MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 287dcabb3e75f1731c4c0079b0791b94bab23a4801e82090fe7f74b1b151e19e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 287dcabb3e75f1731c4c0079b0791b94bab23a4801e82090fe7f74b1b151e19e
SHA3-384 hash: 6f6fae19cd831da27d0405ead5d1d49886348fd28f65024d731826bb213caaa17baa16e59f463f5496669ab3ed03c83f
SHA1 hash: 5fe040a1515ca0d11214cb04ce6415699c92f92b
MD5 hash: 39112f9e8ad26ed22a7c5a5c55b596d4
humanhash: victor-kansas-cat-tennessee
File name:287DCABB3E75F1731C4C0079B0791B94BAB23A4801E82.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'021'312 bytes
First seen:2022-05-24 19:48:14 UTC
Last seen:2022-05-24 20:46:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:BCpcMHTouzL2zJyOw2efm/0dKJMBSBEQmbqDGVu5lyhPcEQ4G68/9ySZwu:BHMHBL2l9w2efm8dKuQm2iu5lyhPcj4r
Threatray 64 similar samples on MalwareBazaar
TLSH T1E4E5229D752171EFC86BC876CA681CA0EB916177431FD203A06712DC9E4E99BCF1A0F6
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 646c6c6c6c6c7c78 (1 x QuasarRAT)
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
QuasarRAT C2:
182.186.84.121:6904

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
182.186.84.121:6904 https://threatfox.abuse.ch/ioc/630927/

Intelligence

File Origin
# of uploads :
2
# of downloads :
342
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
287DCABB3E75F1731C4C0079B0791B94BAB23A4801E82.exe
Verdict:
Malicious activity
Analysis date:
2022-05-24 19:51:27 UTC
Tags:
trojan rat quasar asyncrat
Link:
https://app.any.run/tasks/920b6dea-47a6-4ae4-a893-c2a58356757c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/274279/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Launching a process
Searching for synchronization primitives
Launching a service
Sending a custom TCP request
Creating a file
Changing a file
Delayed writing of the file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/628d36b7afb61a3866636769/reports/54e8c462-4390-46a6-9a18-8f9ebec71b5a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d08c2d98-ce2d-4998-a5fb-1f6aacd784b6
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1001019
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 633513 Sample: 287DCABB3E75F1731C4C0079B07... Startdate: 24/05/2022 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 7 other signatures 2->54 9 287DCABB3E75F1731C4C0079B0791B94BAB23A4801E82.exe 4 2->9         started        12 wlanaxt.exe 2->12         started        process3 file4 42 C:\Users\user\AppData\Local\...\wlanaxt.exe, PE32 9->42 dropped 44 287DCABB3E75F1731C...B23A4801E82.exe.log, ASCII 9->44 dropped 14 wlanaxt.exe 1 9->14         started        17 wlanaxt.exe 2 12->17         started        19 wlanaxt.exe 12->19         started        process5 signatures6 64 Antivirus detection for dropped file 14->64 66 Multi AV Scanner detection for dropped file 14->66 68 Machine Learning detection for dropped file 14->68 70 Uses schtasks.exe or at.exe to add and modify task schedules 14->70 21 wlanaxt.exe 4 14->21         started        72 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->72 process7 file8 40 C:\Users\user\AppData\Roaming\...\igfxTry.exe, PE32 21->40 dropped 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->56 25 igfxTry.exe 1 21->25         started        28 schtasks.exe 1 21->28         started        signatures9 process10 signatures11 58 Antivirus detection for dropped file 25->58 60 Multi AV Scanner detection for dropped file 25->60 62 Machine Learning detection for dropped file 25->62 30 igfxTry.exe 2 25->30         started        34 igfxTry.exe 25->34         started        36 igfxTry.exe 25->36         started        38 conhost.exe 28->38         started        process12 dnsIp13 46 techandro.duckdns.org 182.186.84.121, 49768, 6904 PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK Pakistan 30->46 74 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->74 76 Installs a global keyboard hook 30->76 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/287dcabb3e75f1731c4c0079b0791b94bab23a4801e82090fe7f74b1b151e19e/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2021-08-20 13:02:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fb64voz6oxyxghcmab43a6i3ss5leosiahucbeh6p52ldmkr4gpa._file
Verdict:
malicious
Similar samples:
05f1ffa1ec36931cc7eea37bec05882e59b185e237b4832fc0abe393dd5e0519
QuasarRAT
0b84e664c8b592aa0220d52841629b2accb41f1f624720331000ab5f2f0ed628
QuasarRAT
15718441b4ccf5eca76c2663a694d7387137eca50ac8ed9f3df909117ed3f922
QuasarRAT
84f65ea0570ad0cb113671be14dfa4a7d0f04ebfa773d4f53103e401c39511d1
QuasarRAT
b9a1c2a5ed66d7d8acf7c41a44fd0534cecf86a8e673e389a4e5b01c79d29c36
QuasarRAT
+ 54 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office04 spyware trojan
Link:
https://tria.ge/reports/220524-yjm5habacp/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Quasar Payload
Quasar RAT
Malware Config
C2 Extraction:
techandro.duckdns.org:6904
Unpacked files
SH256 hash:
3fe966e21625f83eccdcc49762305a16e6c488397b4e08a98e1be48d93c3a571
MD5 hash:
884c22791622cbd6edc8ad0dfcea87f2
SHA1 hash:
8b2b539c86f49597a05a289fda4ac27b2fd1c177
Link:
https://www.unpac.me/results/f5cfe80c-04d5-4995-9024-dfcb99d0117d/
Parent samples :
fb50faa852bc2917ace3552b02c754c91872d0892e247f51a1e48336e598d6ef
6f97024532dc240921683a3769cb317aefc60bf89c8916b01e80a804675f7487
8e36d4f98a882487bedbedf73cbb010f793c7bb529d133a58673a14850198f9f
SH256 hash:
adb7657e2a744c5a0e5f6b329afe37c51ca7a28cb3ab4e9617575768979ac3ad
MD5 hash:
57c9ab261f233182a8835619f912cc56
SHA1 hash:
3bb54955c8e24dd7fa97c67663e0194a3dffb841
Link:
https://www.unpac.me/results/f5cfe80c-04d5-4995-9024-dfcb99d0117d/
SH256 hash:
c8bfb8264d0abea4be849f23a1bc61cc394ac729efe739d3b8cd4aeb19b09990
MD5 hash:
2e053443da9ca43172ed8f29e79fbd2f
SHA1 hash:
7817b0d21ffe2fe2d966280b80fa43e4f53874f1
Link:
https://www.unpac.me/results/f5cfe80c-04d5-4995-9024-dfcb99d0117d/
SH256 hash:
c74eb5700b137baab95c0d4c2afec72b13e75ab6d64a84c06ca77b0e7a2e48e9
MD5 hash:
44d0bcf177717603843a3a4f22cbed7f
SHA1 hash:
3aeb5c84dc25e71feb39682a35891e0eeb085e01
Link:
https://www.unpac.me/results/f5cfe80c-04d5-4995-9024-dfcb99d0117d/
SH256 hash:
287dcabb3e75f1731c4c0079b0791b94bab23a4801e82090fe7f74b1b151e19e
MD5 hash:
39112f9e8ad26ed22a7c5a5c55b596d4
SHA1 hash:
5fe040a1515ca0d11214cb04ce6415699c92f92b
Link:
https://www.unpac.me/results/f5cfe80c-04d5-4995-9024-dfcb99d0117d/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/287dcabb3e75/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Quasar
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/287dcabb3e75f1731c4c0079b0791b94bab23a4801e82090fe7f74b1b151e19e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274279/

Comments