MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3659778cc75ed1428fe16a288b28095311ffdc650a1202482376b4f3c04b75f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 12

SHA256 hash: 3659778cc75ed1428fe16a288b28095311ffdc650a1202482376b4f3c04b75f3
SHA3-384 hash: 0d28e843e851db73aedbab5b3abd29269815935bf0a1207ab9c46f8c45d81fe31029daeacc49ca7bf13b7ffd548bcfa5
SHA1 hash: 95f5ffd073bbae37c2f6522527ef61d39412925d
MD5 hash: 9daad8a510c67855bc204ebe400a92dc
humanhash: north-stream-angel-carbon
File name: 9daad8a510c67855bc204ebe400a92dc.exe
Signature QuasarRAT
File size: 1'043'800 bytes
First seen: 2022-03-09 18:51:14 UTC
Last seen: 2022-03-09 20:52:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:lAWU+jrb6pPT1gxpMoR3QHxxlQHcIXZ7Wtavt6qHBRespLAgd1qk30cWTNiWMZUX:Y+Pb6AbjJQREcIJ/16qGs640TTJFV
TLSH T161257CAB23052A45E8BFFA264CECD4264BF253EDC100DD936DB950C469524B93B72CDE
dhash icon ceccc4c6cef0f2d4 (9 x AsyncRAT, 1 x NanoCore, 1 x BitRAT)
Reporter abuse_ch
Tags: exe QuasarRAT RAT signed

Code Signing Certificate

Organisation: TEST
Issuer: TEST
Algorithm: sha1WithRSAEncryption
Valid from: 2022-03-07T19:52:52Z
Valid to: 2023-03-07T19:52:52Z
Serial number: 532824d4ebce3e89292a061f729ba22f
Thumbprint Algorithm: SHA256
Thumbprint: ca344d4b3e8a266623fbc3caf00851f6131180211c278d8c6be780ad4218d4fd
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
QuasarRAT C2:
159.69.234.4:4782

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 159.69.234.4:4782
ThreatFox Reference: https://threatfox.abuse.ch/ioc/393326/

Intelligence


File Origin
# of uploads: 2
# of downloads: 265
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Adding an access-denied ACE
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Sending a custom TCP request
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a single autorun event
Adding exclusions to Windows Defender
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated overlay packed quasar
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: File Created with System Process Name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Quasar RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (graph image not reproduced; node data recovered from the graph text follows):
Behavior Graph ID: 586040; Sample: FJzVSxTBVm.exe; Startdate: 09/03/2022; Architecture: WINDOWS; Score: 100
Contacted domains/IPs (top level): tools.keycdn.com; store-images.s-microsoft.com; 2 other IPs or domains
Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected UAC Bypass using CMSTP; 10 other signatures
Processes started (top level): FJzVSxTBVm.exe; svchost.exe; svchost.exe; 9 other processes
FJzVSxTBVm.exe dropped: C:\Windows\Cursors\LCIzB4k\svchost.exe (PE32); C:\Users\user\AppData\...\FJzVSxTBVm.exe.log (ASCII)
FJzVSxTBVm.exe signatures: Creates an autostart registry key pointing to binary in C:\Windows; Writes to foreign memory regions; Adds a directory exclusion to Windows Defender; 2 other signatures
FJzVSxTBVm.exe started: aspnet_regbrowsers.exe; powershell.exe; powershell.exe; 2 other processes
svchost.exe (first instance) signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
svchost.exe (second instance) signatures: Changes security center settings (notifications, updates, antivirus, firewall); started MpCmdRun.exe
Other processes contacted: 127.0.0.1 (unknown); 192.168.2.1 (unknown)
aspnet_regbrowsers.exe network: tools.keycdn.com 185.172.148.96, 443, 49783, 49789 (PROINITYPROINITYDE Germany); 159.69.234.4, 4782, 49782, 49785 (HETZNER-ASDE Germany); 2 other IPs or domains
aspnet_regbrowsers.exe signatures: May check the online IP address of the machine; Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
conhost.exe started by: powershell.exe (both instances); MpCmdRun.exe; the 2 other processes started by FJzVSxTBVm.exe
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-03-08 12:03:00 UTC
File Type: PE (.Net Exe)
Extracted files: 2
AV detection: 24 of 42 (57.14%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:quasar botnet:office04 evasion persistence spyware suricata trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Windows security modification
Quasar Payload
Quasar RAT
Windows security bypass
suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
Malware Config
C2 Extraction: 159.69.234.4:4782
Unpacked files
SHA256 hash: c0f528336c8c013a0cd57ea622705943d9cceaf5a3f330d0098814ce6f89ea75
MD5 hash: 3ce200de1459a487e4261b48c1a2c791
SHA1 hash: bae0bdb8d774994ccde4c9e95643fd2c2705131a
SHA256 hash: f88b4a2bd48ace457c5690445861c16d361a071ae6f50709830a52ed5094db80
MD5 hash: f83bdd44ef3cb1f3c2d0ba6ac6d2bead
SHA1 hash: 53df8bb7b49705f0c8a65abeca1705db77f54e90
SHA256 hash: 8c762d4e92718b1596953e110cf56b67c4914feb70ddd219456b9c41a0f6daac
MD5 hash: d91dcd913aa6e0ec4b4f5d184564c08a
SHA1 hash: 17406ba0e1bffb1af47a1d137cf1b1a21a37b074
SHA256 hash: 70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash: 5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash: 0bc54fd699fff7b93e5c447a141c0d904924ab0d
SHA256 hash: 3659778cc75ed1428fe16a288b28095311ffdc650a1202482376b4f3c04b75f3
MD5 hash: 9daad8a510c67855bc204ebe400a92dc
SHA1 hash: 95f5ffd073bbae37c2f6522527ef61d39412925d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents
Rule name: INDICATOR_SUSPICIOUS_GENInfoStealer
Author: ditekSHen
Description: Detects executables containing common artifacts observed in infostealers
Rule name: MALWARE_Win_QuasarStealer
Author: ditekshen
Description: Detects Quasar infostealer
Rule name: MAL_QuasarRAT_May19_1
Author: Florian Roth
Description: Detects QuasarRAT malware
Reference: https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name: MAL_QuasarRAT_May19_1_RID2E1E
Author: Florian Roth
Description: Detects QuasarRAT malware
Reference: https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments