MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48d29a8519bd574b03306f6c5e47cc9918d204a4a492acf654ce3acafa59498c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 14



SHA256 hash: 48d29a8519bd574b03306f6c5e47cc9918d204a4a492acf654ce3acafa59498c
SHA3-384 hash: db899f41427d929b20ffdfd823a304593463bd9c53fd9cfe6477fd37c9d482b1cadae41e307de2fa86e692f6de3aa013
SHA1 hash: 400f92c9f55ca3644560b6831eeff393fa901d92
MD5 hash: bad746e94cb27a53eec289c208f2e8fe
humanhash: eleven-london-apart-aspen
File name: 48d29a8519bd574b03306f6c5e47cc9918d204a4a492acf654ce3acafa59498c
Signature QuasarRAT
File size: 2'112'000 bytes
First seen: 2022-03-23 08:04:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYt:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yv
Threatray 6'582 similar samples on MalwareBazaar
TLSH T109A5BE41A3DC82A1CE6A4372BA36DB219B777C692634F70E1ED83D7A3E723521518353
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter JAMESWT_WT
Tags:exe QuasarRAT
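Before analysing a sample pulled from this entry, confirm that what you have on disk is the file the entry describes. The following is an added example, not part of the MalwareBazaar page or its tooling: it recomputes the four cryptographic hashes and the size listed above and reports every field that disagrees. The `ENTRY` values are copied from the table; `verify_file` assumes a local path to the extracted sample.

```python
"""Verify a local file against the hashes published on this MalwareBazaar entry.
Added example; ENTRY is copied from the page, everything else is illustrative."""
import hashlib

# Values as listed in the entry's hash table.
ENTRY = {
    "sha256": "48d29a8519bd574b03306f6c5e47cc9918d204a4a492acf654ce3acafa59498c",
    "sha3_384": "db899f41427d929b20ffdfd823a304593463bd9c53fd9cfe6477fd37c9d482b1cadae41e307de2fa86e692f6de3aa013",
    "sha1": "400f92c9f55ca3644560b6831eeff393fa901d92",
    "md5": "bad746e94cb27a53eec289c208f2e8fe",
    "size": 2112000,
}

ALGORITHMS = ("sha256", "sha3_384", "sha1", "md5")


def digest_all(data: bytes) -> dict:
    """Compute every field the entry publishes, for an in-memory blob."""
    out = {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}
    out["size"] = len(data)
    return out


def verify(data: bytes, expected: dict) -> list:
    """Return the sorted names of fields that do not match; [] means verified."""
    got = digest_all(data)
    return sorted(k for k, v in expected.items() if got.get(k) != v)


def verify_file(path: str, expected: dict = ENTRY, chunk: int = 1 << 20) -> list:
    """Same check, streamed, so a multi-megabyte sample is not read into memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            size += len(block)
            for h in hashers.values():
                h.update(block)
    got = {name: h.hexdigest() for name, h in hashers.items()}
    got["size"] = size
    return sorted(k for k, v in expected.items() if got.get(k) != v)


if __name__ == "__main__":
    import sys
    # Usage: python verify_sample.py <path-to-extracted-sample>
    mismatches = verify_file(sys.argv[1])
    print("verified" if not mismatches else f"mismatch in: {', '.join(mismatches)}")
```

MalwareBazaar serves samples inside a password-protected ZIP archive (password `infected`); hash the extracted executable, not the archive. Any mismatch means you are not looking at this entry's sample, so none of the intelligence on this page applies to the file you hold.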

Intelligence


File Origin
# of uploads: 1
# of downloads: 150
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Creating a file
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
CheckNumberOfProcessor
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm autoit carberp cmd.exe control.exe eventvwr.exe expand.exe explorer.exe greyware hacktool keylogger mmc.exe overlay packed quasar quasarrat rat schtasks.exe shell32.dll stealer vermin xrat
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AZORult Quasar Ramnit
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Behaviour
Behavior Graph:
n/a
Threat name:
Win32.Trojan.MoksSteal
Status:
Malicious
First seen:
2022-03-14 12:29:00 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
36 of 42 (85.71%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:azorult family:quasar botnet:ebayprofiles infostealer spyware trojan
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
AutoIT Executable
Suspicious use of SetThreadContext
Enumerates connected drives
Looks up external IP address via web service
Maps connected drives based on registry
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Azorult
Quasar Payload
Quasar RAT
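Two of the vendor behaviour lists above describe the same dropper chain from different angles: a file is written under %temp% or %AppData%, a process is started from that freshly created file, autorun is set through the Software\Microsoft\Windows\CurrentVersion\Run key, and the new process injects into another process (the second list reports the same thing as "Executes dropped EXE", "Suspicious use of WriteProcessMemory" and "SetThreadContext"). The following is an added example, not part of the MalwareBazaar page or any vendor's detection logic: it correlates Sysmon-style events into that chain and scores it. The events are constructed for the demo; the paths, PIDs and a benign installer control are invented, not telemetry from this sample.

```python
"""Correlate Sysmon-style events into the drop / execute / persist / inject
chain the vendor behaviour lists describe. Added example; the events below
are constructed for the demo and are not telemetry from this sample."""
from collections import defaultdict

# Sysmon event IDs used: 1 ProcessCreate, 8 CreateRemoteThread,
# 11 FileCreate, 13 RegistryEvent (value set).
EVENTS = [
    {"id": 1,  "pid": 1001, "ppid": 500,  "image": r"C:\Users\u\Downloads\invoice.exe"},
    {"id": 11, "pid": 1001, "target": r"C:\Users\u\AppData\Local\Temp\svc.exe"},
    {"id": 1,  "pid": 1002, "ppid": 1001, "image": r"C:\Users\u\AppData\Local\Temp\svc.exe"},
    {"id": 13, "pid": 1002, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
               "value": r"C:\Users\u\AppData\Local\Temp\svc.exe"},
    {"id": 8,  "pid": 1002, "target_image": r"C:\Windows\explorer.exe"},
    # Benign control: an installer writes to Program Files and launches it,
    # with no Run key and no cross-process thread creation.
    {"id": 11, "pid": 2001, "target": r"C:\Program Files\Vendor\app.exe"},
    {"id": 1,  "pid": 2002, "ppid": 2001, "image": r"C:\Program Files\Vendor\app.exe"},
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


def correlate(events):
    """Map each dropper PID to the set of chain stages observed for it."""
    dropped = defaultdict(set)   # writer pid -> lowercased paths it created
    children = {}                # child pid -> (parent pid, lowercased image)
    findings = defaultdict(set)
    for e in events:
        if e["id"] == 11:
            dropped[e["pid"]].add(e["target"].lower())
        elif e["id"] == 1:
            children[e["pid"]] = (e["ppid"], e["image"].lower())
    for pid, (ppid, image) in children.items():
        if image not in dropped.get(ppid, ()):
            continue                 # child image was not written by its parent
        writable = any(s in image for s in USER_WRITABLE)
        findings[ppid].add("exec_dropped_user_writable" if writable else "exec_dropped")
        for e in events:
            if e["pid"] != pid:
                continue
            if e["id"] == 13 and RUN_KEY in e["key"].lower() and e["value"].lower() == image:
                findings[ppid].add("run_key_persistence")
            if e["id"] == 8:
                findings[ppid].add("remote_thread_injection")
    return dict(findings)


def severity(stages):
    """Weighted sum; the full drop/persist/inject pattern scores far above a lone drop-and-run."""
    weights = {"exec_dropped": 1, "exec_dropped_user_writable": 2,
               "run_key_persistence": 3, "remote_thread_injection": 4}
    return sum(weights[s] for s in stages)


if __name__ == "__main__":
    for pid, stages in correlate(EVENTS).items():
        print(pid, severity(stages), sorted(stages))
```

Executing a file you just wrote is what every installer does, which is why the benign control scores low: the signal is the combination with a user-writable drop location, a Run-key value pointing at the dropped image, and a remote thread into a process the dropper did not start.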
Malware Config
C2 Extraction:
5.8.88.191:443
sockartek.icu:443
http://0x21.in:8000/_az/
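The extracted configuration mixes three indicator shapes: a bare IP with port, a domain with port, and a full URL (the `/_az/` path is the AZORult gate that the `family:azorult` tag refers to). The following is an added example, not part of the MalwareBazaar page or any vendor tooling: it turns those three strings into typed IOCs and matches them against DNS, connection and HTTP records, including a subdomain of a listed domain and the listed IP on a different port, which an exact-match lookup would miss. The log records are constructed for the demo and are not from the sample's sandbox run.

```python
"""Turn the entry's extracted C2 indicators into typed IOCs and match them
against constructed DNS / connection / HTTP records. Added example; the log
records are invented for the demo, not output from this sample."""
import ipaddress
from urllib.parse import urlsplit

# Copied from the "C2 Extraction" list on this entry.
C2_EXTRACTION = ["5.8.88.191:443", "sockartek.icu:443", "http://0x21.in:8000/_az/"]


def parse_iocs(entries):
    """Return (set of (ip, port), set of domains, set of (host, port, path))."""
    ips, domains, urls = set(), set(), set()
    for raw in entries:
        if "://" in raw:
            u = urlsplit(raw)
            host = u.hostname.lower()
            urls.add((host, u.port or (443 if u.scheme == "https" else 80), u.path))
            domains.add(host)          # the URL's host is a domain IOC in its own right
            continue
        host, _, port = raw.rpartition(":")
        try:
            ips.add((str(ipaddress.ip_address(host)), int(port)))
        except ValueError:             # not an IP literal, so treat as a domain
            domains.add(host.lower())
    return ips, domains, urls


def domain_hit(name, domains):
    """Exact match or any subdomain of a listed domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


# Constructed records in a Zeek-like shape (dns.log, conn.log, http.log).
LOGS = [
    {"type": "dns",  "src": "10.0.0.5", "query": "sockartek.icu"},
    {"type": "dns",  "src": "10.0.0.5", "query": "cdn.sockartek.icu"},
    {"type": "conn", "src": "10.0.0.5", "dst": "5.8.88.191", "dport": 443},
    {"type": "conn", "src": "10.0.0.7", "dst": "5.8.88.191", "dport": 80},
    {"type": "http", "src": "10.0.0.5", "host": "0x21.in", "dport": 8000, "uri": "/_az/index.php"},
    {"type": "http", "src": "10.0.0.9", "host": "example.org", "dport": 80, "uri": "/_az/"},
]


def match(records, iocs):
    """Return a list of (src, kind, detail) for every record touching a C2 indicator."""
    ips, domains, urls = iocs
    ip_only = {ip for ip, _ in ips}
    hits = []
    for r in records:
        if r["type"] == "dns" and domain_hit(r["query"], domains):
            hits.append((r["src"], "dns", r["query"]))
        elif r["type"] == "conn" and r["dst"] in ip_only:
            exact = (r["dst"], r["dport"]) in ips
            hits.append((r["src"], "conn" if exact else "conn_other_port", f'{r["dst"]}:{r["dport"]}'))
        elif r["type"] == "http":
            for host, port, path in urls:
                if r["host"].lower() == host and r["dport"] == port and r["uri"].startswith(path):
                    hits.append((r["src"], "http", f'{r["host"]}:{r["dport"]}{r["uri"]}'))
    return hits


if __name__ == "__main__":
    for hit in match(LOGS, parse_iocs(C2_EXTRACTION)):
        print(*hit)
```

The path-only request to `example.org/_az/` is deliberately not flagged: a gate path is common to every AZORult build and is only meaningful together with the host from the extracted config. Conversely, the listed IP is reported on any port, because a C2 address re-used on a second port is more likely the same infrastructure than a coincidence.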
Unpacked files
SHA256 hash:
0fe774d249d7c3093dd6b8de1c9c045f6efd4553710d877828e871e1be0e54f4
MD5 hash:
8246d054df8814106a8c11ae6df1e946
SHA1 hash:
8e9e84bd726fd9042fb99139b8c7dd00fccdc0a2
Detections:
win_azorult_g1 win_azorult_auto
Parent samples :
570f6415d2dec01d2fa1616a85636e20b8cb9bd437d4be605704f28568172e31
9b6bd1205d9c3f35fd1e97d34e831af1454faa78338d22cdf507d255250259bc
d9549ad3ed734261a0029adbed59926fed150f14d0e44fb85fa583a9fe6327f3
9ab585c5c9aa389cb859ce05381200cf0949d9543a9634d2cfcde9ff65fe874e
d6925f01c421c035fb4cdb32f6d1c143eede807c8ff264c691501213af9c5aa0
f52d1fc9f4b66a779a6c8c35b63f58546933f40ad39d15287009f44b14986bcb
ff87441fe213e765819165032d00061e5ca6a94905f213e6a4798bd35273a7c3
4d93f781c3e7509fb4a1f962a1752c4d36e5243cae382db1cdcc4064086035c2
8f2ad0a7a9bcd06a6f4dffe37c5bcba72e653f9752c2af2fd22176416cbe12b5
ff1fe4e3fd829fd0146c1e15dbbff49e610e67b6cd55d8135233675c28431f77
e04f76e1a3dae89b31aa188c667e177f38abc85daf2ee7dccaac9d79a2c25f05
454709c8e3b81f6fe53cf0937bb361d951b8ea05706adb0c9ad90118a9c157ee
d3fb7826cbcb6f33fbfcd59d74d77040265017d512477fe34d61f6fb3880b90a
486224ce113ae629b279a03505bd035a762144f3573113e9ca199b4272508cad
ef7887e2a018cf7d973e731609c48c0600cb47329e526f5d6bf50636624c786c
c48cecba8431d80cfa7c6a46e6e7e49de8d031816c09505527874ce113f95df2
4bfc73e59f71614b6344622009eceee0c8b5c0ecb6f9e617676c6d4fe6b76024
cf3223c925614fb3b773a1f3048605b1424e6e954a42065ea4834bbba02abe6d
d4d6982ec8929bd7f596b1c32cc19f8d95430b7e8dafb3994de890761ba1e9de
f28325f4da5423889167b710090cc10a524341a4ae4cd31d6c011f77756d9e17
562b5b8f2b94be983e46ef2e851570371473c03e324d3d951014579c8f566042
5285fc4f59a5847a66117240c59925f42dd6e5c7a17c2e90c49234d7913b6afb
4839f576da58bcfd097c24c5c3ff4d72029377dfd450420e99b745b3deda62bc
8f44f9b4e0716329638b3cf4b2470df57e199e9b66bb58e225aa767d9d48dd7e
94f9f632bad9fa9d923de55c08186af273b060d05bd305212fce8ec782bdad7f
6bb7ee8547b6d468228ef89c407d4abaee8067f0edb58d626b10ff7aba6c1ef3
aa5a4440dab4909f58308d8c80a2d2a0b2edfb56aa4e60aa67e83e9203773a07
4ce95594d4b615d8612589de57a0df0dfc3d059f0bc61f7df4d2bbeefe5323e4
540108c43aa0ca447ad443bdae4995b45c4cb52f523f7c31908f6b062f931a04
07db5ffae9143270d00563a1b95b456633a7c2fa07fe26cbe138a7b233dff180
381c28bd8d6e3538bcdea645faa825012355305a2ea5df8ad4f526b3750484e5
1d4a50a04f528b48ae1eec907ffae079186843b16e29f1488ff3fbc5e9f253f0
afe362f2b4c796b7177aea8bd909fedbe9e22b07dcec38234a454c47264e6b82
96eb8d5baeb832fcb780f73a0528b1ac2a4ae5b6a91517d727e38443129db0a5
7035da8898c0867d775597910d50f55a1428bc4588558319f70b1b219cb067be
f8a421f5b3771603d633527896e9e5d9f566ad88ecfb4f7204c7482966a1653c
ee6cf94ca7b7652517a776b59b503a8cb8c4f30136a28a3967d14b6d8fdd3597
40981ed2079d1c26fa7b1fb1640aa315dfdebd128741fdc1e3629d0e470e9238
ac0c1890dabbd2f119231b92b9a5f4174de5d7a335e91aad2836baf2a647d66c
5bafba82265fc0cd3b3b802850bfc982a7427239f87c364c881591c96c717cb5
6175df01c768533f5c4e3e3d1a49d0770a2dcca9c45ae2d150d95f4ff666b54f
466bd07ba5662c8787479a2ead7d90419ef31c4b61f36b9384968b9ea1822a10
c93d2d7d45d531ead9824e70925767ef0e8adc23f88f05baafb7e6435772db58
ccd68adcb8b8997dfabaf2d2b960d56a9d03e4ffaf8aff1cb6e0a83f948cf850
38da70826e367c9808b135717c5ea31e4e69ef03eef307e958773053508badf3
10bba880bc376e0d2f6578ba5aa30e2145730f9e5f49c95dc15d36f3cf9369b7
773a219eb43af7fb4a56992e11871dbd3463acae0f7a82f12efa25ac84248d13
422d646c28b4fda4b6291e868342895495b714cba76384d01b769db14ead4c79
760d1df67b31599e46ae064d183e44f511acfa7c2d5f6241fe96bf6e484e7dab
f699ae77419a80e03b5113a3f60b5e06a98b304db624c4d331e227555e51b563
3569516ca7fb25dbd76547a0d73e55e201838126e90b4f6aad641e29a87c67eb
4e2212b5c17f53f53984fa67051a2aa386147eba453d51f6bb6798b833c7ad1e
16c80a82f353e2d4ba539b68fd79b969045f03d5f51c0fe3cd0e63c909d69d31
02915d95d547fb99913510cb80de6f84bace739e40fc1aa4a5e5689e7a1ca4d2
efacb905cbe59645ce57ea6ac46d32add5f48278aefd411bf4f53116ca0fb0e0
d064d129468e2dc39658850f39237561aa02ed7c87715c4f3b37ec475904cf04
c468c0cee1e4f984dddcd81bfa0108b6f8fa97f6666ece1df8f912c52109feb9
f4b43bbc941d68dd3f835a9fc776c5b3e4e0e7442836bcd845d31c87acf64be7
96393c19d6a8749a8772ad2cec560aa8715db7f4efc3edc6e33f1d5dc525af3c
30bc6d1024943ded3b3b666c9bebaea8059b6cd06d9af6ec346e113407f439db
b7b94daf07f73603e9cfe3ffc082ce9a63db71e9815c2cf1105d25653bb1d32f
6e46c37c824f13c573fea62962c995f2e614c4751db1102e842033c176014378
d1ad5fd5f6ed1ca6556b80636b019b020755c7b3586c683fcddeb9688ed0017e
2006d79276316eea72f9c19d6169a67fd71eefd25b8e1007d9a72f1a1154b1e5
48d29a8519bd574b03306f6c5e47cc9918d204a4a492acf654ce3acafa59498c
21b45cf293c8b1587d29f4a641b448ff3f817d6c99fa114841858208a0e2ae0a
53cddb13890406ae74bed519674f611b58188fb94b6485d624a60680f6d0b786
c5b1a84308686f8d0009dc18291bb28be36ea5863180cfcf5fa5206e0daa7df5
SHA256 hash:
4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
MD5 hash:
b8ba87ee4c3fc085a2fed0d839aadce1
SHA1 hash:
b3a2e3256406330e8b1779199bb2b9865122d766
SHA256 hash:
48d29a8519bd574b03306f6c5e47cc9918d204a4a492acf654ce3acafa59498c
MD5 hash:
bad746e94cb27a53eec289c208f2e8fe
SHA1 hash:
400f92c9f55ca3644560b6831eeff393fa901d92
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:AutoIT_Compiled
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:Azorult
Author:kevoreilly
Description:Azorult Payload
Rule name:crime_win32_hvnc_banker_gen
Author:@VK_Intel
Description:Detects malware banker hidden VNC
Reference:https://twitter.com/VK_Intel/status/1247058432223477760
Rule name:crime_win32_hvnc_zloader1_hvnc_generic
Author:@VK_Intel
Description:Detects Zloader hidden VNC
Reference:https://twitter.com/malwrhunterteam/status/1240664014121828352
Rule name:dridex_halo_generated
Author:Halogen Generated Rule, Corsin Camichel
Rule name:HiddenVNC
Author:@bartblaze
Description:Identifies HiddenVNC, which can start remote sessions.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:malware_Quasar_strings
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:MALWARE_Win_QuasarRAT
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:Quasar_RAT_1
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_1_RID2B54
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2_RID2B55
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Redline_Stealer_Monitor
Description:Detects RedLine Stealer Variants
Rule name:win_azorult_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.azorult.
