MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35ff4deae0c490da9ad29de5ebdfd852e4ef514987598e826921bee6da5edc77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35ff4deae0c490da9ad29de5ebdfd852e4ef514987598e826921bee6da5edc77
SHA3-384 hash: 63f6097246d53fcec9e352081552bfa480fbeb96d59d7679f1c57e16c142d1e32ab3fb3e5a2a4531eae1891a03e28c3f
SHA1 hash: 342a69c5857f56e9eddc91fec38be1e34a3ed5ed
MD5 hash: 4c35b1756289e507682aa375acda9978
humanhash: alaska-missouri-september-enemy
File name:Client-built.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:357'376 bytes
First seen:2021-07-05 13:43:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:vKMJx4pweP7kJS3iwwGuIp7zWRPtr6nvPv6xWinKbxocOYKlFUtEM5zkq9N:vKoSznnv6MinPrFUtEM5Qq9N
Threatray 198 similar samples on MalwareBazaar
TLSH 39746C556BA8C72AE2AE177BF571C50587B2A55BB51FE38B179C80B82C33382DD402D3
Reporter Anonymous
Tags:exe QuasarRAT RAT


Avatar
Anonymous
Retrieved from: https://cdn.discordapp.com/attachments/771351958783131690/861589139328466954/Client-built.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://cdn.discordapp.com/attachments/771351958783131690/861589139328466954/Client-built.exe
Verdict:
Malicious activity
Analysis date:
2021-07-05 13:37:35 UTC
Tags:
rat quasar evasion trojan
Link:
https://app.any.run/tasks/343f7b35-9a88-45c9-b457-278bdfc62b47

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169755/
Detection(s):
Win.Malware.Generic-6623004-0
Create hunting rule

Win.Packed.Passwordstealera-9792228-0
Create hunting rule

Win.Packed.Generic-9830106-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.Phoenix-Keylogger.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f028a2a-8992-4783-bebc-6f7a79853152
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/811876
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 444285 Sample: Client-built.exe Startdate: 05/07/2021 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 5 other signatures 2->51 8 Client-built.exe 15 5 2->8         started        13 Client-built.exe 2 2->13         started        process3 dnsIp4 31 ip-api.com 208.95.112.1, 49688, 49692, 80 TUT-ASUS United States 8->31 27 C:\Users\user\AppData\Roaming\...\Client.exe, PE32 8->27 dropped 29 C:\Users\user\...\Client-built.exe.log, ASCII 8->29 dropped 53 May check the online IP address of the machine 8->53 55 Uses schtasks.exe or at.exe to add and modify task schedules 8->55 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->57 15 Client.exe 14 4 8->15         started        19 schtasks.exe 1 8->19         started        file5 signatures6 process7 dnsIp8 33 jereshost.ddns.net 85.76.45.68, 4782 ELISA-ASHelsinkiFinlandEU Finland 15->33 35 ip-api.com 15->35 37 Antivirus detection for dropped file 15->37 39 May check the online IP address of the machine 15->39 41 Machine Learning detection for dropped file 15->41 43 2 other signatures 15->43 21 schtasks.exe 1 15->21         started        23 conhost.exe 19->23         started        signatures9 process10 process11 25 conhost.exe 21->25         started       
Detection:
quasar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/35ff4deae0c490da9ad29de5ebdfd852e4ef514987598e826921bee6da5edc77/
Threat name:
ByteCode-MSIL.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2021-07-05 13:44:12 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gx7u32xaysinvgwstxs6xx6yklso6ukjq5my5atjeg7onws63r3q._file
Verdict:
malicious
Similar samples:
26cb425375a7613736c367866d0b79b8b7d8845437ec88e87bc83146445f892e
QuasarRAT
2df82d12b3e4627ffb2f7c0e6c8371f23c4beabb935f93b2c88389953fc07027
QuasarRAT
40ac8e128b78d30d49accda865a6ca90a23cf7b7e5f31042c7df55a9fe1b5af4
QuasarRAT
707bb653348d222860771a6117aa869ab2a032f6cdfe0d29a251374462e59058
QuasarRAT
7276f014cbee4a7ffd297a0e90472bfa17b024932cb6371a06c0845e143b88e1
QuasarRAT
b3d36e86a478b5223968e34ca51bff54002eb9b1a01ef26d8b657d49dd4dd831
QuasarRAT
bbf62b7d87429bb832abb5c8f37635c05be6724eaab9afd13a7780595919f3a2
QuasarRAT
cf09bc45a7101670e26f9468d7425a42880ee539626b1653216c4ceb4a89b7fb
QuasarRAT
d6031bb15fd16cac9b514985035e18f08f0beaaa0542a66274467cb66e76a8fd
QuasarRAT
e2d6b8bc603260f1a7564a044523d230c31c8d873deabb579cae90b88f1b92b9
QuasarRAT
+ 188 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:dartz-pc spyware trojan
Link:
https://tria.ge/reports/210705-8r4rqp7vza/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Quasar Payload
Quasar RAT
Malware Config
C2 Extraction:
jereshost.ddns.net:4782
Unpacked files
SH256 hash:
35ff4deae0c490da9ad29de5ebdfd852e4ef514987598e826921bee6da5edc77
MD5 hash:
4c35b1756289e507682aa375acda9978
SHA1 hash:
342a69c5857f56e9eddc91fec38be1e34a3ed5ed
Link:
https://www.unpac.me/results/1c9000b0-0326-469e-9994-f4f2bb6242fe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35ff4deae0c490da9ad29de5ebdfd852e4ef514987598e826921bee6da5edc77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MSILStealer
Create hunting rule
Author:https://github.com/hwvs
Description:Detects strings from C#/VB Stealers and QuasarRat
Reference:https://github.com/quasar/QuasarRAT
Rule name:pe_imphash
Create hunting rule
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 35ff4deae0c490da9ad29de5ebdfd852e4ef514987598e826921bee6da5edc77

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/169755/
  
URLhaus
https://urlhaus.abuse.ch/url/1428635/

Comments