MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1c0e198445a81a738ad7509079b63752b0bc934cd66ce39bc95cb50224ca0d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 4

Intelligence 4 IOCs YARA 7 File information Comments

SHA256 hash:	f1c0e198445a81a738ad7509079b63752b0bc934cd66ce39bc95cb50224ca0d3
SHA3-384 hash:	59692046d2c154cfc80c8d46604a23d7f32d4f17e1bbe057604a58ab2aeb26136810b5a16b858cd33288953dd83d8d0e
SHA1 hash:	260abfe9d00a45ebc763c03a8e050ea58bdbc81f
MD5 hash:	9cc8045fa9822f87a738d869bb63267d
humanhash:	kentucky-india-maine-pip
File name:	f1c0e198445a81a738ad7509079b63752b0bc934cd66ce39bc95cb50224ca0d3
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	8'189'731 bytes
First seen:	2020-06-17 08:45:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3eaa732d4dae53340f9646bdd85dac41 (11 x NetSupport, 6 x RedLineStealer, 4 x ISRStealer)
ssdeep	196608:ACA1OpmZmy7gqkWfk4PMl/rhM61QQsI/MdMUGhyNwllG:ACA1Z7gqkWfkAMlmQsI+VGFlG
Threatray	52 similar samples on MalwareBazaar
TLSH	CF86330611E85132C1D72AF199FAD770AA3E7C3676348D1B6FC10B3E1A638618F91B67
Reporter	JAMESWT_WT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/19199/

Detection(s):

PUA.Win.Ransomware.Protected-6611653-0

SecuriteInfo.com.Gen.Variant.Ursu.309660.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2016-11-27 01:04:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 31 (67.74%)

Threat level:

5/5

Verdict:

malicious

QuasarRAT

27dbff4b16fa15497def710d494b48ad90c3a498c354cee50fc0e35081dcfbb7

QuasarRAT

2d40a6c3d1200616055b55031daa8a6b010b3c99219f6b6da87bcd2b2f27d6c2

QuasarRAT

44c7ef261a066790a4ce332afc634fb5f89f3273c0c908ec02ab666088b27757

QuasarRAT

5ade1071b7d6a1abe0b851d953fe1571f7372bce3d48f0adedfbbecd02c512c6

QuasarRAT

6005ff1373b7a3600ad4b5700b4d9b6c13827015a97fea1b030189655bd8e986

QuasarRAT

6057a10b27aebb92f7d961ce23929dc41579f6da1dcbf28572d8c5f0ffac488b

QuasarRAT

73acff9ea3647f699cd645b09e652ca498eea7c5cee9f3cb573afda67a0ceeb2

QuasarRAT

ebfcc36e36933bf6454937c260a1370cd3ece3b67d7abbf66ec9eb4d2892dd79

QuasarRAT

fd869766f1f735b4c1479ec1300fd63f4a203142e4ed0e6ac18f05d1cdba3ac8

QuasarRAT

+ 42 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

trojan spyware family:quasar evasion

Link:

https://tria.ge/reports/200624-y7cja4bkne/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Looks up external IP address via web service

Loads dropped DLL

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Quasar RAT

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CN_disclosed_20180208_KeyLogger_1 Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	MSILStealer Create hunting rule
Author:	https://github.com/hwvs
Description:	Detects strings from C#/VB Stealers and QuasarRat
Reference:	https://github.com/quasar/QuasarRAT

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Quasar_RAT_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Vermin_Keylogger_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Vermin Keylogger
Reference:	https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

Rule name:	xRAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Patchwork malware
Reference:	https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/19199/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample