MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18271c11925b94e6310672889885575ab4786e36a4c404e478accf3cb24172be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 4

Intelligence 4 IOCs YARA 6 File information Comments

SHA256 hash:	18271c11925b94e6310672889885575ab4786e36a4c404e478accf3cb24172be
SHA3-384 hash:	158fde67fa3408ee3f635114e1d40e55f922c9bde092f426d8eae6794e23cedbab43a9e0c14d06a0b659fd5651eed8fa
SHA1 hash:	4703ce5221b64568680a99486984f3a1323ba12e
MD5 hash:	249014fafb4ebd48fabc0b693b9c6843
humanhash:	michigan-texas-berlin-blue
File name:	18271c11925b94e6310672889885575ab4786e36a4c404e478accf3cb24172be
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	536'064 bytes
First seen:	2020-06-10 07:43:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:hdvooMdukctgiQhqddZV651KrK2G0cja4fHu9Aqycda7e0M3JzJ9233uxkxCo:Too4cdQ1KpG0SfHgycoU+3e6H
Threatray	14 similar samples on MalwareBazaar
TLSH	89B42A40AFE4CA16E1BE27B6D4B207684BF8F587F256E78F198054B81C5230A6D117BF
Reporter	JAMESWT_WT
Tags:	QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Tool.Quasar-6791498-0

Win.Packed.Downeks-6898097-0

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Quasar

Status:

Malicious

First seen:

2020-06-04 23:02:45 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=datryemslokommigokejrbkxlk2hq3rwutcajzdyvthtzmsbok7a._file

Verdict:

suspicious

QuasarRAT

1d0e8150809cb78fb1cf2cad89dc63b884ef4459e93ce4fbb4676ff705bb2679

QuasarRAT

3a83d1211c8a9235a72f0dcea5c36ec53a99ed83340e35097e7f41773bc8fb3f

QuasarRAT

585e4146923404bbe11c2cf5a423e2650a5d133541e9baeacb64a4d675f6484d

QuasarRAT

5ba0344c196d2605e844a2b15cff5c93412d58e9ca5c8446c468fa768604242d

QuasarRAT

5fd83f2a0ab55a807929ded55e138b988f873280876ae15fde0332732b38e2da

QuasarRAT

7080b4b381aa5445667f682c0b6d8a7651dfbf8c07383f9796ffd8558e506338

QuasarRAT

9760105f3177384c19086dee036cdc67916d744f4a1e7064ecfd906e252dba69

QuasarRAT

ac4d3acc896cc3fd6e4ba14547572dfc0447f47f2c29c28a170db4b0169c6e2f

QuasarRAT

d3922882bfee49abb72584b9d5918f3787221fa40b7f552c98d7bc0e55833234

QuasarRAT

+ 4 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:asyncrat family:quasar rat spyware trojan

Link:

https://tria.ge/reports/201109-gqmhcvjq86/

Behaviour

Suspicious use of AdjustPrivilegeToken

Looks up external IP address via web service

Quasar RAT

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	CN_disclosed_20180208_KeyLogger_1 Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	MSILStealer Create hunting rule
Author:	https://github.com/hwvs
Description:	Detects strings from C#/VB Stealers and QuasarRat
Reference:	https://github.com/quasar/QuasarRAT

Rule name:	Quasar_RAT_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Vermin_Keylogger_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Vermin Keylogger
Reference:	https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample