MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 371aab310f82dd4f64f09981c1d3d8974f18227c98679af43bd0559ec6752dde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 8



SHA256 hash: 371aab310f82dd4f64f09981c1d3d8974f18227c98679af43bd0559ec6752dde
SHA3-384 hash: 630bb9a8d78754a7de8ce2ea48350b420aee7fca813f46c1ab9611a5c0580446145d3e49d581ad6532042e703baffc0a
SHA1 hash: 5b63c4438578a99dcdfbe681d86d5914b33b6169
MD5 hash: 04a99f5b0aee36834546d1482a21d798
humanhash: oscar-speaker-neptune-hydrogen
File name: 04a99f5b0aee36834546d1482a21d798
Signature: QuasarRAT
File size: 72'192 bytes
First seen: 2021-08-30 04:08:45 UTC
Last seen: 2021-08-30 05:24:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 47b0da2d13e0214f54c3bd05550e8319 (1 x QuasarRAT, 1 x CoinMiner, 1 x Adware.Generic)
ssdeep: 1536:JqcmDHE9l2jV5onOelkT57Y0S73jQSlfYG8Jg:3Hcolp0kf1Yfg
Threatray: 15 similar samples on MalwareBazaar
TLSH: T170635A43B6C20772C68146B185A239BAD775DB3A87165FC7D318D983DEA40F1CC722EA
Reporter: zbetcheckin
Tags: 32 exe QuasarRAT

Intelligence


File Origin
# of uploads: 2
# of downloads: 109
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 04a99f5b0aee36834546d1482a21d798
Verdict: No threats detected
Analysis date: 2021-08-30 04:14:43 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Sending a UDP request
DNS request
Connection attempt
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Replacing files
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Sending a custom TCP request
Downloading the file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Threat name: Unknown
Detection: malicious
Classification: adwa.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Powershell Defender Exclusion
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph (ID: 473663; Sample: JXuFklFMgb; Startdate: 30/08/2021; Architecture: WINDOWS; Score: 100). Recoverable information from the graph:
Root signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; 5 other signatures
Processes started from root: JXuFklFMgb.exe, svchost.exe, svchost.exe, 10 other processes
JXuFklFMgb.exe: dropped C:\Users\user\AppData\Local\Temp\...\3018.bat (ASCII); started cmd.exe
svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall); connection to 127.0.0.1
cmd.exe: Suspicious powershell command line found; Tries to download and execute files (via powershell); Adds a directory exclusion to Windows Defender; started powershell.exe, IPTV-TOOLS-BY-MANZERA-AYENA.exe, powershell.exe, 19 other processes
powershell.exe: Drops PE files to the startup folder; Powershell drops PE file
IPTV-TOOLS-BY-MANZERA-AYENA.exe: dropped C:\Users\user\...\System.Data.SQLite.dll (PE32); Machine Learning detection for dropped file
powershell.exe: network connection to www.uplooder.net 172.67.159.16:443 (CLOUDFLARENETUS, United States); dropped C:\Users\...\IPTV-TOOLS-BY-MANZERA-AYENA.exe (PE32)
Other processes: dropped C:\Users\user\AppData\...38otepad_u.exe (PE32+), C:\Users\user\AppData\...xplorer_u.exe (PE32+), C:\Users\user\AppData\...\Conhost_u.exe (PE32+)
Threat name: Win32.Trojan.Boxter
Status: Malicious
First seen: 2021-08-29 19:29:54 UTC
AV detection: 16 of 28 (57.14%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags:
family:quasar botnet:titaniummc evasion spyware trojan
Behaviour
Delays execution with timeout.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Sets file to hidden
Quasar Payload
Quasar RAT
Malware Config
C2 Extraction: haberci.ddns.net:55501
Dropper Extraction:
https://www.uplooder.net/f/tl/50/5a7738ca5a4ef2f8e6ca8176c4b19309/IPTV-TOOLS-BY-MANZERA-AYENA.exe
https://www.uplooder.net/f/tl/97/292e50f9634017a81374cd6072e5f150/Explorer-uninstaller.exe
https://www.uplooder.net/img/image/97/c11c62d5eb22c23bda1e0822b498c028/conhost-uninstaller.png
https://www.uplooder.net/img/image/64/afe1378587588874f2cd7088cfe56b13/Notepad-uninstaller.png
https://www.uplooder.net/f/tl/90/70cb04997dd8db769f55cae125ee424e/svchost.exe
https://www.uplooder.net/f/tl/5/f37d6b3bf16189104c1ca9ce9103217a/Notepad.EXE
Unpacked files
SHA256 hash: 371aab310f82dd4f64f09981c1d3d8974f18227c98679af43bd0559ec6752dde
MD5 hash: 04a99f5b0aee36834546d1482a21d798
SHA1 hash: 5b63c4438578a99dcdfbe681d86d5914b33b6169
Detections: win_koadic_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_koadic_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.koadic.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 371aab310f82dd4f64f09981c1d3d8974f18227c98679af43bd0559ec6752dde

(this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2021-08-30 04:08:46 UTC

url : hxxps://www.uplooder.net/f/tl/24/eda12b0cde9bc2f7e7ddfa53e5747a27/svchost.exe