MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22fdaddfc72a9e1bdfca54d70170db8a82c176fd633fa3a76125961e975369f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 12 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22fdaddfc72a9e1bdfca54d70170db8a82c176fd633fa3a76125961e975369f4
SHA3-384 hash: c70e26cd61d5ac829aacfaaee4d12801d6d083b2bb4a6160400f726a39c604b2b5ebec2aad29f812982c2c12d29bc847
SHA1 hash: e28ed3d923a9889ffc24f74cdad607a1a1005b59
MD5 hash: be39493dac5e473ba50f9b004003eba7
humanhash: sierra-queen-mockingbird-muppet
File name:be39493dac5e473ba50f9b004003eba7
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:354'816 bytes
First seen:2021-08-28 05:04:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'854 x AgentTesla, 19'783 x Formbook, 12'304 x SnakeKeylogger)
ssdeep 6144:gvNHXf500MUS+YH3V3obR5PMTj9xQ7Hc8e:Gd50lVXRoOTj9xQ7Hq
Threatray 208 similar samples on MalwareBazaar
TLSH T1F8748D1377A8E97BD1FD177AE47206050BB0D64BBA16E38F5A5C45B92E133868D803B3
Reporter zbetcheckin
Tags:32 exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
be39493dac5e473ba50f9b004003eba7
Verdict:
Malicious activity
Analysis date:
2021-08-28 05:07:01 UTC
Tags:
rat quasar evasion trojan
Link:
https://app.any.run/tasks/b2fb5791-0e5b-4163-9c6b-44fa371cbce8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/182999/
Detection(s):
Win.Packed.Passwordstealera-9792228-0
Create hunting rule

Win.Packed.Generic-9829635-0
Create hunting rule

Win.Trojan.Generic-9829636-0
Create hunting rule

Win.Packed.Generic-9830106-0
Create hunting rule

Win.Trojan.Generic-6295765-0
Create hunting rule

Win.Malware.Generic-6623004-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a window
Sending a custom TCP request
Sending a UDP request
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0cacb69b-23f5-4ac2-91c4-ac1bfd5153bb
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840649
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
quasar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/22fdaddfc72a9e1bdfca54d70170db8a82c176fd633fa3a76125961e975369f4/
Threat name:
ByteCode-MSIL.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2021-08-26 23:45:00 UTC
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=el623x6hfkpbxx6kktlqc4g3rkbmc5x5mm72hj3bewlb5f2tnh2a._file
Verdict:
malicious
Similar samples:
44ea4b14ee643709c87800d407e19e45d9f6a1f3bea15c00de3afcfba2614e8a
QuasarRAT
4c6c1c0d7925af6c2891164d67743204132fcc8ea3cda471c005f446ea1cfda1
QuasarRAT
51ad568171d6a835bc1edd45cfe1fee659085dfc4522ac3d93c1458688d44bd5
QuasarRAT
5f5021b3286e9d1b8e9fa9d53319773f0be1c7603efddd040124be7c60424edc
QuasarRAT
810bbf258484b94bf2e51c7fba2f8a19f6aaf1137c982d2d6a97e600159c16fa
QuasarRAT
904a518a8c867a1fd79e963fcdd317aa9f5a76eb6964b027cb0566d4a87102d7
QuasarRAT
9cdcc531878d3a23d2da833a058efa100b91d212e4d5780cb21d5d36db0cbd01
QuasarRAT
b71d6728f8709dc2b8b6a57bbd0ea7d27e78a0ea16af5eff61b2d11f983e0129
QuasarRAT
b7f09be3bf95632ac3219b3d402a419e9bc40a54a3fc6ac1c57c183798e525fe
QuasarRAT
ee1b2c9bdba344c7fe2dc2bec7544a038ad64dbed6add636ecdd426079296c28
QuasarRAT
+ 198 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:nx3
Link:
https://tria.ge/reports/210828-g73wlhe9rn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Looks up external IP address via web service
Malware Config
C2 Extraction:
androidapk.ovh:95
Unpacked files
SH256 hash:
22fdaddfc72a9e1bdfca54d70170db8a82c176fd633fa3a76125961e975369f4
MD5 hash:
be39493dac5e473ba50f9b004003eba7
SHA1 hash:
e28ed3d923a9889ffc24f74cdad607a1a1005b59
Link:
https://www.unpac.me/results/df8240c5-de51-4f2e-a8bf-063b30166563/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/22fdaddfc72a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22fdaddfc72a9e1bdfca54d70170db8a82c176fd633fa3a76125961e975369f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 22fdaddfc72a9e1bdfca54d70170db8a82c176fd633fa3a76125961e975369f4

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/182999/
  
URLhaus
https://urlhaus.abuse.ch/url/1571485/

Comments


Avatar
zbet commented on 2021-08-28 05:04:20 UTC

url : hxxp://androidapk.ovh/q.exe