MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01d7838a7a970a4fca588740cf6f8129f4ae01b0d9936eb43a1aff9436b848a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 17

Intelligence 17 IOCs 1 YARA 4 File information Comments

SHA256 hash:	01d7838a7a970a4fca588740cf6f8129f4ae01b0d9936eb43a1aff9436b848a2
SHA3-384 hash:	3bf39a0d350e45dd54f77dafb62f793e4c6bea4e95bcad9d9ff94d15244992b2800aa89ccf035c41226cc17f31c3ca0b
SHA1 hash:	4a14138403945ca46d0389b8ff0870e0a7668394
MD5 hash:	0dd4e8e7d52d991a91fe92b18985aa8a
humanhash:	lemon-high-lithium-dakota
File name:	0dd4e8e7d52d991a91fe92b18985aa8a.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	3'409'920 bytes
First seen:	2024-06-26 06:15:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	42ef7cad2b1a6f46abc46e399d603634 (1 x QuasarRAT)
ssdeep	49152:86AB10yeNg09VzFykrQemyrj6fyAX4935tbgGUVQvAYKO2did9iN88P5skcP:3Y0yeNgOzF/QOrj1AoYiGOyiMT
Threatray	697 similar samples on MalwareBazaar
TLSH	T102F5330676F08437C6332C3322B8ED252DBAFE226D859C6B7A8A1734DD7239795159CC
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4504/4/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	71e88a8adac46932 (1 x QuasarRAT)
Reporter	abuse_ch
Tags:	Donut DonutInjector donutloader exe QuasarRAT RAT Shellcode

abuse_ch

QuasarRAT C2:
117.18.7.76:3782

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
117.18.7.76:3782	https://threatfox.abuse.ch/ioc/1288949/

Intelligence

File Origin

# of uploads :

# of downloads :

391

Origin country :

Vendor Threat Intelligence

Malware family:

quasar

ID:

File name:

01d7838a7a970a4fca588740cf6f8129f4ae01b0d9936eb43a1aff9436b848a2.exe

Verdict:

Malicious activity

Analysis date:

2024-06-26 06:16:38 UTC

Tags:

rat quasar remote asyncrat evasion

Link:

https://app.any.run/tasks/251af59a-35a8-4ed2-b18a-5b7e99aa1c30

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packed.Rozena-10029918-0

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=667bb27a7ca575ea1996d171win7simulatehigh_evasion

Tags:

Stealth Malware

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Verdict:

Malicious

Labled as:

ShellCode.Donut.Marte.4.Generic

Link:

https://www.hybrid-analysis.com/sample/01d7838a7a970a4fca588740cf6f8129f4ae01b0d9936eb43a1aff9436b848a2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Quasar RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dad84649-74d2-4885-a062-f0bbfd4f6bf8

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1462830

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Generic Downloader

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/01d7838a7a970a4fca588740cf6f8129f4ae01b0d9936eb43a1aff9436b848a2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/01d7838a7a970a4fca588740cf6f8129f4ae01b0d9936eb43a1aff9436b848a2/

Threat name:

Win32.Exploit.DonutMarte

Status:

Malicious

First seen:

2024-06-21 12:56:20 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ahlyhct2s4fe7ssyq5am634bfh2k4anq3gjw5nb2dl7zinvyjcra._file

Verdict:

malicious

QuasarRAT

3ad07a1878c8b77f9fc0143d8f88c240d8d0b986d015d4c0cd881ad9c0d572e1

QuasarRAT

4e6e48275b1f3412edc045e1a81d509ddcfe360c06bdd4483fcd5b4fc77b7ef3

QuasarRAT

5abb3690139201632ca77d335dc003268eaf58f2fa0736fb187d843e597a2c9b

QuasarRAT

a451e748bc1e4c05bdaa722b35a5f6dd1a78765ac8967187a61b846f819c8bf6

QuasarRAT

b70b64872a21f338463d0e6b1f2a45bb186ad711317164192b64e54a19baef85

QuasarRAT

ced760664a7c5580e324d99d695b119c1f3ec94d1d9c56d1d3882347f0c6eb10

QuasarRAT

+ 687 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar botnet:office01 spyware trojan

Link:

https://tria.ge/reports/240626-g1gwdasdlp/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Quasar RAT

Quasar payload

Malware Config

C2 Extraction:

117.18.7.76:3782

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2b9f7802-f1ac-4edf-8aaa-44124319e5f4

Unpacked files

SH256 hash:

babdefc67c4cf722edc36cb0f5d299c665efd52058fe110608fe1b1dcc5cf9b0

MD5 hash:

3790a8f18e3c16675263362d58175a21

SHA1 hash:

7ff6be74ceb7d25a3b9ac524e7521dce894ea08f

Detections:

QuasarRAT

malware_windows_xrat_quasarrat

win_quasarrat_j2

MALWARE_Win_QuasarStealer

cn_utf8_windows_terminal

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MAL_QuasarRAT_May19_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_GENInfoStealer

Link:

https://www.unpac.me/results/831b448a-5f99-45a3-9eb5-d9958aef517e/

SH256 hash:

01d7838a7a970a4fca588740cf6f8129f4ae01b0d9936eb43a1aff9436b848a2

MD5 hash:

0dd4e8e7d52d991a91fe92b18985aa8a

SHA1 hash:

4a14138403945ca46d0389b8ff0870e0a7668394

Link:

https://www.unpac.me/results/831b448a-5f99-45a3-9eb5-d9958aef517e/

Malware family:

QuasarRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/01d7838a7a97/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/01d7838a7a970a4fca588740cf6f8129f4ae01b0d9936eb43a1aff9436b848a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	Windows_Trojan_Donutloader_f40e3759 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleWindow KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample