MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29790388ca244a8fd3bb2448a59e45fba4dc715fec7a0bf09a7f6d4df79ef9a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29790388ca244a8fd3bb2448a59e45fba4dc715fec7a0bf09a7f6d4df79ef9a9
SHA3-384 hash: 5f47a1ca6cb4b6ddeb1949d8824afa17392343fc3195493d448bf77fca4576d24d073cc20bae8a45fec216348af4d4ad
SHA1 hash: a1856bb94c397591cbfdc4c6f2fe6c4c7ca0e87a
MD5 hash: f5548703090af5eeed046c1f957ee626
humanhash: virginia-maine-eight-yankee
File name:update.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'583'104 bytes
First seen:2020-04-03 16:27:26 UTC
Last seen:2020-04-03 20:31:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (423 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 24576:3k70TrcoGQIkNfhEZxGJ0AQlutC9CgXpb7kTlpteQZ+j4OJzZJik:3kQTAQI8qZxVAqut6pXpPmbtePj9bJik
Threatray 195 similar samples on MalwareBazaar
TLSH D375232132C2C672C4B6257880F5C7B85A7770BA4367C6EBF19A6B661D303E1573B2C6
Reporter cocaman
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Gen.Variant.Razy.624632.19078.25440.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-03 11:53:57 UTC
File Type:
PE (Exe)
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ff4qhcgkerfi7u53ereklhsf7osny4k75r5ax4e2p5wu35467guq._file
Verdict:
malicious
Similar samples:
09862d16ba8e513ce4cc3c98d2fc0c86247a7d42394209b3eb590ef6ddf80494
QuasarRAT
1b13660c52adcccc1cef45f137a3373f5615500a609c61a9872e5ed4336e629a
QuasarRAT
1e2773c36054c3392f3e220d4c22cce63f31750c2ee6707198e4d15648f11897
QuasarRAT
245deb1693e39d6340bcd2e8c9d8f5e78e4906e359172b150a066eb1678987f5
QuasarRAT
3a5943219f8400531a411b909b666337ba4f232d19e003a0128e0d699106f04f
QuasarRAT
3c90e174ff5097d991e0b99001a4e64e0c9e312df0ec03cee51380148974920e
QuasarRAT
6b85fd7249ceaf4a88f71ad1becb27b9c9a17b1c1bd2cb75f25cdc7b1318785a
QuasarRAT
79c2240abb05bcad2847f6fe50ae69f6a3cbdeea82bdc659e75f85eb59f442f9
QuasarRAT
8b1cbfd7ebbd072782a2748d614c53c2084159ef8ccc8f11247c539923ff44a9
QuasarRAT
9b629ce7607ee755d467e058cf51187d2ca5c095d5dc5708826f9c47b06c3c07
QuasarRAT
+ 185 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

Word file doc 8a7b041f69625be377710ee7290cb01122a026b8f7772ee1d0cfaa8c93551808

QuasarRAT

Executable exe 29790388ca244a8fd3bb2448a59e45fba4dc715fec7a0bf09a7f6d4df79ef9a9

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 8a7b041f69625be377710ee7290cb01122a026b8f7772ee1d0cfaa8c93551808
  
URLhaus
https://urlhaus.abuse.ch/url/334527/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA

Comments