MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb9a1578f59d63b185023ada6c485e8b5cf9336e4b6bd3cad139d234b4f03c6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb9a1578f59d63b185023ada6c485e8b5cf9336e4b6bd3cad139d234b4f03c6d
SHA3-384 hash: c6069409ffe85e3df987531a203b3e8d4df9f5262d79da557a0fb3f4eaa3886f478d978925203ea41cf65a8bc5ee3df7
SHA1 hash: 537a94d82b04e03e51a722e51244d0cd9e93ad19
MD5 hash: 8386c61f08a88476c47f9073d44f4e40
humanhash: winner-music-september-bulldog
File name:yb5aca44
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'699'328 bytes
First seen:2020-12-24 16:01:43 UTC
Last seen:2020-12-24 18:26:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:vocRr+rXfsQTZ1ttw3WgkZs4b+BD+PEz68DRlPdAVWIrLk1o/hcD/js89+u:AbBZBiwZsxsPEz66Pc9JcD/I
Threatray 153 similar samples on MalwareBazaar
TLSH D9752321B5F1E164C86C8F7A9C4115079B28E97CD957EF7F3C8827E908AB31943A3789
Reporter j_dubp
Tags:Quasar QuasarRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
735
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://tinyurl.com/yb5aca44
Verdict:
Malicious activity
Analysis date:
2020-12-24 15:46:56 UTC
Tags:
evasion trojan rat quasar
Link:
https://app.any.run/tasks/a4f437f6-f3b4-432d-82a9-b2f5fa25d9e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109371/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.4350.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching the process to change the firewall settings
Launching a process
Enabling autorun with the shell\open\command registry branches
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/569802
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to hide user accounts
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM_3
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 333961 Sample: httpscdndiscordappcomattach... Startdate: 24/12/2020 Architecture: WINDOWS Score: 100 48 prda.aadg.msidentity.com 2->48 50 ip-api.com 2->50 58 Multi AV Scanner detection for domain / URL 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 14 other signatures 2->64 9 httpscdndiscordappcomattachments785319022966997035791667564027052052aGBWK3jv8vMhTU3.exe 3 2->9         started        signatures3 process4 file5 44 httpscdndiscordapp...K3jv8vMhTU3.exe.log, ASCII 9->44 dropped 66 Injects a PE file into a foreign processes 9->66 13 httpscdndiscordappcomattachments785319022966997035791667564027052052aGBWK3jv8vMhTU3.exe 16 6 9->13         started        signatures6 process7 dnsIp8 52 54.39.152.114, 21, 49734, 49737 OVHFR Canada 13->52 54 ip-api.com 208.95.112.1, 49731, 49768, 80 TUT-ASUS United States 13->54 56 2 other IPs or domains 13->56 46 C:\Users\user\AppData\Roaming\Venom.exe, PE32 13->46 dropped 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->68 18 cmd.exe 1 13->18         started        20 cmd.exe 1 13->20         started        22 cmd.exe 1 13->22         started        24 7 other processes 13->24 file9 signatures10 process11 process12 26 netsh.exe 3 18->26         started        28 conhost.exe 18->28         started        30 netsh.exe 3 20->30         started        32 conhost.exe 20->32         started        34 netsh.exe 3 22->34         started        36 conhost.exe 22->36         started        38 netsh.exe 3 24->38         started        40 netsh.exe 3 24->40         started        42 12 other processes 24->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb9a1578f59d63b185023ada6c485e8b5cf9336e4b6bd3cad139d234b4f03c6d/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2020-12-24 16:02:07 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xonbk6hvtvr3dbichlngysc6rnopsm3ojnv5hswrhhjdjnhqhrwq._file
Verdict:
malicious
Similar samples:
183d3d50bf7b49305a37925f69ea1b88e14444122826ce41e19f2f066dbba97e
QuasarRAT
39f5ac290e298e02e5c7854274278b08afae1162569ed4029c8f014425097250
