MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f859bddda5d049e5449032b8a4373515a6a06cbc2019f9fc1c0c269ba4d90153. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f859bddda5d049e5449032b8a4373515a6a06cbc2019f9fc1c0c269ba4d90153
SHA3-384 hash: fa9fb5b136df66eeae8885e8250bfcfbb86997fb0a0356d79988d5dd4998de5cbbac70119d51206fd245a86b4d0c22e6
SHA1 hash: 791d1648ee703e05b4749fcb99c8f45692e73787
MD5 hash: 2e9ba9334449304220a549e7a75447f4
humanhash: blue-victor-vegan-mango
File name:Adobe Download Manager.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:2'110'648 bytes
First seen:2023-12-21 18:21:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKY1:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YL
TLSH T17AA5BE41A3DC82A1CE6A4372BA36DB219B777C692634F70E1ED83D7A3E723521518353
TrID 52.1% (.OCX) Windows ActiveX control (116521/4/18)
25.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
7.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter adm1n_usa32
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
f859bddda5d049e5449032b8a4373515a6a06cbc2019f9fc1c0c269ba4d90153.zip
Verdict:
No threats detected
Analysis date:
2023-12-21 23:31:22 UTC
Tags:
rat quasar
Link:
https://app.any.run/tasks/37576c87-6846-45d7-9da5-015d9b45ab7e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/468855/
Detection(s):
Win.Dropper.Miner-7086570-0
Create hunting rule

Win.Packed.Autoit-7640561-0
Create hunting rule

Win.Malware.Carberp-9796259-0
Create hunting rule

Win.Packed.Generic-9830106-0
Create hunting rule

Win.Packed.QuasarRAT-10012744-0
Create hunting rule

Win.Malware.Generic-6623004-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.Generic.vh.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm autoit carberp control crypto evasive eventvwr explorer fingerprint greyware hook infostealer keylogger keylogger lolbin lolbin miner overlay packed quasar quasarrat rat schtasks shell32 stealer stealer ursnif vermin xrat
Link:
https://www.filescan.io/uploads/6584824dffafd83ebc973ae4/reports/bc76ef7b-8270-4e38-be2f-94672e4a8993/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f859bddda5d049e5449032b8a4373515a6a06cbc2019f9fc1c0c269ba4d90153
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkVNC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6059fe92-d4d8-4b8b-a15c-5f2e2090fd8a
Result
Threat name:
AZORult, Quasar, Ramnit
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1365741
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Contains VNC / remote desktop functionality (version string found)
Detected AZORult Info Stealer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Generic Downloader
Yara detected Quasar RAT
Yara detected Ramnit VNC Module
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1365741 Sample: Adobe_Download_Manager.exe Startdate: 21/12/2023 Architecture: WINDOWS Score: 100 65 0x21.in 2->65 67 ip-api.com 2->67 91 Snort IDS alert for network traffic 2->91 93 Found malware configuration 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 13 other signatures 2->97 10 Adobe_Download_Manager.exe 5 2->10         started        14 SystemPropertiesPerformance.exe 1 2->14         started        16 winsock.exe 2->16         started        signatures3 process4 file5 59 C:\Users\...\SystemPropertiesPerformance.exe, PE32 10->59 dropped 61 C:\Users\user\AppData\Local\Temp\windef.exe, PE32 10->61 dropped 63 C:\Users\user\AppData\Local\Temp\vnc.exe, PE32 10->63 dropped 111 Detected AZORult Info Stealer 10->111 113 Binary is likely a compiled AutoIt script file 10->113 115 Found many strings related to Crypto-Wallets (likely being stolen) 10->115 123 4 other signatures 10->123 18 vnc.exe 10->18         started        21 windef.exe 15 5 10->21         started        25 Adobe_Download_Manager.exe 12 10->25         started        27 schtasks.exe 1 10->27         started        117 Antivirus detection for dropped file 14->117 119 Machine Learning detection for dropped file 14->119 121 Contains VNC / remote desktop functionality (version string found) 14->121 29 vnc.exe 14->29         started        31 SystemPropertiesPerformance.exe 14->31         started        33 schtasks.exe 14->33         started        35 windef.exe 14->35         started        signatures6 process7 dnsIp8 73 Antivirus detection for dropped file 18->73 75 Multi AV Scanner detection for dropped file 18->75 77 Machine Learning detection for dropped file 18->77 89 2 other signatures 18->89 37 svchost.exe 18->37         started        69 ip-api.com 208.95.112.1, 49730, 49731, 80 TUT-ASUS United States 21->69 57 C:\Users\user\AppData\Roaming\...\winsock.exe, PE32 21->57 dropped 79 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->79 41 winsock.exe 14 4 21->41         started        43 schtasks.exe 1 21->43         started        81 Binary is likely a compiled AutoIt script file 25->81 45 conhost.exe 27->45         started        83 Contains VNC / remote desktop functionality (version string found) 29->83 85 Writes to foreign memory regions 29->85 87 Allocates memory in foreign processes 29->87 47 svchost.exe 29->47         started        49 conhost.exe 33->49         started        file9 signatures10 process11 dnsIp12 71 5.8.88.191, 443, 49732, 8080 KOMETA-ASRU Russian Federation 37->71 99 Contains VNC / remote desktop functionality (version string found) 37->99 101 Contains functionality to modify clipboard data 37->101 103 Antivirus detection for dropped file 41->103 105 Multi AV Scanner detection for dropped file 41->105 107 Machine Learning detection for dropped file 41->107 109 2 other signatures 41->109 51 schtasks.exe 41->51         started        53 conhost.exe 43->53         started        signatures13 process14 process15 55 conhost.exe 51->55         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f859bddda5d049e5449032b8a4373515a6a06cbc2019f9fc1c0c269ba4d90153
Detection:
quasar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f859bddda5d049e5449032b8a4373515a6a06cbc2019f9fc1c0c269ba4d90153/
Threat name:
Win32.Trojan.MoksSteal
Create hunting rule
Status:
Malicious
First seen:
2023-12-21 15:09:57 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
32 of 37 (86.49%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7bm33xnf2be6kreqgk4kinzvcwtka3f4eam7t7a4bqtjxjgzafjq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:quasar botnet:ebayprofiles infostealer spyware trojan
Link:
https://tria.ge/reports/231221-wzv4yabeaj/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
AutoIT Executable
Suspicious use of SetThreadContext
Enumerates connected drives
Looks up external IP address via web service
Maps connected drives based on registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Azorult
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
5.8.88.191:443
sockartek.icu:443
http://0x21.in:8000/_az/
Unpacked files
SH256 hash:
f859bddda5d049e5449032b8a4373515a6a06cbc2019f9fc1c0c269ba4d90153
MD5 hash:
2e9ba9334449304220a549e7a75447f4
SHA1 hash:
791d1648ee703e05b4749fcb99c8f45692e73787
Detections:
QuasarRAT
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
AutoIT_Compiled
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Quasar_RAT_2
Create hunting rule
Quasar
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
MALWARE_Win_QuasarRAT
Create hunting rule
SUSP_Imphash_Mar23_3
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Quasar_RAT_1
Create hunting rule
win_quasarrat_j1
Create hunting rule
Link:
https://www.unpac.me/results/1a439c0c-6b7c-43df-91b6-557ad02262d5/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f859bddda5d0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f859bddda5d049e5449032b8a4373515a6a06cbc2019f9fc1c0c269ba4d90153

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/237645f4-16ce-489e-810c-224fded6cf30
Cape
Cape
https://www.capesandbox.com/analysis/468855/

Comments