MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 092223938bed5fec479602f4bf2cb0fd28dd628e8754714047b0b7939cd2e298. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 092223938bed5fec479602f4bf2cb0fd28dd628e8754714047b0b7939cd2e298
SHA3-384 hash: d18b166d6d1601dde5e56d3ab0364a96e714851fbf7600bbcc9de05b2c28a834e63300712e35511a1d9ba3ac27908d6f
SHA1 hash: a359796eacef161e75ce3f5094e1dd2bff37389c
MD5 hash: 26f266e31e7fcd9e39673ccb5a0c89ee
humanhash: foxtrot-wolfram-xray-uniform
File name:26f266e31e7fcd9e39673ccb5a0c89ee.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:4'907'008 bytes
First seen:2020-12-01 08:42:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5479775c1d012f10601477c1237fe7d4 (6 x QuasarRAT, 2 x BitRAT, 1 x RevCodeRAT)
ssdeep 98304:gvPd3jpfky7ROHB9iHZIt4SfQuEtol8XQiYub+N:gpfky1Oh/4gQhtPYso
Threatray 34 similar samples on MalwareBazaar
TLSH DF36236FA2B04837C13319798C0BDB9F9D25BE532B2868822BE51D4C7F3D6917A35187
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
QuasarRAT payload URL:
http://medicalcorp.ro/royal2/helper/gd/zt/jbrowserQ.exe

QuasarRAT C2:
185.157.161.109:1973

Intelligence

File Origin
# of uploads :
1
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106178/
Detection(s):
SecuriteInfo.com.BackDoor.Quasar.124.18597.2139.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/551938
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Writes to foreign memory regions
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 325074 Sample: OQUToJt233.exe Startdate: 01/12/2020 Architecture: WINDOWS Score: 100 78 Malicious sample detected (through community Yara rule) 2->78 80 Antivirus detection for URL or domain 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 7 other signatures 2->84 12 OQUToJt233.exe 2->12         started        15 wscript.exe 1 2->15         started        17 wscript.exe 2->17         started        process3 signatures4 112 Writes to foreign memory regions 12->112 114 Allocates memory in foreign processes 12->114 116 Queues an APC in another process (thread injection) 12->116 19 notepad.exe 5 12->19         started        23 ernm.exe 15->23         started        25 emqkp.exe 17->25         started        process5 file6 52 C:\Users\user\AppData\Roaming\rtgb\ernm.exe, PE32 19->52 dropped 54 C:\Users\user\...\ernm.exe:Zone.Identifier, ASCII 19->54 dropped 56 C:\Users\user\AppData\Roaming\...\klop.vbs, ASCII 19->56 dropped 86 Creates files in alternative data streams (ADS) 19->86 88 Drops VBS files to the startup folder 19->88 27 ernm.exe 19->27         started        90 Maps a DLL or memory area into another process 23->90 30 ernm.exe 23->30         started        32 emqkp.exe 25->32         started        signatures7 process8 signatures9 102 Multi AV Scanner detection for dropped file 27->102 104 Detected unpacking (changes PE section rights) 27->104 106 Detected unpacking (overwrites its own PE header) 27->106 110 4 other signatures 27->110 34 ernm.exe 1 19 27->34         started        108 Hides threads from debuggers 30->108 process10 dnsIp11 70 yz.videomarket.eu 185.157.161.109, 1972, 1973, 49711 OBE-EUROPEObenetworkEuropeSE Sweden 34->70 72 medicalcorp.ro 176.126.200.6, 49731, 80 GTSCEGTSCentralEuropeAntelGermanyCZ Romania 34->72 58 C:\Users\user\...\PA5Lhuco8ai1uj3e.exe, PE32 34->58 dropped 60 C:\Users\user\AppData\...\jbrowserQ[1].exe, PE32 34->60 dropped 92 Hides threads from debuggers 34->92 39 PA5Lhuco8ai1uj3e.exe 34->39         started        file12 signatures13 process14 signatures15 94 Machine Learning detection for dropped file 39->94 96 Writes to foreign memory regions 39->96 98 Allocates memory in foreign processes 39->98 100 Contains functionality to detect sleep reduction / modifications 39->100 42 notepad.exe 4 39->42         started        process16 file17 62 C:\Users\user\AppData\Roaming\...\emqkp.exe, PE32 42->62 dropped 64 C:\Users\user\AppData\Roaming\...\cviqw.vbs, ASCII 42->64 dropped 45 emqkp.exe 42->45         started        process18 signatures19 118 Detected unpacking (changes PE section rights) 45->118 120 Detected unpacking (creates a PE file in dynamic memory) 45->120 122 Detected unpacking (overwrites its own PE header) 45->122 124 4 other signatures 45->124 48 emqkp.exe 15 4 45->48         started        process20 dnsIp21 66 yz.videomarket.eu 48->66 68 ip-api.com 208.95.112.1, 49733, 80 TUT-ASUS United States 48->68 74 Hides that the sample has been downloaded from the Internet (zone.identifier) 48->74 76 Installs a global keyboard hook 48->76 signatures22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/092223938bed5fec479602f4bf2cb0fd28dd628e8754714047b0b7939cd2e298/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-11-30 15:40:48 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=berche4l5vp6yr4wal2l6lfq7uun2yuoq5khcqchwc3zhhgs4kma._file
Verdict:
malicious
Similar samples:
04c27b0ff1c12b58c1520db0ffc14e7ced2f5adae24e08a3ff66fcc1723676cf
QuasarRAT
0cf6c64800271784234f89dd95925d58075254e5756946de94f447b6defee4fc
QuasarRAT
40512789548e02bb2db55e51975a733d342279a76c7ecdf78b9e238329591200
QuasarRAT
723e6b54cd996205412396bbfba18171a8e4e7297dd2492b35ec198e122849cb
QuasarRAT
78fc1b0ad5b1bf8392a5e1a6dde5dab2fbee2f2fbb833c3c4ba85ace7e9c35e5
QuasarRAT
83db3e008537b9da1f048cf2a36931238afcdabf35ecbeedecd808ea6bee3bf3
QuasarRAT
b7823b23e2ef21045e77a01f2f34f86f387a607f4c1d949571c01c1fcdfd7fa1
QuasarRAT
c074b02a7c31f653ce16773fe3d97884a5d4cefed346918b79db7f060661f9f0
QuasarRAT
cd857ee1ccdff34a0cd65732a18bc3a99d53e388423dcff0a73ca0307dcb1f7a
QuasarRAT
ef67b30b7ae1fd2b27a17f1e0172954912c78c541f7cb162ff003a9b42f128c4
QuasarRAT
+ 24 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/201201-pxx9dbq2aa/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
092223938bed5fec479602f4bf2cb0fd28dd628e8754714047b0b7939cd2e298
MD5 hash:
26f266e31e7fcd9e39673ccb5a0c89ee
SHA1 hash:
a359796eacef161e75ce3f5094e1dd2bff37389c
Link:
https://www.unpac.me/results/b507245d-e89c-4451-83db-c11b6bce4396/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/092223938bed5fec479602f4bf2cb0fd28dd628e8754714047b0b7939cd2e298

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MSILStealer
Create hunting rule
Author:https://github.com/hwvs
Description:Detects strings from C#/VB Stealers and QuasarRat
Reference:https://github.com/quasar/QuasarRAT
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 092223938bed5fec479602f4bf2cb0fd28dd628e8754714047b0b7939cd2e298

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/869725/
  
URLhaus
https://urlhaus.abuse.ch/url/869726/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/106178/

Comments