MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49ad02ecd997150873813d2b6cf825d1eaa9e1cb85aa92e0bd894d8c1decc280. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 3

Intelligence 3 IOCs YARA 2 File information Comments

SHA256 hash:	49ad02ecd997150873813d2b6cf825d1eaa9e1cb85aa92e0bd894d8c1decc280
SHA3-384 hash:	569ea94334547a1dd8383709b5512b052ac2cdff1f2e36e7850acecabf8f145bf114e0c13a78894d5f3b7fcbff131387
SHA1 hash:	3b04e2898008a76024976bc54e1015c9bfcbe5a0
MD5 hash:	e4499c35fd27951349987045d8412ef7
humanhash:	happy-mars-don-fish
File name:	49ad02ecd997150873813d2b6cf825d1eaa9e1cb85aa92e0bd894d8c1decc280
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	809'472 bytes
First seen:	2020-03-23 18:48:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	80b94494f3086d0fbee1e192c23f9456 (1 x QuasarRAT, 1 x CoinMiner.XMRig)
ssdeep	12288:1Wq2YjOIAo73vEgVE++dHUh4xD/B7evQfJzSAPJrztJh48gmoqqRdUS4:43YjOcM5++dDxD/8vaVPJ1jL9oqKyX
Threatray	1'646 similar samples on MalwareBazaar
TLSH	A1057D26F3D04837D2B32A3D8D5F93649826BE523D3876862BE81D4C9F3D64139262D7
Reporter	Marco_Ramilli
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Trojan.DownLoader33.1761.15723.25928.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-02-15 20:38:49 UTC

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Verdict:

malicious

Label(s):

hawkeyekeylogger

QuasarRAT

52d60767d2ff5516a17a6a2a429dd47fd2dafa69a778e1da6129c7f1dd3eeae4

QuasarRAT

57d8c785d274b5dad9441ec2211c49ef5fd5abef5ebb5275f9dd6b8e8ecfff21

QuasarRAT

6ee3c6dd670f97667963ed1b84510f3a53dac6fbdcf755e2f94f7808f29c290f

QuasarRAT

7c15dd07b223275e68dd8034583f12a73fc19f2d42abede56ed8d0dfdc92edc6

QuasarRAT

8aa89b4f65d2ffa52d5f3899589a8f748841d44d9b0d57f48731ca0f07004f1e

QuasarRAT

a3cae0aae6bb5a0d6b4710e161925a315fd3ef4a5bfef88eea9fee94b35874d4

QuasarRAT

a9abad7f4aace35de5651f437a83f47787606345d04ea63426db6a7a9b02ba5e

QuasarRAT

b3afdbf1c149216584a25199682ffd2882fdd23b08c6ebbb3078ad1ab05d35ac

QuasarRAT

c203192bf329f099fddebfc57a7a258b974550e0b51a81115c9980aff02fe6c1

QuasarRAT

+ 1'636 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MSILStealer Create hunting rule
Author:	https://github.com/hwvs
Description:	Detects strings from C#/VB Stealers and QuasarRat
Reference:	https://github.com/quasar/QuasarRAT

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

exe 49ad02ecd997150873813d2b6cf825d1eaa9e1cb85aa92e0bd894d8c1decc280

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/315084/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SHELL_API	Manipulates System Shell	shell32.dll::ShellExecuteExA shell32.dll::ShellExecuteA shell32.dll::SHGetFileInfoA
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA kernel32.dll::GetTempPathA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryInfoKeyA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample