MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a3a8abd7f6d5fd9adfb51703085e839781cffc341705123be40b0c146dcf0a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 8 File information Comments

SHA256 hash:	4a3a8abd7f6d5fd9adfb51703085e839781cffc341705123be40b0c146dcf0a9
SHA3-384 hash:	adde3512476e9005a5a0a7a06f5a0840c151ecdf2171b40608e9d1ca6d2ffd3d1c40c30d84df90cd715c1b82be74c3d2
SHA1 hash:	dd4a9ddf2b84b3f500cc4a54f08aac1c00fc54cc
MD5 hash:	97532a90b14c6d0084fa2193982358bf
humanhash:	stairway-beer-bulldog-four
File name:	shitgame.bin
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	514'048 bytes
First seen:	2022-06-20 17:16:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep	6144:JTEgdc0YtX7IxUpGREWCvnfneqgZXrO1uvkAlcEY3fb8FgEjOjlhTcZ96cTR3J:JTEgdfY2xUZmXDE8HjM7Ta96cdJ
Threatray	1'549 similar samples on MalwareBazaar
TLSH	T195B46D4067F88527E1AE577AE87104319BF5F807B26BEF4F4A40A2F92C6670A9D40773
TrID	53.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 12.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 9.6% (.SCR) Windows screen saver (13101/52/3) 7.7% (.EXE) Win64 Executable (generic) (10523/12/4) 4.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter	KdssSupport
Tags:	exe QuasarRAT

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
67.241.61.219:4782	https://threatfox.abuse.ch/ioc/717234/

Intelligence

File Origin

# of uploads :

# of downloads :

301

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

quasar

ID:

File name:

shitgame.exe

Verdict:

Malicious activity

Analysis date:

2022-06-20 16:55:55 UTC

Tags:

trojan rat quasar asyncrat

Link:

https://app.any.run/tasks/ae7a66f8-ff53-4ac1-b9cb-5659a50efac7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

QuasarStealer

Link:

https://www.capesandbox.com/analysis/281695/

Detection(s):

Win.Malware.Generic-9883082-0

Win.Malware.Generic-9883083-0

ditekSHen.MALWARE.Win.Trojan.QuasarStealer.UNOFFICIAL

Win.Packed.Downeks-6898097-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% subdirectories

Launching a process

Sending a custom TCP request

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm greyware keylogger packed quasarrat rat shell32.dll stealer

Link:

https://www.filescan.io/uploads/62b0abd08e2643f17a9d8e44/reports/d698d97e-0688-462a-bfef-e4833785c266/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8eb4fc44-1fb2-4726-8f05-2ee3b1c8f4a8

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1016533

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

quasar

Link:

https://mwdb.cert.pl/sample/4a3a8abd7f6d5fd9adfb51703085e839781cffc341705123be40b0c146dcf0a9/

Threat name:

ByteCode-MSIL.Trojan.Quasar

Status:

Malicious

First seen:

2022-06-20 17:17:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ji5ivpl7nvp5tlp3kfydbbpihf4bz76difyfci56icymcrw46cuq._file

Verdict:

malicious

QuasarRAT

419a43cd026621eb0fb785f00fc7b502bd865e0cae5a65b540b03a12673f38d6

QuasarRAT

76deb78a7177f1e80420103e59ce406209d3c9b8f3b8541034bd18dda4fd1393

QuasarRAT

965a8d621907f2a2c04e8ca84801f448c68e133491b26d5336c851059db5b3ec

QuasarRAT

991e1506dfacc786546d890dc72ed38393ce901592c60d236304998c8e7026d7

QuasarRAT

d328076556526a90907af4a328621d490307be0ff3ff79b14ed8a9c978f9440f

QuasarRAT

+ 1'539 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar botnet:disc 2.0 spyware suricata trojan

Link:

https://tria.ge/reports/220620-vtpvasabe9/

Behaviour

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Executes dropped EXE

Quasar Payload

Quasar RAT

suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Malware Config

C2 Extraction:

67.241.61.219:4782

Unpacked files

SH256 hash:

4a3a8abd7f6d5fd9adfb51703085e839781cffc341705123be40b0c146dcf0a9

MD5 hash:

97532a90b14c6d0084fa2193982358bf

SHA1 hash:

dd4a9ddf2b84b3f500cc4a54f08aac1c00fc54cc

Link:

https://www.unpac.me/results/faf75eeb-bba9-4f7b-b862-8e606b30fd57/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4a3a8abd7f6d5fd9adfb51703085e839781cffc341705123be40b0c146dcf0a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	MALWARE_Win_QuasarStealer Create hunting rule
Author:	ditekshen
Description:	Detects Quasar infostealer

Rule name:	MAL_Lokibot_Stealer Create hunting rule
Description:	Detects Lokibot Stealer Variants

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	MAL_QuasarRAT_May19_1_RID2E1E Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/281695/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample