MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6fc15d5a8757a3fe1371e1b583c5627f92651cf39456da5cc9caaa53eb7f1c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6fc15d5a8757a3fe1371e1b583c5627f92651cf39456da5cc9caaa53eb7f1c7
SHA3-384 hash: e86b1caa507cd88a9cc4e85b4797f5298da29b0f8092cee942791a88d3d3d0305d58a8b0839c66ae0d3e5209f7e5491a
SHA1 hash: 0264458f32dcf96068f7599e3738abc70d99db41
MD5 hash: 82879eccfbc0aaecb25a5f79dd849f85
humanhash: gee-single-william-timing
File name:DHLMT-BL-PL-CI08348-SHIPMENT.pdf.xls.au.img
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'556'480 bytes
First seen:2020-11-19 07:30:29 UTC
Last seen:Never
File type: img
MIME type:application/x-iso9660-image
ssdeep 12288:zBKGzQIE2J6xBs+jy/BxhX3+Y0EN7v533beKDfGn8I55AA9QqPV1qRNCZfzN66jZ:zEeEGTX3Z0mZq9nAA9QSGNcfzs67R
TLSH 4F75FAF851EB10A1F25F993666AEBCA402B2F587DAD64D48037CF6301ABEB533B0550D
Reporter abuse_ch
Tags:DHL img nVpn QuasarRAT RAT


Avatar
abuse_ch
Malspam distributing QuasarRAT:

HELO: bartletfarms.com
Sending IP: 185.236.231.238
From: DHL Global Delivery <no-replydhlcourierrosenberger@dhl.cn>
Subject: TicketID:32834979185679281349 -BL- Tracking No/Shipping Docs/CI/MT101/PL/ Arrival - 11/19/2020 02:23:41 am
Attachment: DHLMT-BL-PL-CI08348-SHIPMENT.pdf.xls.au.img (contains "DHLMT-BL-PL-CI08348-SHIPMENT.pdf.xls.scr")

QuasarRAT C2:
devils.shacknet.us:4782 (185.244.26.221)

Pointing to nVpn:

% Information related to '185.244.26.192 - 185.244.26.255'

% Abuse contact for '185.244.26.192 - 185.244.26.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.26.192 - 185.244.26.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU3
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2020-04-16T22:05:10Z
last-modified: 2020-10-18T10:49:56Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
358
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Zmutzy.804.26169.17546.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6fc15d5a8757a3fe1371e1b583c5627f92651cf39456da5cc9caaa53eb7f1c7/
Threat name:
ByteCode-MSIL.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 04:36:30 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=636blvniov5d7yjxdynvqpcwe74smuophfcw3jomtsvkkpvx6hdq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

img f6fc15d5a8757a3fe1371e1b583c5627f92651cf39456da5cc9caaa53eb7f1c7

(this sample)

QuasarRAT

Executable exe 3ca289bac2df826b2d7c4faa05cd9f39a948fdf47872d56ddcfd1a45e60be963

  
Dropping
MD5 2a02d57e4ad5117eb724be65697afd66
  
Dropping
QuasarRAT
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 3ca289bac2df826b2d7c4faa05cd9f39a948fdf47872d56ddcfd1a45e60be963

Comments