MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc9cc50af2bb6edf9a3c343311bfc20f90b5244e4d126c22a41a3d2475f2ef76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	bc9cc50af2bb6edf9a3c343311bfc20f90b5244e4d126c22a41a3d2475f2ef76
SHA3-384 hash:	c12d3047907b892dc3558da1f53f537c200a3d0657b881b9d73b3c532800f1bab65fb30cea5382d0a9ce661e55ce5c18
SHA1 hash:	2e1203c174c15d07abf2b61eec0d405c754c5051
MD5 hash:	509b71c21edb94cd886708245ea3d522
humanhash:	blossom-seven-hot-river
File name:	TW#9898748948-TZE.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	858'112 bytes
First seen:	2021-04-05 06:33:07 UTC
Last seen:	2021-04-05 08:24:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:rmEPPlNWVIuJhhsqsY1aclvlJnXvfSnC/N9OzFgmIA9T4lSozSk8:lVNHYwqsYY6XvkC/N9Mz6b
Threatray	21 similar samples on MalwareBazaar
TLSH	1E05E01276849365ECAA2F34182795550373FE057D2EE60EADCCB15E2F33B878B12792
Reporter	abuse_ch
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

TW#9898748948-TZE.exe

Verdict:

Suspicious activity

Analysis date:

2021-04-05 06:41:37 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fd9110f8-b833-4219-8c62-aa447180b317

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/132162/

Detection(s):

SecuriteInfo.com.Artemis509B71C21EDB.8068.11834.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0db89dad-deaf-4f12-b299-12fc28e2b7fa

Result

Threat name:

Orion Logger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/665856

Signature

.NET source code contains potential unpacker

Antivirus detection for dropped file

Contains functionality to register a low level keyboard hook

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected AntiVM3

Yara detected Orion Logger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bc9cc50af2bb6edf9a3c343311bfc20f90b5244e4d126c22a41a3d2475f2ef76/

Threat name:

Win32.Backdoor.Blakken

Status:

Malicious

First seen:

2021-04-05 06:34:24 UTC

AV detection:

4 of 48 (8.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xsomkcxsxnxn7gr4gqzrdp6cb6ilkjcojujgyivedi6si5ps553a._file

Verdict:

suspicious

QuasarRAT

198c41255ba24b553540eecc84e89e0a9c367798c2c980c9e871e30f32bb9db4

QuasarRAT

267126396c3c2edf406eecf6072b3acbee74dfbde7630cd184b9824ed18aac92

QuasarRAT

3b7f5600ea7bfb0af990233fb399996066af428042afc0bdc1ed468acfee750f

QuasarRAT

57bc81f09c26a67ebfbf6ed01a86c622b298fcb166ed09e93c4a03db6be28910

QuasarRAT

629b3cae35bc68dd937d25e65631dcaa81a436286292c0be2d308708964f4417

QuasarRAT

7a144e303252fe9f71887b9fdf4578009ea5b83186c30a8430306eb787c48e76

QuasarRAT

8dd5ff17f444a8642bcd3601849987c6c202eaf344ba4dc606a216adffbdae4d

QuasarRAT

b2ccefc9809053d0d590ad346ee8a3fc38ff405eefb28b9e4d8fb287bee761a8

QuasarRAT

ed4351f2a2d480f3bc7e25389753b9c640cf34b7b2b9a0cab16aae41754eb5a1

QuasarRAT

+ 11 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/210405-v5jzahvcrn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379

MD5 hash:

95dfa1a9015a17a1d49b4faa3f3d999d

SHA1 hash:

427b72727b28436554d0443d797f19b2ea37cc16

Link:

https://www.unpac.me/results/447d160b-3719-4a45-980f-7d23b983cf96/

SH256 hash:

bc9cc50af2bb6edf9a3c343311bfc20f90b5244e4d126c22a41a3d2475f2ef76

MD5 hash:

509b71c21edb94cd886708245ea3d522

SHA1 hash:

2e1203c174c15d07abf2b61eec0d405c754c5051

Link:

https://www.unpac.me/results/447d160b-3719-4a45-980f-7d23b983cf96/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/bc9cc50af2bb6edf9a3c343311bfc20f90b5244e4d126c22a41a3d2475f2ef76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MSILStealer Create hunting rule
Author:	https://github.com/hwvs
Description:	Detects strings from C#/VB Stealers and QuasarRat
Reference:	https://github.com/quasar/QuasarRAT

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

exe bc9cc50af2bb6edf9a3c343311bfc20f90b5244e4d126c22a41a3d2475f2ef76

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/132162/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample