MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01a2c4a3dd82f6e3fc651261af69dc942692b1d0df9ab07136eddcdb78bd367e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 9

SHA256 hash: 01a2c4a3dd82f6e3fc651261af69dc942692b1d0df9ab07136eddcdb78bd367e
SHA3-384 hash: 8798d4002150860f73778d86df8220eba7f87e8278f3530f11f530dd5090b3b771d56ad44782bf04ddc08d468359fc1f
SHA1 hash: 7e2cf8dfe4d0602c613d9e5a92497a7e7ed0c154
MD5 hash: e181b306c65a5072c6e133dd5c545461
humanhash: missouri-indigo-fruit-fruit
File name: e181b306c65a5072c6e133dd5c545461.exe
Signature: QuasarRAT
File size: 669'184 bytes
First seen: 2020-12-19 06:44:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bc70c4fa605f17c85050b7c7b6d42e44 (15 x njrat, 12 x RedLineStealer, 10 x AgentTesla)
ssdeep: 12288:aKzACV6yowXNlK4Q4kAEzZsaAxSFdTrB4WzptEp9lKTc4u:aK0UXNdk3zmKfZ4Wz41Kdu
Threatray: 147 similar samples on MalwareBazaar
TLSH: 94E49B326EB74421FEFDD6707CE43392062479BE9EE85F9AE904B6C939631C45270236
Reporter: abuse_ch
Tags: exe QuasarRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 253
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: e181b306c65a5072c6e133dd5c545461.exe
Verdict: Malicious activity
Analysis date: 2020-12-19 06:44:38 UTC
Tags: evasion trojan rat quasar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Launching a process
Deleting a recently created file
Creating a file in the %AppData% directory
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Creating a window
Connection attempt
Sending a UDP request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Csc.exe Source File Folder
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected MSIL_Load_Encrypted_Assembly
Yara detected Quasar RAT
Behaviour
Behavior Graph: ID 332450, sample TybBLqkMK8.exe, start date 19/12/2020, architecture WINDOWS, score 100 (process-tree graph; rendering not reproduced here)
Threat name: Win32.Trojan.InjectorGen
Status: Malicious
First seen: 2020-02-14 05:21:32 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: persistence
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
JavaScript code in executable
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Executes dropped EXE
ServiceHost packer
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: CN_disclosed_20180208_KeyLogger_1
Author: Florian Roth
Description: Detects malware from disclosed CN malware set
Reference: https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: MALWARE_Win_QuasarRAT
Author: ditekshen
Description: QuasarRAT payload

Rule name: MAL_QuasarRAT_May19_1
Author: Florian Roth
Description: Detects QuasarRAT malware
Reference: https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name: MSILStealer
Author: https://github.com/hwvs
Description: Detects strings from C#/VB Stealers and QuasarRat
Reference: https://github.com/quasar/QuasarRAT

Rule name: Quasar
Author: JPCERT/CC Incident Response Group
Description: detect QuasarRAT in memory

Rule name: Quasar_RAT_1
Author: Florian Roth
Description: Detects Quasar RAT
Reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name: Quasar_RAT_2
Author: Florian Roth
Description: Detects Quasar RAT
Reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: Vermin_Keylogger_Jan18_1
Author: Florian Roth
Description: Detects Vermin Keylogger
Reference: https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

Rule name: xRAT_1
Author: Florian Roth
Description: Detects Patchwork malware
Reference: https://goo.gl/Pg3P4W

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments