MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc
SHA3-384 hash: 9f07c09d91865dedd4e0c74e4bd6016368b93872243d71911ec9edc8b37ce825558fa9d5759bfef60bbab276c1051a8b
SHA1 hash: e372df2088dfa0695608a0ecf9b98c133abcf8f6
MD5 hash: 0c0dc0cf41e3c993ae5a22803275949a
humanhash: london-mexico-wolfram-quebec
File name:SPOOFER.bin
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:13'285'448 bytes
First seen:2023-12-28 18:54:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:fIjotieByewT9gG21ntArAfjm6miv/t61TRORHEuEu1kGNkLde+tMtl1vVsTNwaC:fIq
Threatray 286 similar samples on MalwareBazaar
TLSH T1A6D633015F292DEBCE28533A20EB6E093EB01E848448B9FE53D1A5F6D67EB41751BD34
TrID 66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e2d2d0e4c4ec7898 (1 x QuasarRAT)
Reporter JaffaCakes118
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
416
Origin country :
GB GB
Vendor Threat Intelligence
Detection(s):
Win.Malware.Msilperseus-6838278-0
Create hunting rule

Win.Trojan.Agent-1109363
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Loading a suspicious library
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Setting a keyboard event handler
Running batch commands
Deleting a system file
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm masquerade obfuscated overlay packed packed smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/658dc488b4e856b7282b5ad4/reports/4496f7fe-2d77-4ad5-afb1-b9884f2fc23e/overview
Verdict:
Malicious
Labled as:
MSILPerseus.Generic
Link:
https://www.hybrid-analysis.com/sample/18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a9f587ee-89f9-43e2-991b-9b14abb58ab9
Result
Threat name:
DCRat, Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1367780
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to modify clipboard data
Creates processes via WMI
Detected unpacking (changes PE section rights)
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Potential dropper URLs found in powershell memory
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1367780 Sample: SPOOFER.bin.exe Startdate: 28/12/2023 Architecture: WINDOWS Score: 100 114 brofisthej.ddns.net 2->114 116 ipwho.is 2->116 122 Snort IDS alert for network traffic 2->122 124 Multi AV Scanner detection for domain / URL 2->124 126 Found malware configuration 2->126 130 14 other signatures 2->130 11 SPOOFER.bin.exe 6 2->11         started        15 SPOOFER.bin.exe 2->15         started        17 svchost.exe 1 1 2->17         started        20 18 other processes 2->20 signatures3 128 Uses dynamic DNS services 114->128 process4 dnsIp5 90 C:\Users\user\AppData\Local\...\svchost.exe, PE32 11->90 dropped 92 C:\Users\user\AppData\Local\...\SPOOFER.exe, PE32 11->92 dropped 146 Drops PE files with benign system names 11->146 22 SPOOFER.exe 4 11->22         started        26 svchost.exe 5 11->26         started        148 Multi AV Scanner detection for dropped file 15->148 150 Machine Learning detection for dropped file 15->150 112 127.0.0.1 unknown unknown 17->112 file6 signatures7 process8 file9 82 C:\Users\user\...\sp_hyperRuntimedhcpSvc.exe, PE32 22->82 dropped 84 C:\Users\user\AppData\...\conhost_sft.exe, PE32+ 22->84 dropped 86 C:\Users\user\AppData\Roaming\HpsrSpoof.exe, PE32+ 22->86 dropped 132 Multi AV Scanner detection for dropped file 22->132 134 Detected unpacking (changes PE section rights) 22->134 136 Machine Learning detection for dropped file 22->136 140 2 other signatures 22->140 28 HpsrSpoof.exe 12 22->28         started        32 sp_hyperRuntimedhcpSvc.exe 22->32         started        34 conhost_sft.exe 22->34         started        36 powershell.exe 24 22->36         started        88 C:\Users\user\AppData\Roaming\...\Client.exe, PE32 26->88 dropped 138 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->138 38 Client.exe 26->38         started        signatures10 process11 dnsIp12 94 C:\ProgramData\Microsoft\...\Volumeid64.exe, PE32+ 28->94 dropped 96 C:\ProgramData\Microsoft\...\DevManView.exe, PE32+ 28->96 dropped 98 C:\ProgramData\Microsoft\...\AMIDEWINx64.exe, PE32+ 28->98 dropped 108 2 other files (none is malicious) 28->108 dropped 152 Multi AV Scanner detection for dropped file 28->152 154 Sample is not signed and drops a device driver 28->154 41 cmd.exe 28->41         started        43 cmd.exe 28->43         started        55 2 other processes 28->55 100 C:\Windows\INF\...\MoUsoCoreWorker.exe, PE32 32->100 dropped 102 C:\Users\user\Desktop\udZEGZYa.log, PE32 32->102 dropped 104 C:\Users\user\Desktop\tpVwUMcc.log, PE32 32->104 dropped 110 10 other malicious files 32->110 dropped 156 Adds a directory exclusion to Windows Defender 32->156 158 Creates processes via WMI 32->158 45 powershell.exe 32->45         started        47 powershell.exe 32->47         started        57 4 other processes 32->57 106 C:\ProgramData\VC_redist.x64.exe, PE32+ 34->106 dropped 49 powershell.exe 34->49         started        51 Conhost.exe 34->51         started        160 Potential dropper URLs found in powershell memory 36->160 53 conhost.exe 36->53         started        118 brofisthej.ddns.net 2.70.186.204, 4822, 49734 HI3GSE Sweden 38->118 120 ipwho.is 108.181.98.179, 443, 49736 ASN852CA Canada 38->120 162 Hides that the sample has been downloaded from the Internet (zone.identifier) 38->162 164 Installs a global keyboard hook 38->164 file13 signatures14 process15 process16 59 DevManView.exe 41->59         started        62 DevManView.exe 41->62         started        72 7 other processes 41->72 74 2 other processes 43->74 64 conhost.exe 45->64         started        66 conhost.exe 47->66         started        68 conhost.exe 49->68         started        70 AMIDEWINx64.exe 55->70         started        76 2 other processes 57->76 signatures17 142 Contains functionality to modify clipboard data 59->142 144 Checks if the current machine is a virtual machine (disk enumeration) 59->144 78 Conhost.exe 62->78         started        80 Conhost.exe 72->80         started        process18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc/
Threat name:
ByteCode-MSIL.Trojan.Perseus
Create hunting rule
Status:
Malicious
First seen:
2023-12-28 18:55:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
22 of 23 (95.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dbbf3lu7bjeqs7ikxxji5rdfx7rpifq3pbe7wkcjjoafrimoxt6a._file
Verdict:
malicious
Similar samples:
3301b53caeb2482dda0672a4f99b1032a76cb3393407a39017a4bc8e3069fd75
QuasarRAT
729a02e6f1c36790f32148d59756f84d4378815d6f9b9860629fa1f6627ff027
QuasarRAT
bfe9444551e5017c82d53140c11c08c41fe9fd821cedbb959f388f2ca7946563
QuasarRAT
c7550dc220b264239f7250607d6af8a0123107be4c377a3c94e5f8e63984b17d
QuasarRAT
dad38069fb5b4df1e583b548a0ade9959885b15b95e3e2c7a916423ab6fe75f7
QuasarRAT
df9104032c91e415db6acc7e364edd70cd1a2b436beb738af5286770c374a683
QuasarRAT
+ 276 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office04 evasion persistence spyware trojan
Link:
https://tria.ge/reports/231228-xkr96sdea7/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Creates new service(s)
Stops running service(s)
Nirsoft
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
brofisthej.ddns.net:4822
Unpacked files
SH256 hash:
2b93377ea087225820a9f8e4f331005a0c600d557242366f06e0c1eae003d669
MD5 hash:
d8bf2a0481c0a17a634d066a711c12e9
SHA1 hash:
7cc01a58831ed109f85b64fe4920278cedf3e38d
Link:
https://www.unpac.me/results/fc74aa8e-83b2-4129-ba75-c476829cc891/
SH256 hash:
7c95d3b38114e7e4126cb63aadaf80085ed5461ab0868d2365dd6a18c946ea3a
MD5 hash:
e9ce850db4350471a62cc24acb83e859
SHA1 hash:
55cdf06c2ce88bbd94acde82f3fea0d368e7ddc6
Link:
https://www.unpac.me/results/fc74aa8e-83b2-4129-ba75-c476829cc891/
SH256 hash:
9536b587fa1b06be4579cfb144cdb5d0ee43e265647a4d1e02205e0c845ed9d1
MD5 hash:
1421378b1fa1b2bec518c7b05c137359
SHA1 hash:
f9434edd2d2519865f650ad4983722b84b006310
Detections:
QuasarRAT
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
win_quasarrat_j2
Create hunting rule
MALWARE_Win_QuasarStealer
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Link:
https://www.unpac.me/results/fc74aa8e-83b2-4129-ba75-c476829cc891/
SH256 hash:
18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc
MD5 hash:
0c0dc0cf41e3c993ae5a22803275949a
SHA1 hash:
e372df2088dfa0695608a0ecf9b98c133abcf8f6
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/fc74aa8e-83b2-4129-ba75-c476829cc891/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/18425dae9f0a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc

(this sample)

  
Delivery method
Distributed via web download

Comments