MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a653abe4b7712e10fd1b60ab8a3d6a5dd4819a6102c02cca5f0664127035486. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a653abe4b7712e10fd1b60ab8a3d6a5dd4819a6102c02cca5f0664127035486
SHA3-384 hash: b5ec56f002e96877234763e6709793d34b48cb8b1421a92cf8d2543fd03745da1f9b84844133f9b9ca46053efac61bf1
SHA1 hash: ca4a2f664a96b5868dfb2880ae75c5e7e02a3876
MD5 hash: 87006e4003c9e387b10d9635c2884389
humanhash: don-artist-table-mars
File name:Etritqm.bin
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:798'208 bytes
First seen:2022-06-26 18:23:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Od9r4th40lZFBfeMC/HwWijpljwJlOEUs98w90/16h51UVFV6MTiilMGrPQI:g9rUZDfeM2Q7jTMbOEDt0y51Uni6b
Threatray 1'642 similar samples on MalwareBazaar
TLSH T10205004FE201F949EDE35031D96CB78477246E204996AD77A8F8BB2589B110BBCF03B5
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon c420c4cca2c4f071 (1 x QuasarRAT, 1 x AsyncRAT)
Reporter KdssSupport
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
Etritqm.exe
Verdict:
Malicious activity
Analysis date:
2022-06-26 18:02:56 UTC
Tags:
quasar
Link:
https://app.any.run/tasks/70f6bfe8-17c3-4a1b-a0a7-db5beed0e9b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/283355/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Creating a file
Creating a file in the Windows subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62b8a4831fcdba4e1a5c522d/reports/72313cdd-1ecd-4908-9b06-d3cd4b6a7f19/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/edeeaba8-3ea4-4644-bd05-6a39267fa9bc
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1020015
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 652512 Sample: Etritqm.bin Startdate: 26/06/2022 Architecture: WINDOWS Score: 100 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus / Scanner detection for submitted sample 2->72 74 Yara detected Quasar RAT 2->74 76 6 other signatures 2->76 8 Etritqm.exe 1 7 2->8         started        12 Eozjlitty.exe 4 2->12         started        14 Eozjlitty.exe 3 2->14         started        16 InstallUtil.exe 3 2->16         started        process3 file4 64 C:\Users\user\AppData\...ozjlitty.exe, PE32 8->64 dropped 66 C:\Users\...ozjlitty.exe:Zone.Identifier, ASCII 8->66 dropped 68 C:\Users\user\AppData\...tritqm.exe.log, ASCII 8->68 dropped 84 Encrypted powershell cmdline option found 8->84 18 InstallUtil.exe 5 8->18         started        22 InstallUtil.exe 8->22         started        24 powershell.exe 15 8->24         started        86 Antivirus detection for dropped file 12->86 88 Machine Learning detection for dropped file 12->88 26 InstallUtil.exe 12->26         started        28 powershell.exe 12->28         started        30 InstallUtil.exe 14->30         started        32 powershell.exe 14->32         started        34 conhost.exe 16->34         started        signatures5 process6 file7 62 C:\Windows\SysWOW64\winsysgen\winsysgen.exe, PE32 18->62 dropped 36 winsysgen.exe 4 18->36         started        38 schtasks.exe 1 18->38         started        78 Uses schtasks.exe or at.exe to add and modify task schedules 22->78 40 conhost.exe 24->40         started        80 Drops executables to the windows directory (C:\Windows) and starts them 26->80 82 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->82 42 schtasks.exe 26->42         started        44 winsysgen.exe 26->44         started        46 conhost.exe 28->46         started        48 schtasks.exe 30->48         started        50 conhost.exe 32->50         started        signatures8 process9 process10 52 conhost.exe 36->52         started        54 conhost.exe 38->54         started        56 conhost.exe 42->56         started        58 conhost.exe 44->58         started        60 conhost.exe 48->60         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a653abe4b7712e10fd1b60ab8a3d6a5dd4819a6102c02cca5f0664127035486/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2022-06-26 18:24:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=djstvpslo4jocd6rwyflri6wuxouqgngcawaftff6btecjydksda._file
Verdict:
malicious
Similar samples:
3659778cc75ed1428fe16a288b28095311ffdc650a1202482376b4f3c04b75f3
QuasarRAT
585e4146923404bbe11c2cf5a423e2650a5d133541e9baeacb64a4d675f6484d
QuasarRAT
66aa3076bab656dc495c3a7cd2f8cfef86ffe2082d209fabe8c64905b8c76cb9
QuasarRAT
71b507a5d2ef28b951d65ba5a737c75e6e0ecdda454e7c70a40bd37b083ce9bd
QuasarRAT
7d6cfc5cfb6243152ee28b41a00650c3c95cc3615a5407c6ec094632926b99e2
QuasarRAT
8be3c7231a1d547531c3e669d380fd00b5b3e773da201b34bed04810062329c0
QuasarRAT
a792be03af23fe52b708d22df6cadeb3374bb5500416a862eee57ea56db20fd5
QuasarRAT
d3a5310046716a79439b26f59b1cd70e4220fbb3d4161c8cd57806be2b56be43
QuasarRAT
ea04e1c9f1de856c0a0023309410a758b26bdff39e4afbfe329a9b6a805cf23e
QuasarRAT
+ 1'632 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:main_sys persistence spyware trojan
Link:
https://tria.ge/reports/220626-w112ksdhc7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Quasar Payload
Quasar RAT
Malware Config
C2 Extraction:
0.0.0.0:4782
147.135.106.246:4782
Unpacked files
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/00008029-b78c-42d3-bb4e-bc61e185c447/
SH256 hash:
2406660112c19fbb440db9c53ba43f236f27e758ae727994ea8e64dfa5c367db
MD5 hash:
5810d37088c4401ecef42bddea95bc42
SHA1 hash:
89bce6697cf23f224461f7e9437eebfacc021d77
Link:
https://www.unpac.me/results/00008029-b78c-42d3-bb4e-bc61e185c447/
SH256 hash:
5da453c109f49347904e67085a451406034c5e7655b94365ab4a558797834f20
MD5 hash:
c96aa69d08fb9842f423cbebaf91bd77
SHA1 hash:
7abb9797c247592c14fa32cd938d6b4880840703
Link:
https://www.unpac.me/results/00008029-b78c-42d3-bb4e-bc61e185c447/
SH256 hash:
1a653abe4b7712e10fd1b60ab8a3d6a5dd4819a6102c02cca5f0664127035486
MD5 hash:
87006e4003c9e387b10d9635c2884389
SHA1 hash:
ca4a2f664a96b5868dfb2880ae75c5e7e02a3876
Link:
https://www.unpac.me/results/00008029-b78c-42d3-bb4e-bc61e185c447/
Malware family:
xRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1a653abe4b77/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a653abe4b7712e10fd1b60ab8a3d6a5dd4819a6102c02cca5f0664127035486

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/283355/

Comments