MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22bc08e20863b17e90450407d165aabb2f629fd3e92f58b9edee1b2093290413. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 11 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22bc08e20863b17e90450407d165aabb2f629fd3e92f58b9edee1b2093290413
SHA3-384 hash: 4ac7bae0acd4e26f645fcecb6f92cd6c8bf752a8dbb7d10cb6da2071f2e948c4ed102f8537ca5141018a4792be52b778
SHA1 hash: a540ac29563ddeb948a36e2d18822f568f466b44
MD5 hash: 742d07180cb13ef49af926500163da5d
humanhash: spaghetti-kitten-chicken-muppet
File name:742d07180cb13ef49af926500163da5d
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:300'544 bytes
First seen:2021-07-23 00:58:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:Ro7lYJHuSHgB24gY+KUXCGGIGPOXLEoV8wpBG+/F0WUkQ5A725OVd+XBbq/Z+enL:+7lRw4W04V8CBG+bU87Zgbq/4e4
Threatray 14 similar samples on MalwareBazaar
TLSH T11C544C1467FC8A1EE6EE177CC4B445018FB9E966A82EF78E5DC060BD1C52B89CC81763
Reporter zbetcheckin
Tags:32 exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
742d07180cb13ef49af926500163da5d
Verdict:
Malicious activity
Analysis date:
2021-07-23 00:59:21 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/8fd7f828-cd23-455a-8ce6-24d91ad407b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
xRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173464/
Detection(s):
Win.Packed.Downeks-9804522-0
Create hunting rule

Win.Packed.Generic-9830106-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dfd26de6-3d67-424f-b091-857e1ecf57fe
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/820480
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22bc08e20863b17e90450407d165aabb2f629fd3e92f58b9edee1b2093290413/
Threat name:
ByteCode-MSIL.Trojan.Xlceint
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 03:39:24 UTC
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
0a86370c2e094aa16cf56acf57bcc15294e2a66a8c12c1c52794b1ce965cf31e
QuasarRAT
16a8b0ec8a49078760b6b849ee1175dbc7256cbc12fe43ad87e626e50d01dde4
QuasarRAT
245deb1693e39d6340bcd2e8c9d8f5e78e4906e359172b150a066eb1678987f5
QuasarRAT
29790388ca244a8fd3bb2448a59e45fba4dc715fec7a0bf09a7f6d4df79ef9a9
QuasarRAT
79c2240abb05bcad2847f6fe50ae69f6a3cbdeea82bdc659e75f85eb59f442f9
QuasarRAT
7ba2419d74a5a9c7ef362bf40d0e1563bd02fd16fada16c8da39cf178c6306be
QuasarRAT
9b629ce7607ee755d467e058cf51187d2ca5c095d5dc5708826f9c47b06c3c07
QuasarRAT
a3f98ee0a78f039e0a9ea52dba13c713dc46f749512bd7d108cc9c05f57fc93d
QuasarRAT
a80d95225bc4a9c606336a1dede6ab0e4298be745bc7000312e84b0fad5f5461
QuasarRAT
f568505e20f76187cb566ebe132a5af855b8c5c83c1f33497696798c81d90f50
QuasarRAT
+ 4 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar spyware trojan
Link:
https://tria.ge/reports/210723-vk61328rmj/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Looks up external IP address via web service
Quasar RAT
Unpacked files
SH256 hash:
22bc08e20863b17e90450407d165aabb2f629fd3e92f58b9edee1b2093290413
MD5 hash:
742d07180cb13ef49af926500163da5d
SHA1 hash:
a540ac29563ddeb948a36e2d18822f568f466b44
Link:
https://www.unpac.me/results/2a57d1eb-d669-461c-9613-08c09fa0dd7c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/22bc08e20863b17e90450407d165aabb2f629fd3e92f58b9edee1b2093290413

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:pe_imphash
Create hunting rule
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:RAT_Imminent
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects Imminent RAT
Reference:http://malwareconfig.com/stats/Imminent
Rule name:RAT_xRAT
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects xRAT
Reference:http://malwareconfig.com/stats/xRat
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 22bc08e20863b17e90450407d165aabb2f629fd3e92f58b9edee1b2093290413

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1474764/
Cape
Cape
https://www.capesandbox.com/analysis/173464/

Comments


Avatar
zbet commented on 2021-07-23 00:58:29 UTC

url : hxxp://toobalhost.publicvm.com/new/Runtime%20Broker.exe