MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28637cdb78354b4275c9ab7c7383e18d7735d195937861cab26092fc80ab7797. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 39 File information Comments

SHA256 hash:	28637cdb78354b4275c9ab7c7383e18d7735d195937861cab26092fc80ab7797
SHA3-384 hash:	ab809cfeec908ef9df350d63fd609ed7ed48bacc334ea1835a5ddc71a19208bc8052e6ca2a5a2586f991c4182a75c00e
SHA1 hash:	5f2a8af77b9d12bc4aafcf1392f9ab60fe98329d
MD5 hash:	415fc115f79e0e468d23c2f18bf9c579
humanhash:	oscar-winter-fish-lemon
File name:	Ton618 (2).exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	6'966'784 bytes
First seen:	2024-10-03 12:39:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	98304:FBVSI53AB5nRMpsQtbF1Z08CaecT1bAICTO:Fb0jRMhzlwICT
Threatray	827 similar samples on MalwareBazaar
TLSH	T104666C246BFC5E2BD06EC3B1C5F24027B2F0E4AE73629B1B55C5A7691A13702598327F
TrID	31.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 24.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 18.3% (.EXE) InstallShield setup (43053/19/16) 7.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	exe OnimaiHarmony QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

351

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Ton618 (2).exe

Verdict:

No threats detected

Analysis date:

2024-10-03 12:43:23 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e77af998-dd1f-4440-8642-61c4632bb731

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Trojan.MSShellcode-6

Win.Malware.Bulz-9933026-0

Win.Packed.Lazy-10019085-0

Win.Packed.Lazy-10019086-0

Win.Packed.Downeks-6898097-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66fe94c30fdf88870979f46d

Tags:

Powershell Metasploit Emotet Quasar

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Creating a window

Launching a process

Creating a process with a hidden window

Connection attempt

Setting a keyboard event handler

Creating a file in the Windows subdirectories

Deleting a recently created file

Searching for synchronization primitives

Unauthorized injection to a recently created process

Creating a file in the system32 subdirectories

Forced system process termination

Setting browser functions hooks

Forced shutdown of a system process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Enabling autorun by creating a file

Using obfuscated Powershell scripts

Unauthorized injection to a browser process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

agenttesla anti-vm anti-vm certreq cmd control crypto evasive expand explorer greyware infostealer keylogger lolbin packed packed quasarrat rat remote schtasks stealer stealer stealerium

Link:

https://www.filescan.io/uploads/66fe906b161fc470c717bd86/reports/fe6b3455-454d-411f-a142-1dc1cd0fc875/overview

Verdict:

Malicious

Labled as:

Dump:Generic.ShellCode.Metasploit.Marte.2

Link:

https://www.hybrid-analysis.com/sample/28637cdb78354b4275c9ab7c7383e18d7735d195937861cab26092fc80ab7797

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Metasploit Framework

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1af8c397-57cf-40be-8c10-e45c3d4251eb

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1524966

Signature

.NET source code contains potential unpacker

.NET source code contains process injector

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Creates an autostart registry key pointing to binary in C:\Windows

Creates autostart registry keys with suspicious values (likely registry only malware)

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs a global keyboard hook

Installs new ROOT certificates

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Obfuscated command line found

Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)

Queries temperature or sensor information (via WMI often done to detect virtual machines)

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential WinAPI Calls Via CommandLine

Suspicious powershell command line found

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/28637cdb78354b4275c9ab7c7383e18d7735d195937861cab26092fc80ab7797

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/28637cdb78354b4275c9ab7c7383e18d7735d195937861cab26092fc80ab7797/

Threat name:

ByteCode-MSIL.Exploit.MetasploitMarte

Status:

Malicious

First seen:

2024-09-25 14:37:26 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fbrxzw3ygvfue5ojvn6hha7brv3tlumvsn4gdsvsmcjpzaflo6lq._file

Verdict:

malicious

Label(s):

metasploit

quasarrat

r77

r77_stager

QuasarRAT

5b28e872a0b3d9d1d93c147def90a926399ac90a43718b24d104b04dfe589fd2

QuasarRAT

7a83a44720d94be24a8e7745d6871d65afda849c4008ab72511dd5ac38c7378c

QuasarRAT

8676871f8bbd1cb90e314eaa8f8a16c598289e8cea9ffca4050d9cb5a85edc2a

QuasarRAT

b108344a4bdd297bc875c4da54162c753b1b104abb1e5383b2ed348fea2a0eea

QuasarRAT

e96f8f61e3af77c429ae6af54c128f7b8420a45a0a63bdfcacd682773b8e5fc1

QuasarRAT

error

QuasarRAT

ff6b8599327f09bf46bec16e6535b82f27a804f4877799772e843a85f3f1b573

QuasarRAT

+ 817 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar bootkit defense_evasion discovery evasion execution persistence spyware trojan

Link:

https://tria.ge/reports/241003-pvnezaxgnp/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Drops file in Windows directory

Drops file in System32 directory

Suspicious use of SetThreadContext

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Checks BIOS information in registry

Checks computer location settings

Indicator Removal: Clear Windows Event Logs

Sets service image path in registry

Modifies security service

Quasar RAT

Quasar payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Malicious

Tags:

red_team_tool metasploit cobalt_strike backdoor rshell rootkit rat quasar_rat

YARA:

Stairwell_CobaltStrike_Stager_API_Hashing Windows_Trojan_Metasploit_7bc0f998 Windows_Trojan_Metasploit_c9773203 mal_metasploit_shellcode_windows_powershell_tcp Windows_Rootkit_R77_ee853c9f malware_windows_quasarrat MAL_QuasarRAT_May19_1

Link:

https://app.threat.zone/submission/b21d7f1a-04a1-4df1-87e6-d195a167c994

Unpacked files

SH256 hash:

d1280b9dc5f11ef6571bd762dd0348fcd4afe180484ded20f8e54e6b797da5a9

MD5 hash:

c37b784a964f60ab7106c7cab1a37546

SHA1 hash:

70156a6c308be27a366dd9bce9c4ed80f94ef99c

Link:

https://www.unpac.me/results/0c2c57bf-a3dc-4c98-8831-01ff690c0cf6/

SH256 hash:

393808948c14aa2770baecfdc5cc474a9f4b9fbbbfc64dc0382e01799d498e79

MD5 hash:

2f09fc3a09e4493ba156642b77c4752d

SHA1 hash:

62f13218322d2818ede69ee4905accfa632b30db

Link:

https://www.unpac.me/results/0c2c57bf-a3dc-4c98-8831-01ff690c0cf6/

SH256 hash:

86c53ff10caf6526f116a979f99ed9ef20140cc4eea66ac9c2661c90c35b203c

MD5 hash:

4c221409b394ab84dd006073cfbb884a

SHA1 hash:

00a33cba84c3e8a0bc7135472b6d438f1a31cb95

Link:

https://www.unpac.me/results/0c2c57bf-a3dc-4c98-8831-01ff690c0cf6/

SH256 hash:

28637cdb78354b4275c9ab7c7383e18d7735d195937861cab26092fc80ab7797

MD5 hash:

415fc115f79e0e468d23c2f18bf9c579

SHA1 hash:

5f2a8af77b9d12bc4aafcf1392f9ab60fe98329d

Detections:

QuasarRAT

malware_windows_xrat_quasarrat

cn_utf8_windows_terminal

MAL_QuasarRAT_May19_1

Link:

https://www.unpac.me/results/0c2c57bf-a3dc-4c98-8831-01ff690c0cf6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/28637cdb78354b4275c9ab7c7383e18d7735d195937861cab26092fc80ab7797

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifacts observed in infostealers

Rule name:	mal_metasploit_shellcode_windows_powershell_tcp Create hunting rule
Author:	Maxime THIEBAUT (@0xThiebaut)
Description:	Detects Metasploit import-hashes from the windows/powershell_bind_tcp and windows/powershell_reverse_tcp payloads
Reference:	https://blog.nviso.eu/2021/09/02/anatomy-and-disruption-of-metasploit-shellcode/

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Description:	Detects QuasarRAT malware

Rule name:	MAL_QuasarRAT_May19_1_RID2E1E Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETDLLMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RC6_Constants Create hunting rule
Author:	chort (@chort0)
Description:	Look for RC6 magic constants in binary
Reference:	https://twitter.com/mikko/status/417620511397400576

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Rootkit_R77_ee853c9f Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

Rule name:	Windows_Trojan_Metasploit_7bc0f998 Create hunting rule
Description:	Identifies the API address lookup function leverage by metasploit shellcode

Rule name:	Windows_Trojan_Metasploit_7bc0f998 Create hunting rule
Author:	Elastic Security
Description:	Identifies the API address lookup function leverage by metasploit shellcode

Rule name:	Windows_Trojan_Metasploit_c9773203 Create hunting rule
Description:	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference:	https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm

Rule name:	Windows_Trojan_Metasploit_c9773203 Create hunting rule
Author:	Elastic Security
Description:	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference:	https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample