MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 421cde677434a520708c647a5709ee40ac8ac0a13e8a7c68ad4997c7f1e040b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 13



SHA256 hash: 421cde677434a520708c647a5709ee40ac8ac0a13e8a7c68ad4997c7f1e040b1
SHA3-384 hash: 83e896cbc6d10af62083f287ab225504487885229e57fbc519f7e4543e07328be205f98bfb60d95f80c1bb5703c6aca1
SHA1 hash: b2a0d2eda56b57e51e79ffe3770a6ce1efcf506e
MD5 hash: 97d5925e201cf4f8032877ac83e7d534
humanhash: carpet-batman-uniform-glucose
File name: 421cde677434a520708c647a5709ee40ac8ac0a13e8a7c68ad4997c7f1e040b1
Signature: QuasarRAT
File size: 1'532'461 bytes
First seen: 2022-07-08 11:34:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 24576:ahvJVJdMpzt7QBLvJZVaNtLglDJ/HmpwHPfToJEMpL25Nxq2agL9JKoJAATrVL:K3d2ENJ36LIDJvWwkJu5NxqLgL9JKoJz
TLSH: T1F26523CEBA8042F2D67049315829B535F5397C352B10899FB3887C6FB6325D0A736BA7
TrID: 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 78c0db4cea7aa0fc (33 x AveMariaRAT, 23 x QuasarRAT, 1 x Loki)
Reporter: adrian__luca
Tags: exe QuasarRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 240
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 421cde677434a520708c647a5709ee40ac8ac0a13e8a7c68ad4997c7f1e040b1
Verdict: Malicious activity
Analysis date: 2022-07-08 11:33:48 UTC
Tags: evasion trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% directory
Running batch commands
Creating a process from a recently created file
Launching a process
Launching a service
Creating a file
Changing a file
Delayed writing of the file
Modifying a system executable file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Creating a process with a hidden window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 60%
Tags: greyware overlay packed scar setupapi.dll shdocvw.dll shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph: (graph image not reproduced) ID 659666; sample fNIxTc1AxV; start date 08/07/2022; architecture WINDOWS; score 100. Hosts contacted in the graph: topimoiofnfiomog.freedynamicdns.org, ip-api.com (208.95.112.1, TUT-ASUS, United States), 192.168.2.1. Files dropped in the graph: C:\Users\user\AppData\Roaming\gnm.sfx.exe (PE32), C:\Users\user\AppData\Roaming\gnm.exe (PE32), C:\Users\user\AppData\Roaming\...\updates.exe (PE32). Processes shown: fNIxTc1AxV.exe, gnm.sfx.exe, gnm.exe, updates.exe, cmd.exe, conhost.exe, chcp.com, PING.EXE, schtasks.exe, WerFault.exe.
Threat name: ByteCode-MSIL.Trojan.Heracles
Status: Malicious
First seen: 2022-06-27 17:42:00 UTC
File Type: PE (Exe)
Extracted files: 15
AV detection: 16 of 25 (64.00%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:quasar botnet:toon spyware suricata trojan
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Quasar RAT
Quasar payload
suricata: ET MALWARE Common RAT Connectivity Check Observed
Malware Config
C2 Extraction:
topimoiofnfiomog.freedynamicdns.org:64890
yerrionminutes.freedynamicdns.org:64890
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: suspicious_sfx_files_simple_rule
Author: Razvan.A.B
Description: Detects suspicious files containing sfx
Rule name: suspicious_sfx_files_size_rule
Author: Razvan.A.B
Description: Detects suspicious files containing sfx

File information


The table below shows additional information about this malware sample such as delivery method and external references.
