MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e857555be92a0e4bfa8c0e5dc5b7b91a08e6daea0036e3bf23d3d3de79e495f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	1e857555be92a0e4bfa8c0e5dc5b7b91a08e6daea0036e3bf23d3d3de79e495f
SHA3-384 hash:	2daedae58d46c4418ea47ff3e7211453952f9fb6d249276d1830db5007370c7f0408f61ebebf4f4d9fce68d662393bdf
SHA1 hash:	66685b623a76db33ebd58559ced84cd52c55e6d8
MD5 hash:	02131e8f0df6fe1c45e971f505f80f6f
humanhash:	stairway-hotel-bulldog-nuts
File name:	1e857555be92a0e4bfa8c0e5dc5b7b91a08e6daea0036e3bf23d3d3de79e495f
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	1'150'976 bytes
First seen:	2021-08-30 06:24:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	32c5de998b5f069b26c94c8143b13c06 (7 x DCRat, 6 x AsyncRAT, 3 x QuasarRAT)
ssdeep	24576:eo9rH2nXcEFxUcDGCLaLqdOrsblHNuoJqhxqd8fMd2/At:eoKbVDGMaQxxHNu6qhxqUMdW4
Threatray	5'138 similar samples on MalwareBazaar
TLSH	T1503512C4DE281276E17719B0A02368CCE9B50DE02F7CC4BB43F6479A7E72239A576587
Reporter	JAMESWT_WT
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1e857555be92a0e4bfa8c0e5dc5b7b91a08e6daea0036e3bf23d3d3de79e495f

Verdict:

Malicious activity

Analysis date:

2021-08-30 06:35:49 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/fe70a34f-ce2f-42a0-a15d-26ff1901be13

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

QuasarRAT

Link:

https://www.capesandbox.com/analysis/183556/

Detection(s):

Win.Malware.Noobyprotect-6622929-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending an HTTP GET request

Creating a file in the Program Files subdirectories

Launching a process

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a file

Sending a UDP request

Setting a keyboard event handler

Creating a file in the %AppData% subdirectories

Creating a window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun by creating a file

Malware family:

Quasar RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9f05b70e-a6a3-47c9-aa54-593ba456834f

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/842034

Signature

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1e857555be92a0e4bfa8c0e5dc5b7b91a08e6daea0036e3bf23d3d3de79e495f/

Threat name:

Win32.Trojan.Black

Status:

Malicious

First seen:

2021-08-23 09:53:03 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

32 of 46 (69.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=d2cxkvn6skqojp5iyds5yw33sgqi43nouabw4o7shu6t3z46jfpq._file

Verdict:

unknown

QuasarRAT

5d682001504dc58701765ca9721e4b4b9eb5b5e73469731fe787d15217cd7435

QuasarRAT

6c827d61cbe6d4b9c2851c1c234353265188e805cc27ebe195b9133e1f8fcc80

QuasarRAT

7b483b575f88d063ec7d84405be25d5d29579133e9951e5f7b5e2b0d9632472f

QuasarRAT

ae0a99c5cc44699f19c5967df89e034876b214da707275a33bcf7298697ac184

QuasarRAT

b2f8c095e6542fb5f7f87a96d085c689855ab449a29668e7873bf4afd7e597d2

QuasarRAT

e6313d65c6dfa85c2aa1f5cfefc0b71ec47d6b9f6f4ef5351fd86b9f6fbbd935

QuasarRAT

e7cc1a50c3ab054c7c102301d32b802813f0651154f585ac315d0778a81501c8

QuasarRAT

+ 5'128 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar spyware trojan

Link:

https://tria.ge/reports/210830-nfj9lzsg36/

Behaviour

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Looks up external IP address via web service

Loads dropped DLL

Executes dropped EXE

Quasar RAT

Unpacked files

SH256 hash:

1e857555be92a0e4bfa8c0e5dc5b7b91a08e6daea0036e3bf23d3d3de79e495f

MD5 hash:

02131e8f0df6fe1c45e971f505f80f6f

SHA1 hash:

66685b623a76db33ebd58559ced84cd52c55e6d8

Link:

https://www.unpac.me/results/1c04ba0c-5010-47b3-beb1-dd5d029a4e1b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1e857555be92a0e4bfa8c0e5dc5b7b91a08e6daea0036e3bf23d3d3de79e495f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	MALWARE_Win_QuasarRAT Create hunting rule
Author:	ditekSHen
Description:	QuasarRAT payload

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	Quasar Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect QuasarRAT in memory

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Quasar_RAT_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/183556/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample