MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 10

SHA256 hash: d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4
SHA3-384 hash: f311776da95c1890458df0e4f1be87164471767f95f1dcdb7d1e944b2de55408e5ace07f7e80ea578a8c5b14974258de
SHA1 hash: d6e066005bb5b69d5dbc5088f214012a7ab8b080
MD5 hash: 4d28365c5342f773b394205ef9eaec69
humanhash: sodium-diet-coffee-solar
File name: 4d28365c5342f773b394205ef9eaec69
Signature: QuasarRAT
File size: 145'089 bytes
First seen: 2022-05-04 00:44:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVhpalhWeW:UVqoCl/YgjxEufVU0TbTyDDalQlBW
TLSH: T192E31B236E105C7FE9568AF1B8B5DA3DBA262E361F95AD077252FB00163220375F530B
TrID: 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      23.5% (.EXE) Generic Win/DOS Executable (2002/3)
      23.5% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 0196969696969669 (1 x QuasarRAT, 1 x CryptOne, 1 x MassLogger)
Reporter: zbetcheckin
Tags: exe QuasarRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 252
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: discord.exe
Verdict: Malicious activity
Analysis date: 2022-04-30 20:21:56 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Creating a file
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Running batch commands
Launching a process
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a single autorun event
Enabling a "Do not show hidden files" option
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: CryptOne Mofksys Quasar
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mofksys
Yara detected Quasar RAT
Behaviour
Behavior Graph (ID 619922; sample QPG5coTUH4; start date 04/05/2022; architecture WINDOWS; score 100), rendered here as a process tree listing each node's contacted hosts, dropped files and triggered signatures:

Sample (root): contacts dlldns.duckdns.org, dlldns.co.uk; signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
  QPG5coTUH4.exe (started): contacts 192.168.2.1; drops C:\Users\user\Desktop\qpg5cotuh4.exe (PE32), C:\Windows\Resources\Themes\icsys.icn.exe (MS-DOS); Installs a global keyboard hook
    icsys.icn.exe: drops C:\Windows\Resources\Themes\explorer.exe (MS-DOS); Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops PE files with benign system names
      explorer.exe: contacts codecmd03.googlecode.com, codecmd02.googlecode.com, 2 other IPs or domains; drops C:\Windows\Resources\spoolsv.exe (MS-DOS); Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Machine Learning detection for dropped file; Drops PE files with benign system names
        spoolsv.exe: drops C:\Windows\Resources\svchost.exe (MS-DOS); Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; Drops PE files with benign system names
          svchost.exe: Antivirus detection for dropped file; Detected CryptOne packer; Machine Learning detection for dropped file; 2 other signatures
            spoolsv.exe
    qpg5cotuh4.exe: contacts dlldns.co.uk (217.160.0.177; ports 443, 49749, 49759; ONEANDONE-ASBrauerstrasse48DE, Germany); drops C:\Users\user\AppData\Roaming\payload.exe (MS-DOS)
      payload.exe: drops C:\Users\user\AppData\Roaming\payload.exe (PE32); Multi AV Scanner detection for dropped file; Installs a global keyboard hook
        payload.exe: contacts dlldns.duckdns.org (80.66.64.146; ports 20000, 49761, 49774; VAD-SRL-AS1MD, Russian Federation), whoru222.xyz (198.187.29.31; port 20000; NAMECHEAP-NETUS, United States), 2 other IPs or domains; Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
          cmd.exe: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
            payload.exe: contacts whoru222.xyz, whereami3.xyz, 2 other IPs or domains; Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
              cmd.exe
                conhost.exe
            conhost.exe
            chcp.com
            PING.EXE
        icsys.icn.exe
  payload.exe (started): Drops executables to the windows directory (C:\Windows) and starts them
    icsys.icn.exe: Drops executables to the windows directory (C:\Windows) and starts them; Installs a global keyboard hook
      explorer.exe
    payload.exe: contacts dlldns.duckdns.org; Hides that the sample has been downloaded from the Internet (zone.identifier)
  svchost.exe (started): Changes security center settings (notifications, updates, antivirus, firewall)
    MpCmdRun.exe
      conhost.exe
  13 other processes: contact 127.0.0.1
Threat name: Win32.Trojan.Golsys
Status: Malicious
First seen: 2022-04-28 05:58:33 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 41 of 42 (97.62%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Modifies visibility of hidden/system files in Explorer
Unpacked files
SHA256 hash: d01bee7c29bfaaf22f9cae59280edb4e4dfdbb3bf30ec6f8adcec017063b9410
MD5 hash: ddadcb6944a202b0e35751ab4a086665
SHA1 hash: 0443ae7ff7b4c5c4a42d897691474c4e282db2c4
SHA256 hash: d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4
MD5 hash: 4d28365c5342f773b394205ef9eaec69
SHA1 hash: d6e066005bb5b69d5dbc5088f214012a7ab8b080
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT
Executable exe d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2022-05-04 00:44:10 UTC

url : hxxps://dlldns.co.uk/discord.exe