MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40ac8e128b78d30d49accda865a6ca90a23cf7b7e5f31042c7df55a9fe1b5af4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40ac8e128b78d30d49accda865a6ca90a23cf7b7e5f31042c7df55a9fe1b5af4
SHA3-384 hash: 29caccf77c91f2b900c9f19adfcaf0f7bc5a06de0252f6b8f1ecc19f4c3fbeb84821c94cd94cfffb0c1689e278c89702
SHA1 hash: 4062152e4ce93c4eb94ab02e07ef40a89ed1c2cf
MD5 hash: 84e8d03c10baa648a20afda9b1849614
humanhash: high-bluebird-nevada-pip
File name:40ac8e128b78d30d49accda865a6ca90a23cf7b7e5f31042c7df55a9fe1b5af4
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:2'110'640 bytes
First seen:2020-06-03 09:51:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKY0:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Ye
Threatray 998 similar samples on MalwareBazaar
TLSH 4AA5BE41A3DC82A1CE6A4372BA36DB219B777C692634F70E1ED83D7A3E723521518353
Reporter raashidbhatt
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Generic-6623004-0
Create hunting rule

Win.Dropper.Miner-7086570-0
Create hunting rule

Win.Packed.Autoit-7640561-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.Generic.vh.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Pincav
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 17:09:13 UTC
AV detection:
41 of 48 (85.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=icwi4eulpdjq2snmzwugljwkscrdz55x4xzraqwh35k2t7q3ll2a._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
0fadb9fa2742735b1d7001fd5511627318e45fc51d8798f5b9f4bb20cfbd70e8
QuasarRAT
1f6a8fd32a14dd74a23ad8e588d3543120b254290283d6092693d564ea0fc265
QuasarRAT
25a419f3b2963cf24fda8824b538b67dc73fd2e4d32e73cd5bfdf935c61769dd
QuasarRAT
26cb425375a7613736c367866d0b79b8b7d8845437ec88e87bc83146445f892e
QuasarRAT
764e98acd8f742f4037570abd1aa19d8acf37e22691159f2ab3e380b76437fff
QuasarRAT
b29a1b48648aacf2fe60861692bd0991cf226956ea986b687972667496e1d7d7
QuasarRAT
b3d36e86a478b5223968e34ca51bff54002eb9b1a01ef26d8b657d49dd4dd831
QuasarRAT
d6031bb15fd16cac9b514985035e18f08f0beaaa0542a66274467cb66e76a8fd
QuasarRAT
e2d6b8bc603260f1a7564a044523d230c31c8d873deabb579cae90b88f1b92b9
QuasarRAT
e99398f753e61710eaea626dc778a19fc47a34f103b5ff1daaa0d7ad7f6432c4
QuasarRAT
+ 988 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer trojan
Link:
https://tria.ge/reports/201109-t49eej2g8x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Enumerates connected drives
Looks up external IP address via web service
Maps connected drives based on registry
Loads dropped DLL
Executes dropped EXE
ServiceHost packer
Azorult
Malware Config
C2 Extraction:
http://0x21.in:8000/_az/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MSILStealer
Create hunting rule
Author:https://github.com/hwvs
Description:Detects strings from C#/VB Stealers and QuasarRat
Reference:https://github.com/quasar/QuasarRAT
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments