MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff6b8599327f09bf46bec16e6535b82f27a804f4877799772e843a85f3f1b573. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff6b8599327f09bf46bec16e6535b82f27a804f4877799772e843a85f3f1b573
SHA3-384 hash: 27deee29aaefb1f69828557c4b47828d0ddccb0fc45af382f2113beea96bfb98b0597d7f4869451f63c0229b3481d543
SHA1 hash: 656d0b2defa3d121edabb350ed5dd76786ccaa7b
MD5 hash: ba6959e4f8e51de58e02564a1e6bc405
humanhash: kitten-mockingbird-idaho-speaker
File name:download_2.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'450'880 bytes
First seen:2024-10-03 12:07:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 98304:N/bPjiDiHuRMIsF729LnYPKV3Vlr5VG7I76:Nrj5oMLFGzYPKRVF7b7
Threatray 821 similar samples on MalwareBazaar
TLSH T188F523392AFB412EF3779F768FD5B23DDA6EF6632A0A615D018043CA0652D04DE46732
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter JAMESWT_WT
Tags:azure-winsecure-com exe OnimaiRAT QuasarRAT whyareyouherewho-ru

Intelligence

File Origin
# of uploads :
1
# of downloads :
412
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
download_2.exe
Verdict:
Malicious activity
Analysis date:
2024-10-03 12:10:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/54902e24-ec45-48e0-8cc7-21d112661037

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fe8a860fdf88870979dade
Tags:
Powershell Vmdetect Emotet Gumen
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm anti-vm cmd exploit explorer lolbin packed
Link:
https://www.filescan.io/uploads/66fe8927ac7403f5179131ed/reports/7fcd4adc-94d9-4389-ac82-fc97abdbbf1d/overview
Verdict:
Malicious
Labled as:
Ransom.FreeMe.Generic
Link:
https://www.hybrid-analysis.com/sample/ff6b8599327f09bf46bec16e6535b82f27a804f4877799772e843a85f3f1b573
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1d1eb1b-4c55-44f8-86cd-7b97fb10d7f9
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1524940
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops executables to the windows directory (C:\Windows) and starts them
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Quasar RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1524940 Sample: download_2.exe Startdate: 03/10/2024 Architecture: WINDOWS Score: 100 71 azure-winsecure.com 2->71 73 ipwho.is 2->73 93 Suricata IDS alerts for network traffic 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 Antivirus / Scanner detection for submitted sample 2->97 99 17 other signatures 2->99 11 download_2.exe 6 2->11         started        15 powershell.exe 2->15         started        signatures3 process4 file5 65 C:\Windows\$rbx-onimai2\$rbx-CO2.bat, PE32 11->65 dropped 67 C:\Windows\...\$rbx-CO2.bat:Zone.Identifier, ASCII 11->67 dropped 69 C:\Users\user\AppData\...\download_2.exe.log, CSV 11->69 dropped 101 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 11->101 103 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->103 105 Suspicious command line found 11->105 17 cmd.exe 1 11->17         started        20 conhost.exe 11->20         started        22 WerFault.exe 22 16 11->22         started        107 Writes to foreign memory regions 15->107 109 Modifies the context of a thread in another process (thread injection) 15->109 111 Injects a PE file into a foreign processes 15->111 25 dllhost.exe 15->25         started        27 conhost.exe 15->27         started        signatures6 process7 file8 81 Suspicious powershell command line found 17->81 29 powershell.exe 31 17->29         started        32 conhost.exe 17->32         started        34 cmd.exe 1 17->34         started        83 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->83 63 C:\ProgramData\Microsoft\...\Report.wer, Unicode 22->63 dropped 85 Injects code into the Windows Explorer (explorer.exe) 25->85 87 Contains functionality to inject code into remote processes 25->87 89 Writes to foreign memory regions 25->89 91 3 other signatures 25->91 36 lsass.exe 25->36 injected 38 winlogon.exe 25->38 injected 40 svchost.exe 25->40 injected 42 24 other processes 25->42 signatures9 process10 signatures11 113 Drops executables to the windows directory (C:\Windows) and starts them 29->113 115 Found suspicious powershell code related to unpacking or dynamic code loading 29->115 44 $rbx-CO2.bat 17 6 29->44         started        117 Writes to foreign memory regions 36->117 process12 dnsIp13 75 azure-winsecure.com 154.216.20.132, 49721, 6969 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 44->75 77 ipwho.is 147.135.36.89, 443, 49722 OVHFR United States 44->77 119 Antivirus detection for dropped file 44->119 121 Multi AV Scanner detection for dropped file 44->121 123 Machine Learning detection for dropped file 44->123 125 11 other signatures 44->125 48 powershell.exe 44->48         started        51 schtasks.exe 44->51         started        53 conhost.exe 44->53         started        55 2 other processes 44->55 signatures14 process15 signatures16 79 Injects a PE file into a foreign processes 48->79 57 conhost.exe 48->57         started        59 powershell.exe 48->59         started        61 conhost.exe 51->61         started        process17
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ff6b8599327f09bf46bec16e6535b82f27a804f4877799772e843a85f3f1b573
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff6b8599327f09bf46bec16e6535b82f27a804f4877799772e843a85f3f1b573/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2024-10-02 17:09:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=75vylgjsp4e36rv6yfxgknnyf4t2qbhuq53zs5zoqq5il47rwvzq._file
Verdict:
malicious
Label(s):
r77
Create hunting rule
quasarrat
Create hunting rule
metasploit
Create hunting rule
r77_stager
Create hunting rule
Similar samples:
01d7838a7a970a4fca588740cf6f8129f4ae01b0d9936eb43a1aff9436b848a2
QuasarRAT
07412fb8708bdbd23115743c4856981eb03873b755d0fbd4ec7745a642dff25c
QuasarRAT
64f51e7b139ab5cf5829321a7ea0e7cc8aad04f1ec1d872345ee029e679dd2af
QuasarRAT
73399ca48340bd7a31da27d573966f23371fe4ea82625ee3b7ce2772386b9e04
QuasarRAT
b108344a4bdd297bc875c4da54162c753b1b104abb1e5383b2ed348fea2a0eea
QuasarRAT
error
QuasarRAT
+ 811 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/241003-pawkva1dmc/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dc9808fa-e136-479e-86d8-7108bfe29f7b
Unpacked files
SH256 hash:
ff6b8599327f09bf46bec16e6535b82f27a804f4877799772e843a85f3f1b573
MD5 hash:
ba6959e4f8e51de58e02564a1e6bc405
SHA1 hash:
656d0b2defa3d121edabb350ed5dd76786ccaa7b
Link:
https://www.unpac.me/results/88c17884-0c59-4bf2-8eee-f2fed5af22b6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff6b8599327f09bf46bec16e6535b82f27a804f4877799772e843a85f3f1b573

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments