MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2149d167c87cf15f48aa1852adcf96c9a62287a26496ff33892ecc67500d3be2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 4

Intelligence 4 IOCs YARA 8 File information Comments

SHA256 hash:	2149d167c87cf15f48aa1852adcf96c9a62287a26496ff33892ecc67500d3be2
SHA3-384 hash:	9f5659d859d7f6921f6663d888286d4b03177e7edf61a9e79f06341bea64ef8efdc363f26fabedf7f68d2cd706d9f0df
SHA1 hash:	f5b7e7e2fc67d36742d030284c476f2714ee95d9
MD5 hash:	075242d9c59e4f9c33f2fe956f54737a
humanhash:	shade-muppet-november-mexico
File name:	SecuriteInfo.com.BehavesLike.Win32.Generic.jc.21657
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	622'592 bytes
First seen:	2020-04-14 10:01:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:7awKK9y5Q1NI/AZts9hg6Ay8atY6H6DhuJfhv8w+:7a+NI/Ab6Ay8atY3mhv8w
Threatray	387 similar samples on MalwareBazaar
TLSH	3CD4BE567BCAEE44F9A20A7A5C6DE311169DFC8008D5FB2F74A9736CEC703A854E02D4
Reporter	SecuriteInfoCom
Tags:	QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.jc.21657.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-04-14 08:13:45 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=efe5cz6iptyv6sfkdbjk3t4wzgtcfb5cmslp6m4jf3ggouanhpra._file

Verdict:

malicious

Label(s):

agenttesla

QuasarRAT

23b916e5bb30f814e9819cf3499fe56820380b827b20f595022eabbd47267374

QuasarRAT

55bca504c5ff798d6c5d4431eff4dda8df6ebfca0db4d86b0f1bf770ff550a0f

QuasarRAT

6ea011e6a1836355936582525e455b151057c89b7f1780ab52c6f5c4cb19ddad

QuasarRAT

8247e9152d0b43ffa80b4c82843bb0903043841c8b9c855ff312461f6443faf4

QuasarRAT

8e395f386862d95d1a2837a56ffac8ec6a8dacd3e61fac1912f1960ada8c5abd

QuasarRAT

9b915d2e5f70b859d8c2eafc94bd593d3e53255444a5b4b651dfb9c2523d83d7

QuasarRAT

c2c89da1518a4950cedec3129aa86fce21ccec502586e44a7f3b3757b44a1e1c

QuasarRAT

eed41a2c1215d2ca0ef2022172504a565b7a968e6263e173fceb6f1b1747d795

QuasarRAT

f2a6395f3ae63cfeb7a50854bd0de43748013309a7871f3c114711fa0867c8ce

QuasarRAT

+ 377 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CN_disclosed_20180208_KeyLogger_1 Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	MSILStealer Create hunting rule
Author:	https://github.com/hwvs
Description:	Detects strings from C#/VB Stealers and QuasarRat
Reference:	https://github.com/quasar/QuasarRAT

Rule name:	Quasar Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect QuasarRAT in memory

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Quasar_RAT_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Vermin_Keylogger_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Vermin Keylogger
Reference:	https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

Rule name:	xRAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Patchwork malware
Reference:	https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

exe 2149d167c87cf15f48aa1852adcf96c9a62287a26496ff33892ecc67500d3be2

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/340016/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample