directory (C:\Windows) and starts them 34->78 80 2 other signatures 34->80 40 svchost.exe 1 34->40         started        signatures16 process17 signatures18 96 Antivirus detection for dropped file 40->96 98 Machine Learning detection for dropped file 40->98 100 Drops executables to the windows directory (C:\Windows) and starts them 40->100 102 Installs a global keyboard hook 40->102 43 spoolsv.exe 1 40->43         started        process19 signatures20 108 Installs a global keyboard hook 43->108
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b603bb5bf05a55c7687cbfa64566cb5608947284b8eaf0da2b1b6d282fee3ecd/
Threat name:
DOS.Worm.Mofksys
Create hunting rule
Status:
Malicious
First seen:
2021-02-28 17:53:08 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
47 of 48 (97.92%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
04fb4d7876dc1e4c31448a62dbc77223b453fb6abd187c92f51658807c21eaa5
QuasarRAT
1e2773c36054c3392f3e220d4c22cce63f31750c2ee6707198e4d15648f11897
QuasarRAT
2e1eda10e2bbd19418706a23888807e50c0407eb191cc26d541c85279193c3db
QuasarRAT
5e74c2b7ac2d1ad593abac2e47d690a083bf96f1566901e58a5f59d221bc9853
QuasarRAT
7482b140488cd74ef0403293fac39ef04971a50072ab191dd84ec9471b2f0b25
QuasarRAT
94b4df2a78e60f80472d518819e7383b09f20d18b270d60b99be31a4a12f7156
QuasarRAT
9e33fbfc975a81d62c7ec060a00a42fcdf5e84ba294be3f21d5307b79ddf9555
QuasarRAT
b23274e47a003476681da8925f2c15ff1c7ef988cabf76dbf1e5799a914a3ab1
QuasarRAT
b46a76c6240983b927fa789dbfd5214bb513285da9205c52539736286346ddaf
QuasarRAT
e83d13fcdc0f133482d558c8ce25b45a491ba3aff13849ce8169f05bb4972f0d
QuasarRAT
+ 4'419 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:venomrat family:xmrig evasion miner persistence rat rootkit stealer
Link:
https://tria.ge/reports/210228-wq1rjc8g1a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Contains code to disable Windows Defender
Modifies visiblity of hidden/system files in Explorer
VenomRAT
xmrig
Unpacked files
SH256 hash:
b603bb5bf05a55c7687cbfa64566cb5608947284b8eaf0da2b1b6d282fee3ecd
MD5 hash:
75a0dff08308ea7de7a5a7a0528683de
SHA1 hash:
79fbffc4c4b90d58ea179ece6153302e8dd4012d
Link:
https://www.unpac.me/results/c6a3ebdb-b5a6-47e0-b554-0bc05393e83e/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.virustotal.com/gui/file/b603bb5bf05a55c7687cbfa64566cb5608947284b8eaf0da2b1b6d282fee3ecd/details
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/120045/

Comments