MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42141ee67236cf596950e3aeebc96b436471ab41d3740f56c4ee5b6029f3a38c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42141ee67236cf596950e3aeebc96b436471ab41d3740f56c4ee5b6029f3a38c
SHA3-384 hash: e631e9838a157b0f82cf01cd2cd5f6a29054b2f5bf3be63fcc77094485dfda3647f6e919dcd36f325c8eef27057083eb
SHA1 hash: 5dccde029dacff9f42336c7975447a3f7e5a42cf
MD5 hash: 70e97b8ae8f08c3f8c2cbf4d81192cf0
humanhash: london-low-alabama-two
File name:70e97b8ae8f08c3f8c2cbf4d81192cf0
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:518'144 bytes
First seen:2021-06-24 09:48:46 UTC
Last seen:2021-06-24 10:44:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:BhHbg7n2c3STUFRVT0PyUWZKCap77DBiSuFH2U:BVg7n2c3SSV4yUYKDDBiSuFH2U
Threatray 61 similar samples on MalwareBazaar
TLSH B0B425908EDFDEDEC26F227FA00A0C8618DEC3560787A2E59B465D35F7901239D661E3
Reporter zbetcheckin
Tags:32 exe QuasarRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
70e97b8ae8f08c3f8c2cbf4d81192cf0
Verdict:
Malicious activity
Analysis date:
2021-06-24 09:49:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/04372586-5c13-4e1d-957d-40c58f221a7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167968/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.835.6501.20044.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c42163bd-bad8-4504-8343-2fbb21f99d50
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807357
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 439767 Sample: 2JafQEfZiu Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 37 con.microgent.ru 2->37 53 Multi AV Scanner detection for domain / URL 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 5 other signatures 2->59 7 NVC.exe 5 2->7         started        11 2JafQEfZiu.exe 1 7 2->11         started        13 NVC.exe 2 2->13         started        signatures3 process4 file5 25 C:\Users\user\AppData\Local\Temp25VC.exe, PE32 7->25 dropped 27 C:\Users\user\...27VC.exe:Zone.Identifier, ASCII 7->27 dropped 61 Antivirus detection for dropped file 7->61 63 Multi AV Scanner detection for dropped file 7->63 65 Machine Learning detection for dropped file 7->65 15 NVC.exe 2 7->15         started        29 C:\Users\user\AppData\...\2JafQEfZiu.exe, PE32 11->29 dropped 31 C:\Users\user\AppData\Local31VC.exe, PE32 11->31 dropped 33 C:\Users\...\2JafQEfZiu.exe:Zone.Identifier, ASCII 11->33 dropped 35 2 other malicious files 11->35 dropped 67 Writes to foreign memory regions 11->67 69 Allocates memory in foreign processes 11->69 71 Injects a PE file into a foreign processes 11->71 19 2JafQEfZiu.exe 2 11->19         started        21 NVC.exe 2 13->21         started        23 NVC.exe 13->23         started        signatures6 process7 dnsIp8 39 192.168.2.1 unknown unknown 15->39 45 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->45 41 societyf500.ddns.net 91.109.190.5, 49748, 49753, 49756 IELOIELOMainNetworkFR France 19->41 43 con.microgent.ru 195.133.40.220, 49745, 49749, 49754 SPD-NETTR Russian Federation 19->43 47 Antivirus detection for dropped file 19->47 49 Multi AV Scanner detection for dropped file 19->49 51 Machine Learning detection for dropped file 19->51 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/42141ee67236cf596950e3aeebc96b436471ab41d3740f56c4ee5b6029f3a38c/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-20 03:10:00 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iikb5ztsg3hvs2kq4oxoxsllinshdk2b2n2a6vwe5znwakptuoga._file
Verdict:
malicious
Similar samples:
3a83d1211c8a9235a72f0dcea5c36ec53a99ed83340e35097e7f41773bc8fb3f
QuasarRAT
3bdfd4cd7aacdefa4ab159a25b056056fd011b9ad60fc2166adbb41c5610b044
QuasarRAT
6e6db1ad82efc117c9a344dea662fc8fe8742999af83276fd534c57d8991b971
QuasarRAT
7ba2419d74a5a9c7ef362bf40d0e1563bd02fd16fada16c8da39cf178c6306be
QuasarRAT
85e13a72f67635d8590b1952332a37371f5f06400cedd60cd8c85415a051c031
QuasarRAT
99afe1ad454edbf82e2427bf8ba498c775be2bf11959adaa15952c9668b67dfb
QuasarRAT
aeadf6653dae8d5604cd66d04c621d58809877b0c01df913718184d1306550f5
QuasarRAT
c4eddae996c1704f9a4470ed2f591b48c25e0a6bac1211c897ef7012f121fd23
QuasarRAT
ee2e84f75b0b6043c2a2e3b84bdeabc0be4a4a1e4c6ec6a3ff255963b545425d
QuasarRAT
fb30ae8d4bcce71593ae5da2277634ad9ccf2964f1dc7f9997872b498753aa74
QuasarRAT
+ 51 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar persistence spyware trojan
Link:
https://tria.ge/reports/210624-fp95eb16wa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Quasar Payload
Quasar RAT
Unpacked files
SH256 hash:
64d8be0c81382e0d54e17df11313898e682c5b6f64ba2fcbacc50bce4861e71d
MD5 hash:
6f21d42e69f3ed9e73a14578f8aba9e2
SHA1 hash:
75379e7973f7921b40dbce900fc920d6bac6b9d5
Link:
https://www.unpac.me/results/0f4774a6-6360-4d76-80ea-123357ccbabc/
SH256 hash:
e7ed506e5c40adc79d695d6ae98217fe975f58a3d5ee2359a2e7f2a4682d5407
MD5 hash:
f1edf6ffac36543476c39fbc71f2ff9f
SHA1 hash:
38f0db167482141a062a9b97119af629acb28491
Link:
https://www.unpac.me/results/0f4774a6-6360-4d76-80ea-123357ccbabc/
SH256 hash:
e0dc68bbcc09ba84b870c54e26acc0c86ae594a7339707189c6f84a41061c129
MD5 hash:
6d61dcb9c669a0b69b3356b1e78c6606
SHA1 hash:
29f2d13352a1e1ef62cfba44ecd7fc4a5b1ec9bb
Link:
https://www.unpac.me/results/0f4774a6-6360-4d76-80ea-123357ccbabc/
SH256 hash:
42141ee67236cf596950e3aeebc96b436471ab41d3740f56c4ee5b6029f3a38c
MD5 hash:
70e97b8ae8f08c3f8c2cbf4d81192cf0
SHA1 hash:
5dccde029dacff9f42336c7975447a3f7e5a42cf
Link:
https://www.unpac.me/results/0f4774a6-6360-4d76-80ea-123357ccbabc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/42141ee67236cf596950e3aeebc96b436471ab41d3740f56c4ee5b6029f3a38c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 42141ee67236cf596950e3aeebc96b436471ab41d3740f56c4ee5b6029f3a38c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1394285/
Cape
Cape
https://www.capesandbox.com/analysis/167968/
  
URLhaus
https://urlhaus.abuse.ch/url/1395947/

Comments