MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ef4ebd10553a48ea05850048a0ba4ab052f98186b487f76a52a3116052f3b0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT
Vendor detections: 10

SHA256 hash: 2ef4ebd10553a48ea05850048a0ba4ab052f98186b487f76a52a3116052f3b0d
SHA3-384 hash: 8288d07fa658974b62ec3019c9cdebc31ca7787db110334d03fd3ff22370b529ed63c3f48c0332b22de6f2c65e2ba17a
SHA1 hash: 584ef67f3490d1f7fff99988758890016d5a4465
MD5 hash: b010aa952980b89a9bc7a325a86108e9
humanhash: nineteen-carpet-magnesium-purple
File name: 1.cmd
Signature: QuasarRAT
File size: 1'651'056 bytes
First seen: 2024-10-03 12:15:31 UTC
Last seen: Never
File type: cmd
MIME type: text/plain
ssdeep: 24576:4BhLQBV7GDgYd5lMoEyUj/NVw0kXYCMJlE2fyXGbXzg1UOzcUq:4zEoTEzl2WE6rL
Threatray: 832 similar samples on MalwareBazaar
TLSH: T1D67523C1379F7A990EABCA4EA15FAF1956469FD74A1BE0DF54C3219308E86434E37C20
Magika: powershell
Reporter: JAMESWT_WT
Tags: cmd QuasarRAT whyareyouherewho-ru

Intelligence

File Origin
# of uploads: 1
# of downloads: 82
Origin country: IT

Vendor Threat Intelligence

Verdict: Malicious
Score: 93.3%
Tags: Quasar Gumen

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: cmd lolbin powershell

Result
Verdict: UNKNOWN

Result
Threat name: n/a
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  Adds a directory exclusion to Windows Defender
  AI detected suspicious sample
  Hides that the sample has been downloaded from the Internet (zone.identifier)
  Installs a global keyboard hook
  Loading BitLocker PowerShell Module
  Malicious sample detected (through community Yara rule)
  Sigma detected: Base64 Encoded PowerShell Command Detected
  Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
  Suricata IDS alerts for network traffic
  Suspicious command line found
  Suspicious powershell command line found
  Uses the Telegram API (likely for C&C communication)
Behaviour
Behavior Graph: (graph image not reproduced; node data recovered from the graph text follows)
Behavior Graph ID: 1524946 | Sample: 1.cmd | Start date: 03/10/2024 | Architecture: WINDOWS | Score: 100
Process tree:
  1.cmd
    cmd.exe
      powershell.exe  (drops C:\Users\user\AppData\Roaming\SC.cmd, ASCII; contacts api.telegram.org and azure-winsecure.com; signatures: Suspicious powershell command line found; Adds a directory exclusion to Windows Defender; Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook)
        powershell.exe  (Loading BitLocker PowerShell Module)
          conhost.exe
          WmiPrvSE.exe
        powershell.exe
          conhost.exe
        powershell.exe
          conhost.exe
        powershell.exe
      conhost.exe
      cmd.exe
    cmd.exe
      conhost.exe
Network nodes:
  api.telegram.org 149.154.167.220, 443, 49715 TELEGRAMRU United Kingdom  (Uses the Telegram API (likely for C&C communication))
  azure-winsecure.com 154.216.20.132, 49712, 7000 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles
  checkip.eu-west-1.prod.check-ip.aws.a2z.com
  4 other IPs or domains (root node); 2 other IPs or domains (first powershell.exe)
Root-node signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet; 3 other signatures; Suspicious command line found (cmd.exe)
Threat name: Win32.Trojan.Znyonm
Status: Malicious
First seen: 2024-09-19 21:56:05 UTC
File Type: Text (PowerShell)
AV detection: 5 of 24 (20.83%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:quasar botnet:solidity execution spyware trojan
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Looks up external IP address via web service
  Blocklisted process makes network request
  Command and Scripting Interpreter: PowerShell
  Quasar RAT
  Quasar payload
Malware Config
C2 Extraction: azure-winsecure.com:7000

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments