MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40ba4a68575cda8b4da56ef2efae3f3c217bf7b78d68c29086e86d324d3ebffa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments 1

SHA256 hash:	40ba4a68575cda8b4da56ef2efae3f3c217bf7b78d68c29086e86d324d3ebffa
SHA3-384 hash:	1785672b3ef3505fc141d3fe886d385585275e7a34aa19ec7dcf8445c4f1ab9c52d0e8dd410d5d10f7656bc8167c15bb
SHA1 hash:	eedcf0f081c78adfcefe3e9208bc83b252f1b4aa
MD5 hash:	78f7efed48c531657b84cd66911c7eef
humanhash:	mango-early-pasta-april
File name:	78f7efed48c531657b84cd66911c7eef
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	619'520 bytes
First seen:	2024-04-14 07:27:10 UTC
Last seen:	2024-04-14 08:29:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:JvqsfIozrJqppjn1rmq12WaD+1Fri1xbcR:h9vrMjn1r5aCjg9cR
Threatray	319 similar samples on MalwareBazaar
TLSH	T14FD45A5586068482F6D31772482D5AB044DA3FBCA4793101FC92FB5598FBDBBC0A2B7E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	16f4f1b336c4e029 (1 x QuasarRAT)
Reporter	zbetcheckin
Tags:	32 exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

353

Origin country :

Vendor Threat Intelligence

Malware family:

quasar

ID:

File name:

40ba4a68575cda8b4da56ef2efae3f3c217bf7b78d68c29086e86d324d3ebffa.exe

Verdict:

Malicious activity

Analysis date:

2024-04-14 07:27:50 UTC

Tags:

evasion rat quasar remote stormkitty

Link:

https://app.any.run/tasks/fb918e65-0c40-4504-b388-97c1a91b0637

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Сreating synchronization primitives

Creating a process from a recently created file

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Launching a process

Setting a keyboard event handler

Sending a custom TCP request

Reading critical registry keys

Running batch commands

Launching the process to change network settings

Searching for synchronization primitives

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

nanocore packed

Link:

https://www.filescan.io/uploads/661b8584b6333d443cce13cf/reports/4ad02388-7c21-4510-961d-b031d8a57b98/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/40ba4a68575cda8b4da56ef2efae3f3c217bf7b78d68c29086e86d324d3ebffa

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Stealerium Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ce35f3c6-a580-4097-a393-f20546934bdb

Result

Threat name:

AsyncRAT, Blackshades, Quasar, StormKitt

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1425707

Signature

.NET source code contains potential unpacker

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Deletes shadow drive data (may be related to ransomware)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Capture Wi-Fi password

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal WLAN passwords

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected AsyncRAT

Yara detected Blackshades RAT

Yara detected Generic Downloader

Yara detected Quasar RAT

Yara detected RansomwareGeneric

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected WorldWind Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/40ba4a68575cda8b4da56ef2efae3f3c217bf7b78d68c29086e86d324d3ebffa

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/40ba4a68575cda8b4da56ef2efae3f3c217bf7b78d68c29086e86d324d3ebffa/

Threat name:

ByteCode-MSIL.Backdoor.AsyncRAT

Status:

Malicious

First seen:

2024-04-10 20:22:52 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ic5eu2cxltniwtnfn3zo7lr7hqqxx55xrvumfeeg5bwtetj6x75a._file

Verdict:

malicious

QuasarRAT

8c8bc051a42578631ab04380a0daef57e67abd8cf1a272e75213285929a74c5e

QuasarRAT

e131950a925158b637f77523a77a2c5566f5b4b102a84a703b979b603e199ce4

QuasarRAT

ec09b2c859db05f126fe206dfbc586fcde34d159946601bdd5a48911fe057132

QuasarRAT

+ 309 additional samples on MalwareBazaar

Result

Malware family:

stormkitty

Score:

10/10

Tags:

family:asyncrat family:quasar family:stormkitty botnet:default rat spyware stealer trojan

Link:

https://tria.ge/reports/240414-janbkshg8s/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Drops desktop.ini file(s)

Looks up external IP address via web service

Looks up geolocation information via web service

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Async RAT payload

AsyncRat

Quasar RAT

StormKitty

StormKitty payload

Malware Config

C2 Extraction:

127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808

Unpacked files

SH256 hash:

d7aa8af80cea9de8d9800baf65fe78251e4621df74fafdada24c87ea5226704c

MD5 hash:

86065e0ba99822dbf546c5dab6bb67ad

SHA1 hash:

0a06e21353cb5c43f45fca49e19028a88063f928

Detections:

Quasar_RAT_2

Vermin_Keylogger_Jan18_1

Quasar_RAT_1

xRAT_1

win_quasarrat_j1

Link:

https://www.unpac.me/results/43a814b7-d545-4cc2-9b71-3bdee85138a5/

SH256 hash:

4ff2fde65efb563f5e895f398ed45ef76ae9284a31ffbe5f15494979fce2915a

MD5 hash:

03c26f9adbebd81f75300a22979d475e

SHA1 hash:

8d10f68a2ef94e2cd9fbb015bf7885a71d9709bd

Detections:

WorldWindStealer

win_asyncrat_w0

INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

SUSP_NET_Msil_Suspicious_Use_StrReverse

INDICATOR_SUSPICIOUS_EXE_Discord_Regex

INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

cn_utf8_windows_terminal

INDICATOR_SUSPICIOUS_EXE_References_VPN

MALWARE_Win_WorldWind

INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

MALWARE_Win_Multi_Family_InfoStealer

MALWARE_Win_StormKitty

INDICATOR_SUSPICIOUS_EXE_CC_Regex

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

asyncrat

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/43a814b7-d545-4cc2-9b71-3bdee85138a5/

SH256 hash:

1b1bd40cb888ad62de1159c1ffbf00e25385ea44a3275d4b062692cde9200951

MD5 hash:

bab911b977f652767b210317cda9cb93

SHA1 hash:

4b926f9542f8a1f0c985fb71a640b328e2c8f212

Link:

https://www.unpac.me/results/43a814b7-d545-4cc2-9b71-3bdee85138a5/

SH256 hash:

dcb51777d90bae3e8f983bbdc038737a623fba71571f80094c181594b5d1320a

MD5 hash:

7d22c6c9d4f8937720802e3c1653fb3b

SHA1 hash:

b59791edc350ffcc01ccf50efed7e91ac901d90a

Link:

https://www.unpac.me/results/43a814b7-d545-4cc2-9b71-3bdee85138a5/

SH256 hash:

40ba4a68575cda8b4da56ef2efae3f3c217bf7b78d68c29086e86d324d3ebffa

MD5 hash:

78f7efed48c531657b84cd66911c7eef

SHA1 hash:

eedcf0f081c78adfcefe3e9208bc83b252f1b4aa

Link:

https://www.unpac.me/results/43a814b7-d545-4cc2-9b71-3bdee85138a5/

Malware family:

AsyncRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/40ba4a68575c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/40ba4a68575cda8b4da56ef2efae3f3c217bf7b78d68c29086e86d324d3ebffa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

exe 40ba4a68575cda8b4da56ef2efae3f3c217bf7b78d68c29086e86d324d3ebffa

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2811712/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2024-04-14 07:27:11 UTC

url : hxxp://193.233.132.167/lend/st200.exe