MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fda0f21717df25d8af793a43e59842da0e60fe1993e4f3a903aa9e568da141b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fda0f21717df25d8af793a43e59842da0e60fe1993e4f3a903aa9e568da141b1
SHA3-384 hash: 4c4c096d6bec7a5a08e69737316cb7b947f479211eaf3dedd5e869e19217d9d17e503b50af44ef6b246a7dd88173be6b
SHA1 hash: 8f3acd8a898d40acd07b5c8a21f3f342bd4741a3
MD5 hash: 9f447528b0e34b30d3ded989680a54e4
humanhash: mississippi-florida-one-rugby
File name:DRAFT-COPY-0997BILLLADINg999787.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:549'376 bytes
First seen:2020-10-07 04:46:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:8lXubVkFnGHUyyr/rFuHCZk/nF5fO7xbP+WUKWYf7:8GN0yy9UfSrFUKW47
Threatray 257 similar samples on MalwareBazaar
TLSH 0CC4AE521228D7AFCB9C463EF838CC360296A24E3554E5F68F30FC9F772571190A58B6
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
Malspam distributing QuasarRAT:

HELO: mail.h-email.net
Sending IP: 5.206.224.208
From: MAERSK <log@perrymaintenance.com>
Subject: URGENT TELEX RELEASE - RE Shipment Bill of lading 20170000112
Attachment: DRAFT-COPY-0997BILLLADINg999787.rar (contains "DRAFT-COPY-0997BILLLADINg999787.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file
DNS request
Sending an HTTP GET request
Creating a window
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483598
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294247 Sample: DRAFT-COPY-0997BILLLADINg99... Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 68 Malicious sample detected (through community Yara rule) 2->68 70 Yara detected MassLogger RAT 2->70 72 .NET source code contains method to dynamically call methods (often used by packers) 2->72 74 9 other signatures 2->74 9 DRAFT-COPY-0997BILLLADINg999787.exe 1 2->9         started        13 apdate.exe 1 2->13         started        process3 file4 50 DRAFT-COPY-0997BILLLADINg999787.exe.log, ASCII 9->50 dropped 76 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->76 15 DRAFT-COPY-0997BILLLADINg999787.exe 15 7 9->15         started        20 DRAFT-COPY-0997BILLLADINg999787.exe 9->20         started        22 DRAFT-COPY-0997BILLLADINg999787.exe 9->22         started        78 Multi AV Scanner detection for dropped file 13->78 80 Machine Learning detection for dropped file 13->80 82 Injects a PE file into a foreign processes 13->82 24 apdate.exe 13->24         started        signatures5 process6 dnsIp7 58 elb097307-934924932.us-east-1.elb.amazonaws.com 174.129.214.20, 49744, 49746, 80 AMAZON-AESUS United States 15->58 60 192.168.2.1 unknown unknown 15->60 62 2 other IPs or domains 15->62 48 C:\Users\user\AppData\Roaming\...\apdate.exe, PE32 15->48 dropped 66 Adds a directory exclusion to Windows Defender 15->66 26 cmd.exe 1 15->26         started        28 cmd.exe 1 15->28         started        30 powershell.exe 24 15->30         started        file8 signatures9 process10 process11 32 apdate.exe 26->32         started        35 conhost.exe 26->35         started        37 timeout.exe 1 26->37         started        39 conhost.exe 28->39         started        41 schtasks.exe 1 28->41         started        43 conhost.exe 30->43         started        signatures12 64 Injects a PE file into a foreign processes 32->64 45 apdate.exe 32->45         started        process13 dnsIp14 52 nagano-19599.herokussl.com 45->52 54 elb097307-934924932.us-east-1.elb.amazonaws.com 45->54 56 api.ipify.org 45->56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fda0f21717df25d8af793a43e59842da0e60fe1993e4f3a903aa9e568da141b1/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 03:33:19 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7wqpefyx34s5rl3zhjb6lgcc3ihgb7qzspsphkidvkpfndnbigyq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
01053beaa477c1cbf38cd7914244da9e75a22f59568056048fefde017503226e
QuasarRAT
2bd548e22cf519ee21eb5492713555537bbc71c899d2421e8a40d4e81f6b3f65
QuasarRAT
669c338b6022e64b567ca5975b33f2ca26ec77e3b85d3dcb5b8d2002417333d9
QuasarRAT
7f65935cd55b5a0978bf0a70690462a08d83657a97ddbe6aba871a5496d5f9c5
QuasarRAT
9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4
QuasarRAT
ab7cc003aa4d6807236dcd8983804a44a460a462c0e6d4ef70b3030f8ab6b366
QuasarRAT
c7f039cff52a5c1de59fb782259f3fd2054946e9fca03d364f61c7977128dcca
QuasarRAT
dc0087097e433036c00aaf8751d4cd9dc3e309fdba09c2ee1415a4060aa1cced
QuasarRAT
ed42640da83dda3bf2ed08c414bfd256a82c9a8ef1894a59e3c421b254c59d4d
QuasarRAT
f925d649aee4b92c974778fd87576229f44972c23df41df5aacdd9dc55fd2c45
QuasarRAT
+ 247 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/201007-1t3hvntxrs/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
b5f3cb6bf1a81a2d726a2eb203b632c4a6998efaee2ec14257a4d199998b3fde
MD5 hash:
30fe95e2c6d480e721d65a44179bd15f
SHA1 hash:
dd5580b7ebcd79cd0e47a999d60bb4c5163b3442
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/c9782c19-de52-47c3-b1aa-2787126b1d08/
SH256 hash:
165b6353a27653c087637f372f70713e4e0af658e87f03ba0703d8b975525243
MD5 hash:
112730ad698bcb62cfb8c64c4862640a
SHA1 hash:
6b42b1f3f372785c40b4f80c35d6aa2e0d012429
Link:
https://www.unpac.me/results/c9782c19-de52-47c3-b1aa-2787126b1d08/
SH256 hash:
d19c113d772493774937f904c4ef42642670752e06c2e5b95601b6603ea0f4f1
MD5 hash:
530c0a1f9c4148921a9286273c4ca6cf
SHA1 hash:
a85b32a9605c7af9c534e5e30d4d31d288cccac6
Link:
https://www.unpac.me/results/c9782c19-de52-47c3-b1aa-2787126b1d08/
SH256 hash:
fda0f21717df25d8af793a43e59842da0e60fe1993e4f3a903aa9e568da141b1
MD5 hash:
9f447528b0e34b30d3ded989680a54e4
SHA1 hash:
8f3acd8a898d40acd07b5c8a21f3f342bd4741a3
Link:
https://www.unpac.me/results/c9782c19-de52-47c3-b1aa-2787126b1d08/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fda0f21717df25d8af793a43e59842da0e60fe1993e4f3a903aa9e568da141b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

rar 3726d9fc66566f6cfcf11ce2b6ec70fb4bcbcfb94e09b8d4ef6fd42bb563f898

QuasarRAT

Executable exe fda0f21717df25d8af793a43e59842da0e60fe1993e4f3a903aa9e568da141b1

(this sample)

  
Dropped by
MD5 0e796db9c3f444ce4d84da8b11f81cce
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68734/
  
Dropped by
SHA256 3726d9fc66566f6cfcf11ce2b6ec70fb4bcbcfb94e09b8d4ef6fd42bb563f898

Comments