MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fb34d34eaa6800dce2dce585ec89a9b3f98637c624c8774945af5ad8a37a3e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 21 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3fb34d34eaa6800dce2dce585ec89a9b3f98637c624c8774945af5ad8a37a3e8
SHA3-384 hash: ed9d900eed00564074ce11c4611f811142ec191fbaca55834b1f6ac3677742587c1cc672ff5c5e1e4489d0addd7cb827
SHA1 hash: 6983d00bc9cda93f0da126504d99a851ffef6cea
MD5 hash: f6f83ba3f1e87503941e50b3e50d390f
humanhash: don-twelve-ink-hydrogen
File name:f6f83ba3f1e87503941e50b3e50d390f
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:17'408 bytes
First seen:2023-01-25 04:52:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:O0CqWx4t+dWNzuY7/aAygucwhb6v/uFi:O0CL4sBTguJmei
Threatray 1'024 similar samples on MalwareBazaar
TLSH T17A7217E16A6C4B20F625F77FE8E6ED9447E1F2618C53C81EB88113864D13367CA1E3A0
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
f6f83ba3f1e87503941e50b3e50d390f
Verdict:
Malicious activity
Analysis date:
2023-01-25 04:53:42 UTC
Tags:
opendir evasion trojan quasar
Link:
https://app.any.run/tasks/2b48feab-d2b9-4755-a156-6ff21bda1907

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/356610/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d0b5af696b2d97257451e9/reports/bc09d258-6216-4f3e-84cd-d3ba3ca7e1e5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6f540b66-abf9-48af-adcb-299bb9659654
Result
Threat name:
Blackshades, Quasar, zgRAT
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1158478
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to disable the Task Manager (.Net Source)
Deletes shadow drive data (may be related to ransomware)
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Blackshades RAT
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Quasar RAT
Yara detected RansomwareGeneric
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 791215 Sample: 1x3IHc9N4r.exe Startdate: 25/01/2023 Architecture: WINDOWS Score: 100 68 Multi AV Scanner detection for domain / URL 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus detection for URL or domain 2->72 74 16 other signatures 2->74 7 1x3IHc9N4r.exe 16 6 2->7         started        12 DriverHelp.exe 14 4 2->12         started        14 DriverHelp.exe 2->14         started        process3 dnsIp4 54 justnormalsite.ddns.net 45.14.165.143, 49701, 49704, 49708 VALCANALE-NETIT Germany 7->54 44 C:\Users\user\AppData\...\DriverHelp.exe, PE32 7->44 dropped 46 C:\Users\...\DriverHelp.exe:Zone.Identifier, ASCII 7->46 dropped 48 C:\Users\user\AppData\...\1x3IHc9N4r.exe.log, ASCII 7->48 dropped 76 Encrypted powershell cmdline option found 7->76 78 Writes to foreign memory regions 7->78 80 Injects a PE file into a foreign processes 7->80 16 RegAsm.exe 14 4 7->16         started        20 cmd.exe 1 7->20         started        22 powershell.exe 16 7->22         started        56 192.168.2.1 unknown unknown 12->56 82 Multi AV Scanner detection for dropped file 12->82 84 Machine Learning detection for dropped file 12->84 24 powershell.exe 12->24         started        26 RegAsm.exe 12->26         started        28 RegAsm.exe 12->28         started        30 powershell.exe 14->30         started        32 RegAsm.exe 14->32         started        file5 signatures6 process7 dnsIp8 50 51.89.157.248, 4782, 49703 OVHFR France 16->50 52 ip-api.com 208.95.112.1, 49702, 80 TUT-ASUS United States 16->52 58 May check the online IP address of the machine 16->58 60 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->60 62 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->62 64 Installs a global keyboard hook 16->64 66 Encrypted powershell cmdline option found 20->66 34 powershell.exe 21 20->34         started        36 conhost.exe 20->36         started        38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 30->42         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3fb34d34eaa6800dce2dce585ec89a9b3f98637c624c8774945af5ad8a37a3e8/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-24 07:06:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 39 (48.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h6zu2nhku2aa3trnzzmf5se2tm7zqy34mjgio5eull223crxupua._file
Verdict:
malicious
Similar samples:
05dcdd2a96823d827d1ce2b20ebfa706c2cc0826e73b465b58cd4b16352119fa
QuasarRAT
646677233fdd94e469b50ab7f62c47ad726a1fbc14951c3536cfd920c469eb28
QuasarRAT
74494d60aaa78a3af5ed734f5d981cdf32573eefe4a17be66013af895e2987b4
QuasarRAT
77985fca7ae6b60c8025ba326e3bd1d9949c3fb32b9ca0f99f040be633823a7c
QuasarRAT
8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4
QuasarRAT
d8cacda848bd2a780b1a081222e0eb609794e309b13327fb5fc59231022aba81
QuasarRAT
dbd292797768440abad67a9f72fb0507e910d27904e00cf80ba5c4f65412439f
QuasarRAT
+ 1'014 additional samples on MalwareBazaar
Result
Malware family:
revengerat
Create hunting rule
Score:
  10/10
Tags:
family:quasar family:revengerat botnet:office04 persistence spyware trojan
Link:
https://tria.ge/reports/230125-fhy69seh77/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Quasar RAT
Quasar payload
RevengeRAT
Malware Config
C2 Extraction:
51.89.157.248:4782
Unpacked files
SH256 hash:
3fb34d34eaa6800dce2dce585ec89a9b3f98637c624c8774945af5ad8a37a3e8
MD5 hash:
f6f83ba3f1e87503941e50b3e50d390f
SHA1 hash:
6983d00bc9cda93f0da126504d99a851ffef6cea
Link:
https://www.unpac.me/results/2dbe096d-df81-4479-ba69-9e22d3ff09f7/
Malware family:
xRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3fb34d34eaa6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/3fb34d34eaa6800dce2dce585ec89a9b3f98637c624c8774945af5ad8a37a3e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:CN_disclosed_20180208_KeyLogger_1_RID3227
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:malware_Quasar_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pe_imphash
Create hunting rule
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_1_RID2B54
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2_RID2B55
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:Windows_Trojan_Quasarrat_e52df647
Create hunting rule
Author:Elastic Security
Rule name:win_blackshades_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W
Rule name:xRAT_1_RID2900
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 3fb34d34eaa6800dce2dce585ec89a9b3f98637c624c8774945af5ad8a37a3e8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2517784/
Cape
Cape
https://www.capesandbox.com/analysis/356610/

Comments


Avatar
zbet commented on 2023-01-25 04:52:23 UTC

url : hxxp://62.204.41.88/lend/redline10.exe