MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d0e8150809cb78fb1cf2cad89dc63b884ef4459e93ce4fbb4676ff705bb2679. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 4

Intelligence 4 IOCs YARA 2 File information Comments

SHA256 hash:	1d0e8150809cb78fb1cf2cad89dc63b884ef4459e93ce4fbb4676ff705bb2679
SHA3-384 hash:	581c6501ec853bc9333d6d914c6aa8b30585092396e1b7c8c01641f0aa1f2cb27aaaf8f15ea9d46979b43d11d80a73b9
SHA1 hash:	cb596ae82ea41df91878c8325691c788ca4b9625
MD5 hash:	6f941f5bfb397c02f2f5ed7c97fe3811
humanhash:	undress-kilo-romeo-oxygen
File name:	1d0e8150809cb78fb1cf2cad89dc63b884ef4459e93ce4fbb4676ff705bb2679
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	3'202'048 bytes
First seen:	2020-07-06 06:36:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	98304:bDCh1V+/s2k7AGueZFIC/2s50JhNvOaNDt:bDCTqmknQD5uYab
Threatray	1'649 similar samples on MalwareBazaar
TLSH	AFE53325736A66F7CE9E823269D5284603B094706846FBEC6DC834D69CC77EC52037BB
Reporter	JAMESWT_WT
Tags:	QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/20841/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file in the %AppData% subdirectories

Launching a process

Creating a process from a recently created file

Enabling autorun with Startup directory

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1d0e8150809cb78fb1cf2cad89dc63b884ef4459e93ce4fbb4676ff705bb2679/

Threat name:

ByteCode-MSIL.Trojan.Masson

Status:

Malicious

First seen:

2020-07-01 03:28:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=duhicueats3y7mopfswytxddxcco6rcz5e6oj65um5x7obn3ez4q._file

Verdict:

unknown

QuasarRAT

1bf9db8285719827160844a6a51292c30346c3099a4753c92177cba4e59b2404

QuasarRAT

404d422ffb09a4f24ad333ccdd211d0eb2ea84b650f095baadf3443fb6deb7b1

QuasarRAT

409ed5053ca06b5b2c4890875a0cfe7cd9c507eaa436ce0dba81ccf13eb9a0a4

QuasarRAT

5706101b5ffaf565a5690227f1c273b174eb2dcd3565904984a36be84eca6645

QuasarRAT

5ad061c24c84f2447a904efc6f615937d0764e3c717505b962e11f5320c17599

QuasarRAT

bd87e6517c03baa349072568a55eadd6baab262985b09833b104119c7d47c883

QuasarRAT

be6a3c4a0636cf4d05cdc8a58a42221d4e6358460d8dd7a679aebeeafe254a06

QuasarRAT

c8c3bc6c01dee147be04e3fbaeb5ff72fbee21e676ba04b7326738e692cec9d0

QuasarRAT

ece024ccd4accbc99e106f03c4b4764765b37615e3caa0b021084ac5f689cc3e

QuasarRAT

+ 1'639 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200706-lq8wn8bwxe/

Behaviour

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/20841/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample