MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a048808e7db60ac3ffe45b0e22e96bd254dabc1af2b216951dc2d41ab0ea52c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a048808e7db60ac3ffe45b0e22e96bd254dabc1af2b216951dc2d41ab0ea52c
SHA3-384 hash: eb8f487d7657d7bc7ca2c5e75dfe76f611795adf367d47021c3b0f753f0fbecd6f31a2d009a3db2380045b7e02a1750f
SHA1 hash: 72b6927da6cd1738e4d7a324ca05c8d7d9473cd4
MD5 hash: f9c209ab7bb863117962cbd5f0a7d00b
humanhash: jupiter-stairway-solar-sodium
File name:Quote.iso
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:2'752'512 bytes
First seen:2022-04-14 10:40:42 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 49152:CPF4zrRx0nhx9KGCLJGbpJZsw9QCmagg2kK:CPC/vmhxcLLJ6p3swGKggm
TLSH T1A6D5DF427244E986D0175EF3186FC6615678AD9E8020C64E3B97BE2B95F3B03346BB4F
TrID 99.6% (.NULL) null bytes (2048000/1)
0.2% (.ATN) Photoshop Action (5007/6/1)
0.0% (.BIN/MACBIN) MacBinary 1 (1033/5)
0.0% (.ABR) Adobe PhotoShop Brush (1002/3)
0.0% (.SMT) Memo File Apollo Database Engine (88/84)
Reporter proxylife
Tags:AgentTesla iso QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Iso_fs1801.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Stealer.23680.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe greyware obfuscated packed remote.exe replace.exe
Link:
https://www.filescan.io/uploads/6257fa60ffe27d5119cd28b7/reports/15b35f75-7efa-4359-9467-36b0bfc66ce4/overview
Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a048808e7db60ac3ffe45b0e22e96bd254dabc1af2b216951dc2d41ab0ea52c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-11 15:11:01 UTC
File Type:
Binary (Archive)
Extracted files:
58
AV detection:
16 of 42 (38.10%)
Threat level:
  5/5
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:quasar botnet:office04 collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220414-mq39hsbadn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5127674234:AAHGscjRk7JCDDCItFO4GPZfan-K7Hc89Z8/sendDocument
216.250.250.94:4788
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a048808e7db60ac3ffe45b0e22e96bd254dabc1af2b216951dc2d41ab0ea52c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments