MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32298d53ff378e1f1597076d02226c84755b84a84fd40f6261cd1e4cbd723384. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32298d53ff378e1f1597076d02226c84755b84a84fd40f6261cd1e4cbd723384
SHA3-384 hash: 7a316c5ef045d460026b71ac49bb093f51063919a4d7380d4d49e2f40aa67b2eeb3eaaf78d34ad277bfbe8a599b72559
SHA1 hash: 2402a53277181acd1e7988daf7667ccd95ebbbc3
MD5 hash: 9f269ba2988704d0b895016b337f2875
humanhash: nineteen-cardinal-white-massachusetts
File name:ORDER-PO29394934.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'063'000 bytes
First seen:2020-10-11 16:40:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:5SHqxxB2P5MWJuRVuabA1DElr0iazzbOzQvTzCniSQlfEkLeKW9mN/z902ldP3bX:5DKu+5BzBZ5W9mNC2lz9
Threatray 343 similar samples on MalwareBazaar
TLSH 9035D37EADE40937D6778673C5F61282EB16BA823606ED0F22D713410E1376B6C8AD5C
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
Malspam distributing QuasarRAT:

HELO: webmail.cyber.net.pk
Sending IP: 203.101.175.37
From: sales <arktex@cyber.net.pk>
Subject: New ORDER - Quotation Request
Attachment: ORDER-PO29394934.lzh (contains "ORDER-PO29394934.exe")

QuasarRAT C2:
greathop.fastestmaking.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Setting a keyboard event handler
Creating a file in the %AppData% subdirectories
Creating a window
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487750
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/32298d53ff378e1f1597076d02226c84755b84a84fd40f6261cd1e4cbd723384/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-11 08:37:40 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=giuy2u77g6hb6fmxa5wqeitmqr2vxbfij7ka6ytbzupezplsgoca._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0a699d50cee9fc3eb46b0703c5502a84fbb357757853e25474683baf8f477fe0
QuasarRAT
383422deddf4a90f0a8595727fd85959a847ee602eaf4a460e9cc27c751e26e5
QuasarRAT
420da876f8efdf70da0ec0ccd1b7aaa09547b6868d5fc655c05b50eadf20c360
QuasarRAT
4d304c854141d69a578a006c7982fe1b915f5424b017c46e25ec65301c66f395
QuasarRAT
84321d91850ce025e214ab49400d8c1fade931a55483a87582f4f266e3ec196b
QuasarRAT
8459e6fc893b7dd880895eb1be14cf8a3bec6003bbb8493f819e48ba84491b87
QuasarRAT
96425dbadde8f6374899265654e2e0d7e471c756c34dff01f7d5ab08cb0c6a23
QuasarRAT
a05377124fe9f9a262ddb1b58d2eac7556299ec686bf5c2f005bd4792131a3c8
QuasarRAT
bfd922757fc0667e42b7d5de0b6cf78f7a08a335b3beef49782be73b8433619e
QuasarRAT
f7d1402eb35c67bfb9f0cdf77c4050fc40c936fc0034d8b86bdbd20deed76db0
QuasarRAT
+ 333 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
trojan spyware family:quasar
Link:
https://tria.ge/reports/201011-ydggnxwyts/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Quasar RAT
Unpacked files
SH256 hash:
5ef84a54445c1fdb9e809fc2b1b42eab33c5c8b8ce772a09bebab3a727525e38
MD5 hash:
58caa9205f7cae95cfa3795fb9caf527
SHA1 hash:
217aeac650e96539ff62e8904446a6ce0daefac4
Link:
https://www.unpac.me/results/3f22461b-74ad-4a05-b855-e6847f52e5c1/
SH256 hash:
a9297020585c27a43c2dcf2aa2d2a5e57cbcab6e983e163fa0600db160854bc0
MD5 hash:
2bb1b65b97a843053c3683b7ee1e8e99
SHA1 hash:
f3cb66ade4ba1d2f7d8ec2c3370944c68fcd152d
Link:
https://www.unpac.me/results/3f22461b-74ad-4a05-b855-e6847f52e5c1/
SH256 hash:
32298d53ff378e1f1597076d02226c84755b84a84fd40f6261cd1e4cbd723384
MD5 hash:
9f269ba2988704d0b895016b337f2875
SHA1 hash:
2402a53277181acd1e7988daf7667ccd95ebbbc3
Link:
https://www.unpac.me/results/3f22461b-74ad-4a05-b855-e6847f52e5c1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/32298d53ff378e1f1597076d02226c84755b84a84fd40f6261cd1e4cbd723384

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

rar 7b7e7f1d22bb5e31ab8ff025c514f42ed85fdae9a0011acb51e3244950e28a06

QuasarRAT

Executable exe 32298d53ff378e1f1597076d02226c84755b84a84fd40f6261cd1e4cbd723384

(this sample)

  
Dropped by
MD5 76fa52c398656ea66db2deea51794b82
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 7b7e7f1d22bb5e31ab8ff025c514f42ed85fdae9a0011acb51e3244950e28a06
Cape
Cape
https://www.capesandbox.com/analysis/69847/

Comments