MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9265a0554ffd7971bacbd4335ab32109aa2f8ba7f70dba315f4e1f48674b990. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9265a0554ffd7971bacbd4335ab32109aa2f8ba7f70dba315f4e1f48674b990
SHA3-384 hash: 3aa554ca8384c760164b02e3d6ff9d95cf3f9fc119d6b0c605984f9536852c1569ded826f490fa61c0d2a1f16d395242
SHA1 hash: 17affd9bceb5b254a65f2b918008118b3e771f5d
MD5 hash: 22070488e8b05fa3d1555e35cb02e2c4
humanhash: johnny-william-august-dakota
File name:$sxr-seroxen.bat
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:8'088'042 bytes
First seen:2022-11-14 20:36:57 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 49152:E1Knuw9suLZqlYvKn2jUftGqD68t0vgVuX3e/YI7G6YLgkHB6yNKvNBynnHeZhCN:P
Threatray 2'599 similar samples on MalwareBazaar
TLSH T1B0863321EE6E6EAA073C873C356F6F0E1BA05FC4A048A69F97E579C7135E742051B078
Reporter BringOnDon
Tags:bat QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Fifa23.bat
Verdict:
No threats detected
Analysis date:
2022-11-13 15:46:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e2128266-308f-471c-ab90-750b9147ce5a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/333929/
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
stealer warp
Link:
https://www.filescan.io/uploads/6372a6f14cfa4744015c5312/reports/c3aeb86b-ed91-44b4-b122-3082ec855d0c/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1113259
Signature
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Renames powershell.exe to bypass HIPS
Snort IDS alert for network traffic
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 745955 Sample: $sxr-seroxen.bat Startdate: 14/11/2022 Architecture: WINDOWS Score: 100 61 private123.duckdns.org 2->61 63 tools.keycdn.com 2->63 65 2 other IPs or domains 2->65 89 Snort IDS alert for network traffic 2->89 91 Antivirus detection for URL or domain 2->91 93 Yara detected Quasar RAT 2->93 95 7 other signatures 2->95 11 cmd.exe 2 2->11         started        signatures3 process4 file5 49 C:\Users\user\Desktop\$sxr-seroxen.bat.exe, PE32+ 11->49 dropped 103 Obfuscated command line found 11->103 105 Renames powershell.exe to bypass HIPS 11->105 15 $sxr-seroxen.bat.exe 18 11->15         started        19 conhost.exe 11->19         started        signatures6 process7 file8 59 C:\Windows\$sxr-seroxen.bat, DOS 15->59 dropped 73 Deletes itself after installation 15->73 75 Writes to foreign memory regions 15->75 77 Modifies the context of a thread in another process (thread injection) 15->77 79 Injects a PE file into a foreign processes 15->79 21 cmd.exe 2 15->21         started        25 dllhost.exe 15->25         started        signatures9 process10 file11 47 C:\Windows\$sxr-seroxen.bat.exe, PE32+ 21->47 dropped 97 Obfuscated command line found 21->97 99 Drops executables to the windows directory (C:\Windows) and starts them 21->99 101 Renames powershell.exe to bypass HIPS 21->101 27 $sxr-seroxen.bat.exe 14 21 21->27         started        32 conhost.exe 21->32         started        signatures12 process13 dnsIp14 67 private123.duckdns.org 91.178.236.90, 49841, 8808 PROXIMUS-ISP-ASBE Belgium 27->67 69 tools.keycdn.com 185.172.148.96, 443, 49842 PROINITYPROINITYDE Germany 27->69 71 api.ipify.org.herokudns.com 3.220.57.224, 443, 49843 AMAZON-AESUS United States 27->71 51 C:\Windows\System32\vcruntime140d.dll, PE32+ 27->51 dropped 53 C:\Windows\System32\vcruntime140_1d.dll, PE32+ 27->53 dropped 55 C:\Windows\System32\ucrtbased.dll, PE32+ 27->55 dropped 57 C:\Windows\$sxr-seroxen\$sxr-nircmd.exe, PE32 27->57 dropped 107 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 27->107 109 Writes to foreign memory regions 27->109 111 Modifies the context of a thread in another process (thread injection) 27->111 113 3 other signatures 27->113 34 dllhost.exe 1 27->34         started        37 dllhost.exe 27->37         started        file15 signatures16 process17 signatures18 81 Injects code into the Windows Explorer (explorer.exe) 34->81 83 Writes to foreign memory regions 34->83 85 Creates a thread in another existing process (thread injection) 34->85 87 Injects a PE file into a foreign processes 34->87 39 winlogon.exe 34->39 injected 41 lsass.exe 34->41 injected 43 svchost.exe 34->43 injected 45 28 other processes 34->45 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9265a0554ffd7971bacbd4335ab32109aa2f8ba7f70dba315f4e1f48674b990/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7etfubku77lzog5mxvbtlkzsccnkf6f2p5ynxiyv6tq7jbtuxgia._file
Verdict:
malicious
Similar samples:
00e3eebe4bbea52843a8d335bdf5e4b5d6c8de8079f8d86a345cceb2375ccb25
QuasarRAT
0ef4667fb2bd5b2184048913181bd7b03bf63d0e7959214b879efa4d6b75ad5d
QuasarRAT
45c52cfdae75fd116eb42f68ba5e090483f0a4c8b196dab55edb51f1b93b3fd2
QuasarRAT
5e4bbf19a6e055cc6c2c98ef38288f3465c30e25542b735fbfca921fdb8b95f9
QuasarRAT
9f4d88e9eeae7ffc241646d0233acb29bedbc9bc0c124b949567a894f8af6f54
QuasarRAT
bf45d7d41cf421da9cf70d0616d2e2ed599829a190fbfc6b6fd1170cecc5657a
QuasarRAT
c9ea8cf5882a780b2f1a6dc11b191ee058eaaa63f33f749c5d9c3932e9db1cbb
QuasarRAT
+ 2'589 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/221114-zd5b9shh4s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9265a0554ffd7971bacbd4335ab32109aa2f8ba7f70dba315f4e1f48674b990

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/333929/

Comments