QuasarRAT
471a91b4f8d67792bf0b5a67460fb7fe335db4963a7154c0cc20fe7461a87514
QuasarRAT
703aadea111eae71a7dfb3f2c63c4522b4edd138033fef221295f74d3509e10a
QuasarRAT
774fa620be98d94c8530d9c5e50e48c7595271fb911753b1c16d33dad1bc141d
QuasarRAT
7ed14885068667e9de2ede24522ab5e7bc2b02ed2f5953d590517921a3d77f4f
QuasarRAT
94b4df2a78e60f80472d518819e7383b09f20d18b270d60b99be31a4a12f7156
QuasarRAT
9e33fbfc975a81d62c7ec060a00a42fcdf5e84ba294be3f21d5307b79ddf9555
QuasarRAT
d33b633b962e2851492365a557b624d4682620516513cde765b5e0428c69d917
QuasarRAT
d8032c71de22af1a399435b344ca825689ee175529c98fce2529f128f8357dc2
QuasarRAT
+ 143 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion
Link:
https://tria.ge/reports/201224-a977rzbzve/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Modifies Windows Firewall
Unpacked files
SH256 hash:
bb9a1578f59d63b185023ada6c485e8b5cf9336e4b6bd3cad139d234b4f03c6d
MD5 hash:
8386c61f08a88476c47f9073d44f4e40
SHA1 hash:
537a94d82b04e03e51a722e51244d0cd9e93ad19
Link:
https://www.unpac.me/results/1cbd41c2-ce89-4b08-ad8a-1eff6444b6b6/
SH256 hash:
a0b5fdc0404ff4c96129a8b72a73832b2ee225532a7edacf3fb6a9dcf4f8abba
MD5 hash:
8433653f0027083fa4b3629c54baa2b6
SHA1 hash:
d2f4e0d09fbb1848ae99d7d1bfb73dbaff888b9c
Link:
https://www.unpac.me/results/1cbd41c2-ce89-4b08-ad8a-1eff6444b6b6/
SH256 hash:
3a96d9a797a3b6b3ea0d8264ed1078508df9557e2f453217d52a75907f9b9465
MD5 hash:
547ebc92cac936d8c3459d2765948f4a
SHA1 hash:
09c143d609b65b19a97289ca7645df2a0bc39c83
Link:
https://www.unpac.me/results/1cbd41c2-ce89-4b08-ad8a-1eff6444b6b6/
SH256 hash:
ce7eb857b9728b42bdfe9dd6d1c81b45f364ac3ddec1f9fe8b8792a5d0921f71
MD5 hash:
3f5e9afa7a363e2a37bd2db38c130611
SHA1 hash:
0cbf046a00f94e79221a2499273a459e61540352
Link:
https://www.unpac.me/results/1cbd41c2-ce89-4b08-ad8a-1eff6444b6b6/
SH256 hash:
c1428ec7129ad3e36dad35d8992602cefcd6a593952834897424314fe029dd4b
MD5 hash:
67ca4c5eed9cab4b08064d4314dc0a86
SHA1 hash:
61dfa1d80d9e6b506d29e3897dd3ca08ade30988
Link:
https://www.unpac.me/results/1cbd41c2-ce89-4b08-ad8a-1eff6444b6b6/
Parent samples :
a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87
e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0
fbe788dd0db451b33c60b855c9aa18af0d2b87140cfa25a0a78be290d10089cc
ace5504608d43d701becbb246abe3c7b0483fd3904c13a5677084e6f98ef0271
d4e3e9ccf34249744cc8bbeba02fb11626604b8093edc8d85326b467e6aeb7b1
326e0518dab187c2786ffb1429a71dc764ef82211aaf59bcd3a8a78c01579283
2a8c219afd3d9e171dc1515b32185bad9172bbcdaf15a6a7502458b6e7553ff5
8c5659ff1e439fdb199c25ac76fb8d3e9c45b702ac8c99073ccdf7fd1f9cdbfd
SH256 hash:
1667a7a14d473feb784ecec1dbd07f37981ddd9a3f1b85bdaaf29808e75d60ba
MD5 hash:
553e92bfb6ea6455b98809f1ca5542e9
SHA1 hash:
8de2414afcce495f17773e734fbc58a029bc0441
Link:
https://www.unpac.me/results/1cbd41c2-ce89-4b08-ad8a-1eff6444b6b6/
SH256 hash:
3db2b0c012e3e770548b36eb84ea2278f34dfda82a269fc30f38e743b33855e3
MD5 hash:
ef33c4c8efc8c1b355ad64e12b010070
SHA1 hash:
ac30158d8bd81ec0b728a299c9e72789b4f33f31
Link:
https://www.unpac.me/results/1cbd41c2-ce89-4b08-ad8a-1eff6444b6b6/
SH256 hash:
e83cef9cfa4e2ea30e28843e43c60ebf8f6590fb753ad0aa5ed1123c01280527
MD5 hash:
bf99ee5fbf42797bd1ade95b109d634c
SHA1 hash:
e02abfdbca94a24a36b47d49a28360b79aabd294
Link:
https://www.unpac.me/results/1cbd41c2-ce89-4b08-ad8a-1eff6444b6b6/
SH256 hash:
542be6a092437c47aec4c046bf4636f9a3153954b0384141b8cc2922d68a38b5
MD5 hash:
bfb7da75069724d5ec80b44bc2e46d9f
SHA1 hash:
fe757e6a079f7be6efa5d15df7260792560f6576
Link:
https://www.unpac.me/results/1cbd41c2-ce89-4b08-ad8a-1eff6444b6b6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/bb9a1578f59d63b185023ada6c485e8b5cf9336e4b6bd3cad139d234b4f03c6d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/a4f437f6-f3b4-432d-82a9-b2f5fa25d9e1#
Cape
Cape
https://www.capesandbox.com/analysis/109371/

Comments