MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26045ebcab6264e4894fcb4e8a88b258af23efd3f09474cde657d8f6a223bf71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26045ebcab6264e4894fcb4e8a88b258af23efd3f09474cde657d8f6a223bf71
SHA3-384 hash: d0f06a700a86652796e65903b2463c086bf399e2092a0c72eb2c6f211a9bc3d8cad7eedd37040554b0ed283e6562a8f1
SHA1 hash: 0939fe573f1f3fbfc759fff71f24b0c8876eee84
MD5 hash: 7ba1d3fc485b8e23c11a390950dc9a7b
humanhash: michigan-papa-july-spaghetti
File name:Pago.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'349'615 bytes
First seen:2022-07-11 10:49:08 UTC
Last seen:2022-07-12 09:38:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:dhvJVJdMa9H1wElCkipEwnSHaZW1Cx0S5I1fmcBYwOOACLvJJ+iD9p:t3d3CkiS2W00Sy1/a19CDTp
Threatray 2'265 similar samples on MalwareBazaar
TLSH T19B552201BDC258B1E2B11E35592566209A7DBC201F34CFDFA3D05A6DEE311D1EB32BA6
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon eccc8c94d4d8e8b4 (2 x QuasarRAT)
Reporter lowmal3
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
Pago.exe
Verdict:
Malicious activity
Analysis date:
2022-07-11 19:19:55 UTC
Tags:
evasion trojan quasar
Link:
https://app.any.run/tasks/9ddd51cc-09cd-4b23-9024-8b5a3abf7ef5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/286177/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37098799.28291.25939.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% directory
Running batch commands
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/25032/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
greyware overlay packed scar setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/62cc005fb380a35161761acd/reports/682cf5a8-f971-4177-9e28-f943908122a4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95dd5b35-4ead-4904-a318-14f42336a94b
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1028452
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 660947 Sample: Pago.exe Startdate: 11/07/2022 Architecture: WINDOWS Score: 100 108 zickfreddickople.freedynamicdns.net 2->108 110 ip-api.com 2->110 126 Snort IDS alert for network traffic 2->126 128 Malicious sample detected (through community Yara rule) 2->128 130 Antivirus detection for URL or domain 2->130 132 7 other signatures 2->132 15 Pago.exe 4 9 2->15         started        18 server1.exe 2->18         started        21 server1.exe 2->21         started        23 server1.exe 2->23         started        signatures3 process4 file5 102 C:\Users\user\AppData\...\server1.sfx.exe, PE32 15->102 dropped 25 cmd.exe 1 15->25         started        122 Injects a PE file into a foreign processes 18->122 28 server1.exe 18->28         started        31 server1.exe 21->31         started        33 server1.exe 23->33         started        signatures6 process7 dnsIp8 148 Uses ping.exe to sleep 25->148 150 Uses ping.exe to check the status of other devices and networks 25->150 35 server1.sfx.exe 7 25->35         started        39 conhost.exe 25->39         started        116 ip-api.com 28->116 152 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->152 41 cmd.exe 28->41         started        118 ip-api.com 31->118 43 cmd.exe 31->43         started        signatures9 process10 file11 100 C:\Users\user\AppData\Roaming\server1.exe, PE32 35->100 dropped 134 Multi AV Scanner detection for dropped file 35->134 45 server1.exe 1 35->45         started        136 Uses ping.exe to sleep 41->136 48 conhost.exe 41->48         started        50 chcp.com 41->50         started        52 PING.EXE 41->52         started        54 server1.exe 41->54         started        56 conhost.exe 43->56         started        58 chcp.com 43->58         started        60 PING.EXE 43->60         started        62 server1.exe 43->62         started        signatures12 process13 signatures14 156 Multi AV Scanner detection for dropped file 45->156 158 May check the online IP address of the machine 45->158 160 Machine Learning detection for dropped file 45->160 162 2 other signatures 45->162 64 server1.exe 16 4 45->64         started        process15 dnsIp16 104 ip-api.com 208.95.112.1, 49748, 49759, 49760 TUT-ASUS United States 64->104 106 192.168.2.1 unknown unknown 64->106 98 C:\Users\user\AppData\Roaming\...\scdn.exe, PE32 64->98 dropped 124 Hides that the sample has been downloaded from the Internet (zone.identifier) 64->124 69 scdn.exe 1 64->69         started        72 schtasks.exe 1 64->72         started        file17 signatures18 process19 signatures20 138 Multi AV Scanner detection for dropped file 69->138 140 May check the online IP address of the machine 69->140 142 Machine Learning detection for dropped file 69->142 144 Injects a PE file into a foreign processes 69->144 74 scdn.exe 69->74         started        78 conhost.exe 72->78         started        process21 dnsIp22 112 zickfreddickople.freedynamicdns.net 74->112 114 ip-api.com 74->114 154 Hides that the sample has been downloaded from the Internet (zone.identifier) 74->154 80 cmd.exe 74->80         started        83 schtasks.exe 74->83         started        signatures23 process24 signatures25 120 Uses ping.exe to sleep 80->120 85 scdn.exe 80->85         started        88 conhost.exe 80->88         started        90 chcp.com 80->90         started        92 PING.EXE 80->92         started        94 conhost.exe 83->94         started        process26 signatures27 146 Injects a PE file into a foreign processes 85->146 96 scdn.exe 85->96         started        process28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26045ebcab6264e4894fcb4e8a88b258af23efd3f09474cde657d8f6a223bf71/
Threat name:
Win32.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2022-07-06 11:54:20 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eycf5pflmjsojckpznhivcfslcxsh36t6ckhjtpgk7mpnirdx5yq._file
Verdict:
malicious
Similar samples:
07a775e0ce0b693e7fe1b7b0175b2951f52bef2ae0ca2d150efc0f40079c735a
QuasarRAT
0a3719034534630aa13dfff817954b553ced8877c06110351b09a0591994e321
QuasarRAT
33ad97412d0ea51dd14c970ea67a92b237b28de04add5ecc3f64f9696fb3ed1c
QuasarRAT
421cde677434a520708c647a5709ee40ac8ac0a13e8a7c68ad4997c7f1e040b1
QuasarRAT
65de7f369ef7a90554d6bdda6905bfea516a75e08515d52399e5d7a5653a7a53
QuasarRAT
87b49f5381e9870bfda19fe73f05fbead0fa012553ed7a4ca03e69228bd0618c
QuasarRAT
91a63868ca56bae97b954c0ece75ed4f66e18bf2c258a9ed5712e376bae7220c
QuasarRAT
f316c880b72b4d6344056800c3c578981bb973b7315538699d500a72f757c496
QuasarRAT
+ 2'255 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:woop spyware suricata trojan
Link:
https://tria.ge/reports/220711-mw9cqaagb3/
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Quasar RAT
Quasar payload
suricata: ET MALWARE Common RAT Connectivity Check Observed
Malware Config
C2 Extraction:
zickfreddickople.freedynamicdns.net:64592
ickfredkople.ignorelist.com:64592
dnuocc.com:64592
Unpacked files
SH256 hash:
5a5b236139773dfc23764e586613279a8c3544acd0381e8930ec99dc9b4767f0
MD5 hash:
90bdf378472c1e8b4ab25dee659890f7
SHA1 hash:
7118add9c81c42cfc10a2496af284e89d45d97d8
Link:
https://www.unpac.me/results/9173caee-b95a-42c1-a42f-ac599e29c630/
SH256 hash:
531d55bcac57e03975e87abbe48d61a949857ac8f1a15d681e79f8d6107846dd
MD5 hash:
07a0a3651fc0d59e9ce851f8129216b8
SHA1 hash:
57fbd768755bebf94db5d679b2d8633d7c662bba
Link:
https://www.unpac.me/results/9173caee-b95a-42c1-a42f-ac599e29c630/
SH256 hash:
7131a27ae9855e5eb43c680f2c5a1f2158988d28b9e1e084b66b7c28564a25d8
MD5 hash:
1feeaebd5b66fef9b622a0e13442d86c
SHA1 hash:
14bf0c43df59139d496bb96c31d4a3a5459d8001
Link:
https://www.unpac.me/results/9173caee-b95a-42c1-a42f-ac599e29c630/
SH256 hash:
26045ebcab6264e4894fcb4e8a88b258af23efd3f09474cde657d8f6a223bf71
MD5 hash:
7ba1d3fc485b8e23c11a390950dc9a7b
SHA1 hash:
0939fe573f1f3fbfc759fff71f24b0c8876eee84
Link:
https://www.unpac.me/results/9173caee-b95a-42c1-a42f-ac599e29c630/
Malware family:
xRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/26045ebcab62/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26045ebcab6264e4894fcb4e8a88b258af23efd3f09474cde657d8f6a223bf71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:suspicious_sfx_files_simple_rule
Create hunting rule
Author:Razvan.A.B
Description:Detects suspicious files containing sfx
Rule name:suspicious_sfx_files_size_rule
Create hunting rule
Author:Razvan.A.B
Description:Detects suspicious files containing sfx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

Executable exe 26045ebcab6264e4894fcb4e8a88b258af23efd3f09474cde657d8f6a223bf71

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/286177/

Comments