MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36e218a56b1ac20ad3a0f11aa704594c103e497d7ef0bce75279f73b978858c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	36e218a56b1ac20ad3a0f11aa704594c103e497d7ef0bce75279f73b978858c3
SHA3-384 hash:	2bae1435793f484cce93dc67dc71f8125ac14978cdeb0e0ba726b0145aedeec964bd149b2891b50d4e5ae28086bdd334
SHA1 hash:	b3982d18f73e06118ccb3e49c999ff2e68102e2d
MD5 hash:	110acf84cc496110193a75f3a75082c7
humanhash:	spaghetti-cup-south-india
File name:	aklsjdsad.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	9'828'992 bytes
First seen:	2024-01-26 14:00:41 UTC
Last seen:	2024-01-26 15:26:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b40f29cd171eb54c01b1dd2683c9c26b (45 x GuLoader, 16 x RemcosRAT, 15 x VIPKeylogger)
ssdeep	196608:0UjjAsZXxF1cWUvjzJF08vS5Hwb7GLejMH1qWeuH3:tQsXhwnJF/U47GiMV
TLSH	T12BA63384E7579DE6FB08C47593B2D174FE619D841332292FA3C83C2B796909ACB16077
TrID	92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133) 3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 1.1% (.EXE) Win64 Executable (generic) (10523/12/4) 0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	c4d4c4d4e8709271 (1 x QuasarRAT)
Reporter	Anonymous
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

335

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/473068/

Detection(s):

SecuriteInfo.com.FileRepMalware.22007.14967.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Creating a file in the %temp% subdirectories

Sending a custom TCP request

Delayed reading of the file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/65b3bb1f87258803c2406019/reports/50a122d9-9070-4427-a932-626b8acb2336/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/36e218a56b1ac20ad3a0f11aa704594c103e497d7ef0bce75279f73b978858c3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a181591e-f224-4cac-8bdc-9df81d9a00a5

Score:

20%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/36e218a56b1ac20ad3a0f11aa704594c103e497d7ef0bce75279f73b978858c3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/36e218a56b1ac20ad3a0f11aa704594c103e497d7ef0bce75279f73b978858c3/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2024-01-26 14:01:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

6 of 24 (25.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g3rbrjlldlbavu5a6enkobczjqid4sl5p3ylzz2sph3txf4ildbq._file

Verdict:

malicious

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar botnet:developer spyware trojan

Link:

https://tria.ge/reports/240126-rbjnsafcd3/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks QEMU agent file

Loads dropped DLL

Quasar RAT

Quasar payload

Malware Config

C2 Extraction:

iniwork.4cloud.click:1980

Unpacked files

SH256 hash:

3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac

MD5 hash:

cf85183b87314359488b850f9e97a698

SHA1 hash:

6b6c790037eec7ebea4d05590359cb4473f19aea

Link:

https://www.unpac.me/results/e8ee157d-e5fd-4397-b28a-4541a40f9891/

SH256 hash:

36e218a56b1ac20ad3a0f11aa704594c103e497d7ef0bce75279f73b978858c3

MD5 hash:

110acf84cc496110193a75f3a75082c7

SHA1 hash:

b3982d18f73e06118ccb3e49c999ff2e68102e2d

Link:

https://www.unpac.me/results/e8ee157d-e5fd-4397-b28a-4541a40f9891/

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/36e218a56b1a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Quasar

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/36e218a56b1ac20ad3a0f11aa704594c103e497d7ef0bce75279f73b978858c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_SliverFox_String Create hunting rule
Author:	huoji
Description:	Detect files is `SliverFox` malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/473068/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample