MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf9635e854291ea0fe4a1dbf494d2b1ebdb2a89b4b321db264fcca47c0813781. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.Generic


Vendor detections: 17


Intelligence 17 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf9635e854291ea0fe4a1dbf494d2b1ebdb2a89b4b321db264fcca47c0813781
SHA3-384 hash: 18bc61d355b8a09443f2bfd704d21b53d428fa895e4c0f52ca0a451ceeb972ad32b46563a7fc993099c4e00264977929
SHA1 hash: bdfa395eea9240893b1426499d0967fc581b6ec8
MD5 hash: 5e664961196fc61d2a188e93fbe4b4c3
humanhash: five-coffee-vegan-twelve
File name:OperaSetup.exe
Download: download sample
Signature Adware.Generic
Create hunting rule
File size:6'351'872 bytes
First seen:2023-07-28 14:24:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 98304:+Gh5ziNlRUaub+MPDrc/c+NmXnKyFrsqCtHj92AYawl1WPOl6NVLkJ0xWNzR166X:+3NlqaubXgUCqCZBjxy/
Threatray 5 similar samples on MalwareBazaar
TLSH T1BF56CF5437F85E27E0ABE277A5B0041267F0FC1AB363EB0B2591677A1CB3B5058427A7
TrID 30.3% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
17.8% (.EXE) InstallShield setup (43053/19/16)
12.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.2% (.EXE) UPX compressed Win32 Executable (27066/9/6)
6.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
File icon (PE):PE icon
dhash icon aa38ce868282b882 (110 x Adware.Generic, 6 x CoinMiner, 5 x Formbook)
Reporter Anonymous
Tags:Adware.Generic exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
379
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
OperaSetup.exe
Verdict:
Malicious activity
Analysis date:
2023-07-28 14:26:51 UTC
Tags:
installer trojan rat asyncrat quasar remote
Link:
https://app.any.run/tasks/48919ea0-3c7f-4dec-83c6-f2037a5bb9f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/435920/
Detection(s):
Win.Malware.Generic-9883083-0
Create hunting rule

Win.Malware.Msilheracles-9900242-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.QuasarStealer.UNOFFICIAL
Create hunting rule

Win.Packed.Downeks-6898097-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Creating a process from a recently created file
Creating a file
Launching a process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
anti-vm evasive fingerprint infostealer keylogger packed quasarrat rat stealer
Link:
https://www.filescan.io/uploads/64c3cfbf5154a489a4595019/reports/dbc5ec77-5c70-4099-a103-5afd4ffcf459/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/cf9635e854291ea0fe4a1dbf494d2b1ebdb2a89b4b321db264fcca47c0813781
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/206a7f12-1342-4279-9f25-ea864b52bf74
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
62 / 100
Link:
https://www.joesandbox.com/analysis/1281881
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1281881 Sample: OperaSetup.exe Startdate: 28/07/2023 Architecture: WINDOWS Score: 62 101 eu-autoupdate.opera.com 2->101 103 autoupdate.geo.opera.com 2->103 119 Snort IDS alert for network traffic 2->119 121 Found malware configuration 2->121 123 Malicious sample detected (through community Yara rule) 2->123 125 9 other signatures 2->125 10 OperaSetup.exe 14 2->10         started        13 launcher.exe 2->13         started        15 launcher.exe 2->15         started        signatures3 process4 file5 71 C:\Users\user\AppData\Roaming\...\opera.exe, PE32 10->71 dropped 73 C:\Users\user\AppData\...\OperaSetup.exe, PE32 10->73 dropped 75 C:\Users\user\AppData\...\OperaSetup.exe.log, ASCII 10->75 dropped 17 opera.exe 4 10->17         started        21 OperaSetup.exe 48 10->21         started        77 C:\Users\user\AppData\Local\...\installer.exe, PE32+ 13->77 dropped process6 dnsIp7 59 C:\Users\user\AppData\...\launcher.exe, PE32 17->59 dropped 117 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->117 24 launcher.exe 14 2 17->24         started        28 schtasks.exe 1 17->28         started        105 submit-trn.osp.opera.software 107.167.125.189, 443, 49690, 49691 OPERASOFTWAREUS United States 21->105 107 addons.opera.com 185.26.182.111, 443, 49720, 49721 NO-OPERANO Norway 21->107 109 15 other IPs or domains 21->109 61 C:\Users\user\AppData\...\OperaSetup.exe, PE32 21->61 dropped 63 Opera_installer_2307281426300051968.dll, PE32 21->63 dropped 65 C:\Users\user\AppData\Local\...\opera_package, PE32 21->65 dropped 67 4 other files (none is malicious) 21->67 dropped 30 OperaSetup.exe 21->30         started        33 Assistant_100.0.4815.21_Setup.exe_sfx.exe 21->33         started        35 OperaSetup.exe 5 21->35         started        37 2 other processes 21->37 file8 signatures9 process10 dnsIp11 111 ipwho.is 195.201.57.90, 443, 49707 HETZNER-ASDE Germany 24->111 113 5.tcp.eu.ngrok.io 3.67.161.133, 10624, 49704 AMAZON-02US United States 24->113 115 windowsupdatebg.s.llnwi.net 24->115 127 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->127 129 Installs a global keyboard hook 24->129 39 schtasks.exe 24->39         started        41 conhost.exe 28->41         started        87 Opera_installer_2307281427189566972.dll, PE32 30->87 dropped 43 installer.exe 30->43         started        46 OperaSetup.exe 30->46         started        89 C:\Users\user\AppData\Local\...\mojo_core.dll, PE32 33->89 dropped 91 C:\Users\user\AppData\Local\...\launcher.exe, PE32 33->91 dropped 93 C:\Users\user\AppData\Local\...\dbghelp.dll, PE32 33->93 dropped 99 3 other files (none is malicious) 33->99 dropped 95 Opera_installer_2307281426307225236.dll, PE32 35->95 dropped 97 Opera_installer_2307281426365272108.dll, PE32 37->97 dropped 48 assistant_installer.exe 37->48         started        file12 signatures13 process14 file15 50 conhost.exe 39->50         started        79 Opera_installer_2307281428011683664.dll, PE32+ 43->79 dropped 81 C:\Users\user\AppData\Local\...\opera.exe, PE32+ 43->81 dropped 83 C:\Users\user\AppData\Local\...\launcher.exe, PE32+ 43->83 dropped 52 installer.exe 43->52         started        55 installer_helper_64.exe 43->55         started        57 opera.exe 43->57         started        85 Opera_installer_2307281427223144108.dll, PE32 46->85 dropped process16 file17 69 Opera_installer_2307281428031001264.dll, PE32+ 52->69 dropped
Detection:
quasar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cf9635e854291ea0fe4a1dbf494d2b1ebdb2a89b4b321db264fcca47c0813781/
Threat name:
ByteCode-MSIL.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2023-07-28 14:25:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
206
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z6ldl2cufepkb7skdw7ustjld263fke3jmzb3mte7tfepqebg6aq._file
Verdict:
malicious
Similar samples:
1cecb5f04b2bb2994f2f5f3f9413de052a28a33f7efbfa52fa8b71ef47b5d8c5
Adware.Generic
5e8fac6112512b2f2a726424c8acfe486043905a2b8efc0219be0c551a4a6cd6
Adware.Generic
aa18400f1aa2fef6c2a5a50965981a3d668e052ce8ac851a8bd145cac1ee2ace
Adware.Generic
ed4cbfe246783bd7a7d124ac8f67e208f968a805264c3c6883fe77ac8fc4e72c
Adware.Generic
ee3a27163a31b2fbe14fecb33abc0c965e81faeaba4cb379ddbf4f719677c383
Adware.Generic
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:opera spyware stealer trojan upx
Link:
https://tria.ge/reports/230728-rq95aaec7y/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
5.tcp.eu.ngrok.io:10624
Unpacked files
SH256 hash:
cf9635e854291ea0fe4a1dbf494d2b1ebdb2a89b4b321db264fcca47c0813781
MD5 hash:
5e664961196fc61d2a188e93fbe4b4c3
SHA1 hash:
bdfa395eea9240893b1426499d0967fc581b6ec8
Detections:
QuasarRAT
Create hunting rule
Link:
https://www.unpac.me/results/ee574148-edb6-4b74-b760-c279ededcc1b/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cf9635e85429/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf9635e854291ea0fe4a1dbf494d2b1ebdb2a89b4b321db264fcca47c0813781

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
Create hunting rule
Author:ditekSHen
Description:Detects executables containing base64 encoded User Agent
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Description:Detects QuasarRAT malware
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/435920/

Comments