MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1fa4207d7c46c5f84b1c45e7b5d09aa9c99c896b0e25664bee3b13fcaabcfad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1fa4207d7c46c5f84b1c45e7b5d09aa9c99c896b0e25664bee3b13fcaabcfad
SHA3-384 hash: 52569f80da2908acddf0d7b59a10f53358de46ff8211322d38487004d66078d118f95f8a9cea348aa15363e37168cc9b
SHA1 hash: e682b84622bd5b026271a4e1f32ee26c54f51d14
MD5 hash: 4e360770f75b71af91ff81711df27411
humanhash: foxtrot-colorado-eight-spaghetti
File name:ZY44.vbs
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'603 bytes
First seen:2020-12-20 12:08:53 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:rmTOFtaBH2DE3D2Lr6HrLT2LaTy0AzHATjmElT0TRvTj6TdTPP0TL4GT5TYsGTuB:rt2sK2m+LF9f5Hu04dSYQIZas43dMUVj
Threatray 155 similar samples on MalwareBazaar
TLSH 1C71A6C9562FE9F53816E080385FCB6BC6705A1B74C4A050FBDF8AA0C67D216F135666
Reporter abuse_ch
Tags:HostGator QuasarRAT vbs


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gateway24.websitewelcome.com
Sending IP: 192.185.50.71
From: TheBill <Invoice69@Mail10.homebill.xzp.fr>
Subject: Order Confirmation.
Attachment: ZY44.ISO (contains "ZY44.vbs")

Intelligence

File Origin
# of uploads :
1
# of downloads :
475
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108610/
Detection(s):
SecuriteInfo.com.BehavesLike.VBS.Dropper.zv.20518.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Creating a file
Sending a UDP request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/566995
Signature
Binary contains a suspicious time stamp
Drops VBS files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Drops script at startup location
VBScript performs obfuscated calls to suspicious functions
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM_3
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332580 Sample: ZY44.vbs Startdate: 20/12/2020 Architecture: WINDOWS Score: 100 46 Malicious sample detected (through community Yara rule) 2->46 48 Yara detected AntiVM_3 2->48 50 Yara detected Quasar RAT 2->50 52 3 other signatures 2->52 7 wscript.exe 8 2->7         started        11 wscript.exe 6 2->11         started        process3 file4 32 C:\Users\user\AppData\Roaming\...\ZY44.vbs, ASCII 7->32 dropped 60 VBScript performs obfuscated calls to suspicious functions 7->60 62 Wscript starts Powershell (via cmd or directly) 7->62 64 Windows Shell Script Host drops VBS files 7->64 66 Drops VBS files to the startup folder 7->66 13 powershell.exe 14 18 7->13         started        17 powershell.exe 17 11->17         started        signatures5 process6 dnsIp7 40 raw.githubusercontent.com 13->40 42 github.map.fastly.net 151.101.0.133, 443, 49732, 49741 FASTLYUS United States 13->42 68 Writes to foreign memory regions 13->68 70 Injects a PE file into a foreign processes 13->70 72 Powershell drops PE file 13->72 20 MSBuild.exe 15 4 13->20         started        24 conhost.exe 13->24         started        44 raw.githubusercontent.com 17->44 30 C:\Users\Public\Music\xt.jpg, PE32 17->30 dropped 26 MSBuild.exe 3 17->26         started        28 conhost.exe 17->28         started        file8 signatures9 process10 dnsIp11 34 ip-api.com 208.95.112.1, 49733, 80 TUT-ASUS United States 20->34 36 aptzebi.myq-see.com 172.98.72.144, 49734, 5552 TOTAL-SERVER-SOLUTIONSUS United States 20->36 38 192.168.2.1 unknown unknown 20->38 54 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->54 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->56 58 Installs a global keyboard hook 20->58 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1fa4207d7c46c5f84b1c45e7b5d09aa9c99c896b0e25664bee3b13fcaabcfad/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2020-12-20 12:09:09 UTC
AV detection:
2 of 48 (4.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2h5eeb6xyrwf7bfryrphwxijvkojtsewwdrfmzf64oyt7svlz6wq._file
Verdict:
malicious
Similar samples:
0edcb04a8c95ff3a62a36af878b9b946a743bf80c37f4c6d9042f1dd2404d368
QuasarRAT
0fadb9fa2742735b1d7001fd5511627318e45fc51d8798f5b9f4bb20cfbd70e8
QuasarRAT
40981ed2079d1c26fa7b1fb1640aa315dfdebd128741fdc1e3629d0e470e9238
QuasarRAT
466bd07ba5662c8787479a2ead7d90419ef31c4b61f36b9384968b9ea1822a10
QuasarRAT
5285fc4f59a5847a66117240c59925f42dd6e5c7a17c2e90c49234d7913b6afb
QuasarRAT
7035da8898c0867d775597910d50f55a1428bc4588558319f70b1b219cb067be
QuasarRAT
8f44f9b4e0716329638b3cf4b2470df57e199e9b66bb58e225aa767d9d48dd7e
QuasarRAT
b3d36e86a478b5223968e34ca51bff54002eb9b1a01ef26d8b657d49dd4dd831
QuasarRAT
c93d2d7d45d531ead9824e70925767ef0e8adc23f88f05baafb7e6435772db58
QuasarRAT
e2d6b8bc603260f1a7564a044523d230c31c8d873deabb579cae90b88f1b92b9
QuasarRAT
+ 145 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/201220-cf9eb9w27n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1fa4207d7c46c5f84b1c45e7b5d09aa9c99c896b0e25664bee3b13fcaabcfad

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

iso a9b53acfb1fdca1885e5b2c3bbb68d558f237a68f033c594e0cf1120cf65b115

QuasarRAT

Visual Basic Script (vbs) vbs d1fa4207d7c46c5f84b1c45e7b5d09aa9c99c896b0e25664bee3b13fcaabcfad

(this sample)

  
Dropped by
MD5 0f638a7c6c2a8602cf629e0eaf351282
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/108610/
  
Dropped by
SHA256 a9b53acfb1fdca1885e5b2c3bbb68d558f237a68f033c594e0cf1120cf65b115

Comments