MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2261f624e99b92e00913fd0fc189ae96bb115b3ae5b393e0170066f032b12af1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2261f624e99b92e00913fd0fc189ae96bb115b3ae5b393e0170066f032b12af1
SHA3-384 hash: fab782999dfc6d8f84c29081d7e7751cadd03252c780da16711f382bc1b36ef6c309c062511b9ffb1cc4e4bfc6b8859e
SHA1 hash: d18da5d905ddc8977a63019df1aa32032c94a946
MD5 hash: 48578ca46a647e621583b8b3da2bbbc4
humanhash: monkey-neptune-video-tango
File name:Anast_Client-built_new.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'234'225 bytes
First seen:2020-09-16 12:10:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 24576:X53uhF8ZcjXB476PaZMr5U3aDAWaPUPTRNTwX6KR8+:X5+hFxPaZSCOtNkq8
Threatray 18 similar samples on MalwareBazaar
TLSH D245235132CA80F6C8E32A302910AB2B7D7AF6705B20C5CBA74426176D565F75B3F3A7
Reporter JAMESWT_WT
Tags:QuasarRAT

Code Signing Certificate

Organisation:Softland SRL
Issuer:DigiCert EV Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Dec 10 00:00:00 2018 GMT
Valid to:Dec 14 12:00:00 2021 GMT
Serial number: 040CC2255DB4E48DA1B4F242F5EDFA73
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 1270A79829806834146EF50A8036CFCC1067E0822E400F81073413A60AA9ED54
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/62020/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

PUA.Win.Trojan.Generic-6843329-0
Create hunting rule

PUA.Win.Dropper.Driverpack-6931197-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.File.Generic-7135455-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
DNS request
Delayed writing of the file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Searching for the window
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/467775
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Certutil Command
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 286305 Sample: Anast_Client-built_new.exe Startdate: 16/09/2020 Architecture: WINDOWS Score: 84 53 Antivirus / Scanner detection for submitted sample 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Sigma detected: Drops script at startup location 2->57 59 3 other signatures 2->59 9 Anast_Client-built_new.exe 7 2->9         started        process3 signatures4 63 Contains functionality to register a low level keyboard hook 9->63 12 cmd.exe 1 9->12         started        14 cmd.exe 1 9->14         started        process5 signatures6 17 cmd.exe 2 12->17         started        21 conhost.exe 12->21         started        67 Drops PE files with a suspicious file extension 14->67 23 conhost.exe 14->23         started        process7 file8 39 C:\Users\user\AppData\Local\...\csrss.com, PE32 17->39 dropped 61 Uses ping.exe to sleep 17->61 25 csrss.com 17->25         started        28 PING.EXE 1 17->28         started        31 PING.EXE 1 17->31         started        33 certutil.exe 2 17->33         started        signatures9 process10 dnsIp11 65 Drops PE files with a suspicious file extension 25->65 35 csrss.com 6 25->35         started        47 127.0.0.1 unknown unknown 28->47 49 192.168.2.1 unknown unknown 28->49 51 SrHBN.SqZJ 31->51 signatures12 process13 dnsIp14 45 ssR.ssR 35->45 41 C:\Users\user\AppData\Roaming\aes\aes.com, PE32 35->41 dropped 43 C:\Users\user\AppData\Roaming\...\aes.url, MS 35->43 dropped file15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2261f624e99b92e00913fd0fc189ae96bb115b3ae5b393e0170066f032b12af1/
Threat name:
Win32.Trojan.CryptInject
Create hunting rule
Status:
Malicious
First seen:
2020-09-14 07:29:19 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ejq7mjhjtojoacit7uh4dcnos25rcwz24wzzhyaxabtpamvrflyq._file
Verdict:
suspicious
Similar samples:
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
QuasarRAT
1630f3fabf80e99d1990176b5736835496bdbd74610d1e43eefd7088e2529a6e
QuasarRAT
1c421e6eea0c7d28016da05e2be26a099f94bb355e05ed1088c2098c024760b1
QuasarRAT
1db0242b6f7de2919880e833801ce2b48bbf83c136235a537b17211e1193d611
QuasarRAT
29c0c875bd961391938a48794be49c006a1ee8c31e25a1fd5f0891f5dcd46e6c
QuasarRAT
70a71789d47c49a03c3547aec8ec74aa76c43811aacb2dd43dd455590c11a2cc
QuasarRAT
77867995d1e8388230c9f71fee5e835b346bfcfef3fde418c6a773eea11b4afd
QuasarRAT
94dc4632159764895ff15118dacc7c5b4c3f84722b4ae5c89b9b120adeec92bf
QuasarRAT
cb04bfdeb1a12eaab0a0442ecdf62ce49d2c1daa5b4345412cf3462b9ab26803
QuasarRAT
e832fe2b9251b58442d1c9e380ae5f5d338af57a43329f79786e333c15507ec4
QuasarRAT
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200916-qymd3n8ey2/
Behaviour
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Barys
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2261f624e99b92e00913fd0fc189ae96bb115b3ae5b393e0170066f032b12af1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MSILStealer
Create hunting rule
Author:https://github.com/hwvs
Description:Detects strings from C#/VB Stealers and QuasarRat
Reference:https://github.com/quasar/QuasarRAT
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:win_blackshades_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/62020/

Comments