MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2df82d12b3e4627ffb2f7c0e6c8371f23c4beabb935f93b2c88389953fc07027. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 5

Intelligence 5 IOCs YARA 7 File information Comments

SHA256 hash:	2df82d12b3e4627ffb2f7c0e6c8371f23c4beabb935f93b2c88389953fc07027
SHA3-384 hash:	f3c60d1a8856c685682f0843a2dc7ee73a2c284093924166b17c2856da0d83976ca275ec3a2d47466ea672e5a10a6baf
SHA1 hash:	f9cd11db0ea6cdf1eff853f5ff8dced9685dcd3d
MD5 hash:	823aa3cf675413975a3e850aa4c4f644
humanhash:	nuts-skylark-snake-zulu
File name:	2df82d12b3e4627ffb2f7c0e6c8371f23c4beabb935f93b2c88389953fc07027
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	357'376 bytes
First seen:	2020-06-10 07:52:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	6144:BKhJ10FpSizcN9QbFOL19XBKugzfkyNIOhvbC+h6UMvqEX6FE0G:BK3V1nKugjxSqAJX6G0G
Threatray	90 similar samples on MalwareBazaar
TLSH	7F747D596BE8C62BE3BF07B7F531C2058776E44AB51EF78B565D80B82C227428D402DB
Reporter	JAMESWT_WT
Tags:	QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Generic-6623004-0

Gathering data

Threat name:

ByteCode-MSIL.Backdoor.QuasarRAT

Status:

Malicious

First seen:

2020-06-07 19:12:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 31 (90.32%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fx4c2evt4rrh76zppqhgza3r6i6ex2v3snpzhmwiqoezkp6aoatq._file

Verdict:

malicious

QuasarRAT

1f6a8fd32a14dd74a23ad8e588d3543120b254290283d6092693d564ea0fc265

QuasarRAT

25a419f3b2963cf24fda8824b538b67dc73fd2e4d32e73cd5bfdf935c61769dd

QuasarRAT

26cb425375a7613736c367866d0b79b8b7d8845437ec88e87bc83146445f892e

QuasarRAT

40ac8e128b78d30d49accda865a6ca90a23cf7b7e5f31042c7df55a9fe1b5af4

QuasarRAT

b29a1b48648aacf2fe60861692bd0991cf226956ea986b687972667496e1d7d7

QuasarRAT

b3d36e86a478b5223968e34ca51bff54002eb9b1a01ef26d8b657d49dd4dd831

QuasarRAT

d6031bb15fd16cac9b514985035e18f08f0beaaa0542a66274467cb66e76a8fd

QuasarRAT

e2d6b8bc603260f1a7564a044523d230c31c8d873deabb579cae90b88f1b92b9

QuasarRAT

e99398f753e61710eaea626dc778a19fc47a34f103b5ff1daaa0d7ad7f6432c4

QuasarRAT

+ 80 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar spyware trojan

Link:

https://tria.ge/reports/201109-qdrpkyyxwe/

Behaviour

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Loads dropped DLL

Executes dropped EXE

Quasar RAT

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CN_disclosed_20180208_KeyLogger_1 Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	MSILStealer Create hunting rule
Author:	https://github.com/hwvs
Description:	Detects strings from C#/VB Stealers and QuasarRat
Reference:	https://github.com/quasar/QuasarRAT

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Quasar_RAT_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Vermin_Keylogger_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Vermin Keylogger
Reference:	https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

Rule name:	xRAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Patchwork malware
Reference:	https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample