MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42e5b76705daee37d79456402795f0353bcd7eecbdcecfa863a5179dafe3c967. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	42e5b76705daee37d79456402795f0353bcd7eecbdcecfa863a5179dafe3c967
SHA3-384 hash:	000326cac299f89bf548e27eb6f08756c80cbffbe3934d4f7aefb82ef12276ef94717d7e73c04317fedaaa79f6256eab
SHA1 hash:	5a5ab0ffe753a9f278a44fc92f219cf7efd86b71
MD5 hash:	dd8c70113c9c68b1eaafe290014e1037
humanhash:	kilo-carpet-kentucky-pennsylvania
File name:	dd8c70113c9c68b1eaafe290014e1037.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	39'424 bytes
First seen:	2022-01-31 12:18:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	384:F52WmPNLobsqTd/LULrGH3bOvitQwkc1gdZinnnGODdreUVnjOo1wdQNoMxDWt8j:mWmobbYTqtIRWnnnPreUVnjO6wGNjz
Threatray	4'961 similar samples on MalwareBazaar
TLSH	T12303B746F750E5B8D97D4F38CC52DAE05E352D42D950869B30E07E8F6CB42602633EAE
File icon (PE):
dhash icon	00e8e0f8e8e8e800 (1 x QuasarRAT)
Reporter	abuse_ch
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

187

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Dekont.xls

Verdict:

Malicious activity

Analysis date:

2022-01-31 09:35:30 UTC

Tags:

macros macros-on-open maldoc-5 evasion trojan

Link:

https://app.any.run/tasks/91ab544b-d2ea-4afc-9e40-13f8e96cc991

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/228423/

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Running batch commands

DNS request

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

cmd.exe obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/61f7d381fc92af0d80a82144/reports/654ba486-bb57-4460-979b-5e701c3ccf9c/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5b0bb1d6-d1c6-4ef7-907a-9ae69230f0fe

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/930818

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/42e5b76705daee37d79456402795f0353bcd7eecbdcecfa863a5179dafe3c967/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-31 12:18:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Verdict:

malicious

QuasarRAT

55560b608e7a7515329d395c72dc9cebc5cdd7b4c0f153d6e02eb74c2a609feb

QuasarRAT

6407591df6ce61f946e24715faa6fba1b1f3221e2baf22f6c4f5a64f1ea98eb5

QuasarRAT

6e4b969192c1648bf70e8a371d404eb2c612c6d1868141bfcd15ee165bdb0715

QuasarRAT

72c173db6d117938cd5ac0615728a10ec8fad24a57707f362122f8dc36536ccd

QuasarRAT

88019b018015f33c8ca9290a531027e90eae517f6b590fb1711de81ff222ed98

QuasarRAT

affd6e89b3357f6a8418ceb96c5a101eb38ea0af16b2d8a0ac256459130740ff

QuasarRAT

bcdcaf81b3d7d4434c2a0caf687317a8b641d0a7f6b32a9130e4ccbf289d2eb6

QuasarRAT

caa57a0d7208775ee50b80b88384a83804e8b132229162b88db9a3a57abb7acb

QuasarRAT

+ 4'951 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar botnet:remote2 persistence spyware trojan

Link:

https://tria.ge/reports/220131-pgmarahbbq/

Behaviour

Delays execution with timeout.exe

Modifies data under HKEY_USERS

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Sets service image path in registry

Quasar Payload

Quasar RAT

Malware Config

C2 Extraction:

thomasfunte.zapto.org:64779
yncesucesss.chickenkiller.com:64779

Unpacked files

SH256 hash:

42e5b76705daee37d79456402795f0353bcd7eecbdcecfa863a5179dafe3c967

MD5 hash:

dd8c70113c9c68b1eaafe290014e1037

SHA1 hash:

5a5ab0ffe753a9f278a44fc92f219cf7efd86b71

Link:

https://www.unpac.me/results/1dde1cfd-6577-4e66-84ea-393a3a610316/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/42e5b76705daee37d79456402795f0353bcd7eecbdcecfa863a5179dafe3c967

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_PE_Discord_Attachment_Oct21_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:	Internal Research