MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6deef7825e9fc588ee77c25398896ac695e0c02c44276fc4382218807b01e17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6deef7825e9fc588ee77c25398896ac695e0c02c44276fc4382218807b01e17
SHA3-384 hash: a33a334de931f95c3c5a0d4d377197df6088f3312d49fccf8ee77c1650334ef70c55d6d9b09695ed34f9fda5bd6ad396
SHA1 hash: 978dbdd1de6938658fd2bb7fa62504bc9854e7df
MD5 hash: 779aba07d9e38600f5d56b1cdb4b13b3
humanhash: uniform-robin-double-summer
File name:SecuriteInfo.com.Win32.PWSX-gen.16062.16220
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:965'632 bytes
First seen:2022-11-29 06:37:10 UTC
Last seen:2022-12-10 04:53:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:njm1ajgVIqHZCWRehw84H+ZzF0ImT9JfeDH8EM1xr:cajysjhw+MImTbfmrwxr
Threatray 5'449 similar samples on MalwareBazaar
TLSH T17B257CFDE3E34B93E8312A36CA91563412323EC564F5EEF516C8B62C4D312DE921A95C
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 31f0c0b2b2c0f071 (8 x Formbook, 7 x AgentTesla, 4 x AsyncRAT)
Reporter SecuriteInfoCom
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.16062.16220
Verdict:
Malicious activity
Analysis date:
2022-11-29 06:39:53 UTC
Tags:
evasion stealer quasar
Link:
https://app.any.run/tasks/afee822c-22e8-4461-bd7b-3efd7d913143

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/339621/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.16062.16220.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker packed
Link:
https://www.filescan.io/uploads/6385a8cb94f9bac087b3bb15/reports/3349e331-616b-40c5-834b-47d614adc111/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BluStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43c154d8-edec-4854-a16f-0af2b248a8f7
Result
Threat name:
BluStealer, SpyEx, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1123069
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected BluStealer
Yara detected SpyEx stealer
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 755793 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 29/11/2022 Architecture: WINDOWS Score: 100 45 Malicious sample detected (through community Yara rule) 2->45 47 Sigma detected: Scheduled temp file as task from temp location 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 8 other signatures 2->51 7 SecuriteInfo.com.Win32.PWSX-gen.16062.16220.exe 7 2->7         started        11 lOtOQV.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\Roaming\lOtOQV.exe, PE32 7->33 dropped 35 C:\Users\user\...\lOtOQV.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmpCBCB.tmp, XML 7->37 dropped 39 SecuriteInfo.com.W...16062.16220.exe.log, ASCII 7->39 dropped 53 Uses schtasks.exe or at.exe to add and modify task schedules 7->53 55 Writes to foreign memory regions 7->55 57 Allocates memory in foreign processes 7->57 59 Adds a directory exclusion to Windows Defender 7->59 13 RegSvcs.exe 1 7->13         started        15 powershell.exe 21 7->15         started        17 schtasks.exe 1 7->17         started        61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 65 Injects a PE file into a foreign processes 11->65 19 schtasks.exe 1 11->19         started        21 RegSvcs.exe 11->21         started        signatures5 process6 process7 23 AppLaunch.exe 15 3 13->23         started        27 conhost.exe 15->27         started        29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        dnsIp8 41 icanhazip.com 104.18.115.97, 49695, 80 CLOUDFLARENETUS United States 23->41 43 251.241.3.0.in-addr.arpa 23->43 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->67 69 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->69 71 May check the online IP address of the machine 23->71 73 2 other signatures 23->73 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6deef7825e9fc588ee77c25398896ac695e0c02c44276fc4382218807b01e17/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-11-29 04:19:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
23 of 41 (56.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y3po66bf5h6frdxhpqsttcewvruv4dacyrbhn7cdqiqyqb5qdylq._file
Verdict:
malicious
Similar samples:
208591b78135b397fcf22a58338bea5c086935362fb5e255e40ecb1a78245209
QuasarRAT
29865b75c412f1ac28c7d971b011806080c583640b0130bfe9603d35c5665fce
QuasarRAT
458fefa707435c36315bf410b3318c34a83da7e4bb2429986ba4ab95986d9d11
QuasarRAT
84c53b0151ffcb22f8c50057daf61f41f6eb39381f41ca4db908fb93170382db
QuasarRAT
a5a5d6cf9bac9b05754400ae9f7c0caee913fc42c3584e2dfe33b655c4d206fc
QuasarRAT
d079abc9b57395804589c2583f98855b02d8aab8f850df5c56a9ce0aa1114508
QuasarRAT
e5d26dfcae4e341af30d44b23d647da25d217ddc3787c2e705ebbef0a3c132b8
QuasarRAT
f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a
QuasarRAT
+ 5'439 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:blustealer family:stormkitty collection stealer
Link:
https://tria.ge/reports/221129-hd24gaeb27/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
BluStealer
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs/sendMessage?chat_id=932962718
Unpacked files
SH256 hash:
23384fde4083620818416bd1a03dcc4c1818ce406d4b26f28304fca986a1ebe6
MD5 hash:
01a36f0899622d0c585dac507ef8a119
SHA1 hash:
d2ea5cebfa4ed2765a846a955b81abc55b989d47
Detections:
win_agent_tesla_g2
Create hunting rule
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/dc31c380-4f25-4b75-9d87-8c8c44ab9b89/
SH256 hash:
0c4dbcff6efc78135b5bb23d63b4aa666c3c7039cd8406cfde8addd03aa525a5
MD5 hash:
dae8cbf4e5ce6115855eb05a8bfc1230
SHA1 hash:
382b2f3f4cd8560f900ee9942b3e0626efdc2b0a
Link:
https://www.unpac.me/results/dc31c380-4f25-4b75-9d87-8c8c44ab9b89/
SH256 hash:
490d68f6554d360a5ff5fe98882bd458236bc312d613d29c105372e581bead6d
MD5 hash:
19cc8c5972d9bdce294584473870f92b
SHA1 hash:
cf048b41771a69c6e0a0db276adc970b8990ef93
Link:
https://www.unpac.me/results/dc31c380-4f25-4b75-9d87-8c8c44ab9b89/
SH256 hash:
3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash:
1619753b625e58c25b73fbf1f0bff482
SHA1 hash:
c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4
Link:
https://www.unpac.me/results/dc31c380-4f25-4b75-9d87-8c8c44ab9b89/
SH256 hash:
c32b54bd021a591dc85915cb20acd006c0db37ba830edec8ed2dc2212b8f2943
MD5 hash:
6e0582a21a1e98f76e61462ecdbd5f35
SHA1 hash:
7c4e0ca068648a70af2b369a5ad7eb14ef95ca19
Link:
https://www.unpac.me/results/dc31c380-4f25-4b75-9d87-8c8c44ab9b89/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/dc31c380-4f25-4b75-9d87-8c8c44ab9b89/
SH256 hash:
a66f8df767cda60195f0bc3bc88dbb2c75af7fbd547308fbe985301190a97cc5
MD5 hash:
cd4a6b5dd49a7731cbe69c5f93124a4a
SHA1 hash:
0c875ec06df1594064c6f203ae1603b2faaa95bc
Link:
https://www.unpac.me/results/dc31c380-4f25-4b75-9d87-8c8c44ab9b89/
SH256 hash:
c6deef7825e9fc588ee77c25398896ac695e0c02c44276fc4382218807b01e17
MD5 hash:
779aba07d9e38600f5d56b1cdb4b13b3
SHA1 hash:
978dbdd1de6938658fd2bb7fa62504bc9854e7df
Link:
https://www.unpac.me/results/dc31c380-4f25-4b75-9d87-8c8c44ab9b89/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c6deef7825e9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6deef7825e9fc588ee77c25398896ac695e0c02c44276fc4382218807b01e17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/339621/

Comments