MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48d3e4804c326bea85228d97194d5b803b1226e892219328904e2c788b149e27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 7

Intelligence 7 IOCs YARA 6 File information Comments

SHA256 hash:	48d3e4804c326bea85228d97194d5b803b1226e892219328904e2c788b149e27
SHA3-384 hash:	ce93a200cc60527cf133813881408b2b36d02c969c0f5a25c2d3415fcac336e7ac973a6c4cc448242ec133d68c04acae
SHA1 hash:	3c2b1bed10c63b18eff5353ac70887e167f25886
MD5 hash:	2dff754a074a710bdc61cf268fd6baf8
humanhash:	ack-delta-violet-paris
File name:	48d3e4804c326bea85228d97194d5b803b1226e892219328904e2c788b149e27
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	514'048 bytes
First seen:	2020-11-09 21:41:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:wTEgdc0Y1ebGbXOsA6j1RdhiTrdv91lCJchdXcECcb8F93xaqYEkHcTR3u:wTEgdfYdA6KkUSHPYcdu
Threatray	16 similar samples on MalwareBazaar
TLSH	51B46D8027F88A2BE1AE57B9ECB144206BF4F407BA67EB4F4540B1F92D667069D40773
Reporter	seifreed
Tags:	QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Packed.Downeks-6898097-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the Program Files subdirectories

Launching a process

Creating a process from a recently created file

Creating a file

Changing a file

Setting a keyboard event handler

Connection attempt

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/48d3e4804c326bea85228d97194d5b803b1226e892219328904e2c788b149e27/

Threat name:

ByteCode-MSIL.Trojan.Perseus

Status:

Malicious

First seen:

2020-11-10 00:50:05 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jdj6jacmgjv6vbjcrwlrstk3qa5rejxisiqzgkeqjywhrcyutytq._file

Verdict:

malicious

QuasarRAT

28781eb82584acf1dcfc5fb193e27152c5a57bed3a0c249f490759b5c1e84b9b

QuasarRAT

3a83d1211c8a9235a72f0dcea5c36ec53a99ed83340e35097e7f41773bc8fb3f

QuasarRAT

41c11b942c8abb394d9ee8b14bdd4edb229962db1b1efff70b36706dbf7f5fba

QuasarRAT

585e4146923404bbe11c2cf5a423e2650a5d133541e9baeacb64a4d675f6484d

QuasarRAT

5ba0344c196d2605e844a2b15cff5c93412d58e9ca5c8446c468fa768604242d

QuasarRAT

a62e4e1d21bdc64eea17d8bbc4ab5e6c48dc57abbb470322c3357abdef15341f

QuasarRAT

ac4d3acc896cc3fd6e4ba14547572dfc0447f47f2c29c28a170db4b0169c6e2f

QuasarRAT

d3922882bfee49abb72584b9d5918f3787221fa40b7f552c98d7bc0e55833234

QuasarRAT

ee2e84f75b0b6043c2a2e3b84bdeabc0be4a4a1e4c6ec6a3ff255963b545425d

QuasarRAT

+ 6 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-d4e3nhnnte/

Behaviour

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Downeks

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/48d3e4804c326bea85228d97194d5b803b1226e892219328904e2c788b149e27

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Vermin_Keylogger_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Vermin Keylogger
Reference:	https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample