MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09c580ea4063cb2f16bce177151628d3e9c04a87ba2c0bcb7e6d1d588b8563ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09c580ea4063cb2f16bce177151628d3e9c04a87ba2c0bcb7e6d1d588b8563ed
SHA3-384 hash: e138558ee2d574c28964769de1d4c1f0afbd767806dbf1cddc2f670537559944da1635d4e0f122f4361a09020ef1c902
SHA1 hash: b5c056e5cc14b88d5115a47a86b8df43c6b6eed1
MD5 hash: 81e1869c9f3495afba6c21bf71a10292
humanhash: idaho-shade-potato-summer
File name:09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:6'915'993 bytes
First seen:2023-02-06 18:05:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e92fd54d65284238a0e3b74b2715062 (21 x Empyrean, 4 x Gh0stRAT, 4 x Telemiris)
ssdeep 196608:XqMIY4MLN9onJ5hrZEK3e9tGPqK6wTbPfFwc5CVsf5:gup9c5hlEK/PN6w3XCVm
Threatray 3'677 similar samples on MalwareBazaar
TLSH T10C663349233068E6FFBA813944D2D625E3F2B0120B11D6DF0B6847A64FA7BD16E7B711
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
QuasarRAT C2:
91.209.226.129:4477

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe
Verdict:
Malicious activity
Analysis date:
2023-02-06 18:08:20 UTC
Tags:
trojan rat quasar asyncrat
Link:
https://app.any.run/tasks/96f093a1-aee8-4697-97bd-0a50d38237a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/361009/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.5621.7552.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/65871/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer greyware overlay packed
Link:
https://www.filescan.io/uploads/63e1418c89bd67c10fdccee9/reports/1b96fe85-ca76-4f96-bb42-be697ff70469/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/09c580ea4063cb2f16bce177151628d3e9c04a87ba2c0bcb7e6d1d588b8563ed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e131aac-16a5-46cb-9389-1ff76d20e1c3
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1166937
Signature
C2 URLs / IPs found in malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/09c580ea4063cb2f16bce177151628d3e9c04a87ba2c0bcb7e6d1d588b8563ed/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-12-25 22:21:30 UTC
File Type:
PE+ (Exe)
Extracted files:
379
AV detection:
8 of 39 (20.51%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bhcyb2sampfs6fv44f3rkfri2pu4asuhxiwaxs36nuovrc4fmpwq._file
Verdict:
malicious
Similar samples:
0d275600019499df54ffc79e785d448bbb73d19bcc34f015f4b2272bdc6f9fa3
QuasarRAT
20632d113408af16371070219ed4e9f260a3cc23db39fcddce2580ebf6669b5f
QuasarRAT
386c57582b7d542de1d6164de34cfea4706fc6418a14c69eb246feca2711003e
QuasarRAT
6d7eeaa37fd773e4f6f7100e831fa40ffae132f64f0dd059efc85aa52d0be7c3
QuasarRAT
842573dbd650df89baf277cd8659a9c532c67d657f830e98f38c2df305f3991d
QuasarRAT
9598b077e43d52e3a506e23a96eaca924aa406f5374afa5139283646c448dfc3
QuasarRAT
ad7e91af55a1e48ca702b1d8d4127a830688dd026df1c485a3e6c2bdd72ac336
QuasarRAT
e66137ab3b86abeb0dec368bbca035163b110bfcc452ee706149a6e0a948578a
QuasarRAT
+ 3'667 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office04 pyinstaller spyware trojan
Link:
https://tria.ge/reports/230206-wpqrgafb93/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Loads dropped DLL
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
91.209.226.129:4477
Unpacked files
SH256 hash:
09c580ea4063cb2f16bce177151628d3e9c04a87ba2c0bcb7e6d1d588b8563ed
MD5 hash:
81e1869c9f3495afba6c21bf71a10292
SHA1 hash:
b5c056e5cc14b88d5115a47a86b8df43c6b6eed1
Link:
https://www.unpac.me/results/a4a01eff-b117-4c8c-98b9-438aee9f6f46/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/09c580ea4063/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.66
Link:
https://yomi.yoroi.company/submissions/09c580ea4063cb2f16bce177151628d3e9c04a87ba2c0bcb7e6d1d588b8563ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/361009/

Comments