MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a72f3948f014c2ded502832814c6d65feb78bd1caef7df8bcecb78f7a90b6e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a72f3948f014c2ded502832814c6d65feb78bd1caef7df8bcecb78f7a90b6e2
SHA3-384 hash: 5236ca49123ea7e8401dd46e2d90b1c06c6dcff7c332fd9646edda7541913ecda600caa4eef3e465f453bbe53e8783e7
SHA1 hash: 5076d5c3a1aa6f2ffcc299f803d0dd01b33d6dd7
MD5 hash: 05eecfc1820ab3273409323601a71f23
humanhash: pizza-illinois-princess-summer
File name:build.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'124'224 bytes
First seen:2024-06-08 22:56:48 UTC
Last seen:2025-01-27 07:55:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d9ca0b2979f53d063e2f67bf794d871e (1 x QuasarRAT)
ssdeep 49152:rBT0kcpBrQvDFw/Wb/Zy8kIvLSXkbPvEZNLlUHDZQ:rdcf8i/2/Zy8kIO10Q
TLSH T1F5E5C012BB92C26DC39134B0996DA76BE265DFF82B224AC377C43D0E56368D32533E54
TrID 54.9% (.DLL) foobar 2000 generic component (102066/2/5)
31.0% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
5.6% (.EXE) Win64 Executable (generic) (10523/12/4)
2.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.4% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 4dc8c0b296cc69b2 (2 x RemcosRAT, 1 x QuasarRAT)
Reporter V3n0mStrike
Tags:exe mediafire-zip QuasarRAT roblox-airdns-org

Intelligence

File Origin
# of uploads :
3
# of downloads :
343
Origin country :
CL CL
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
4a72f3948f014c2ded502832814c6d65feb78bd1caef7df8bcecb78f7a90b6e2.exe
Verdict:
Malicious activity
Analysis date:
2024-06-08 22:59:39 UTC
Tags:
evasion quasar
Link:
https://app.any.run/tasks/0b4feff1-abab-4f51-9977-3f7ee80309f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.PossibleThreat.17160.31200.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=666702d0a439c6d6b0874418win10vpnfull_triage
Tags:
Execution Generic Infostealer Network Static Stealth Quasar
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Creating a window
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/4a72f3948f014c2ded502832814c6d65feb78bd1caef7df8bcecb78f7a90b6e2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c5e13d29-1050-4e9b-bb7f-ec7a1b47820f
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1454159
Signature
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Detected Quasar RAT
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
Score:
76%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4a72f3948f014c2ded502832814c6d65feb78bd1caef7df8bcecb78f7a90b6e2
Detection:
quasar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4a72f3948f014c2ded502832814c6d65feb78bd1caef7df8bcecb78f7a90b6e2/
Threat name:
Win32.Trojan.Acll
Create hunting rule
Status:
Malicious
First seen:
2024-06-07 22:48:12 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jjzphfepafgc33kqfazictdnmx7lpc6rzlxx36f45s3y66uqw3ra._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240608-2w9e2shf31/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0a5e7a40-b1fc-47e3-afe3-fce890db472c
Unpacked files
SH256 hash:
d29245f16b906e83ea7c0c7405d0c64906119d090f6fde0de184f2b158b52528
MD5 hash:
b9e27423a37b2d7317e43f557ec30ce1
SHA1 hash:
51a130037cfdad2b30b66b89444347842e860761
Detections:
QuasarRAT
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
CN_disclosed_20180208_KeyLogger_1
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Quasar_RAT_2
Create hunting rule
Quasar
Create hunting rule
Vermin_Keylogger_Jan18_1
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
MALWARE_Win_QuasarRAT
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Quasar_RAT_1
Create hunting rule
xRAT_1
Create hunting rule
win_quasarrat_j1
Create hunting rule
Link:
https://www.unpac.me/results/80c84214-30d1-4080-bbe1-c1a88893452f/
SH256 hash:
4a72f3948f014c2ded502832814c6d65feb78bd1caef7df8bcecb78f7a90b6e2
MD5 hash:
05eecfc1820ab3273409323601a71f23
SHA1 hash:
5076d5c3a1aa6f2ffcc299f803d0dd01b33d6dd7
Link:
https://www.unpac.me/results/80c84214-30d1-4080-bbe1-c1a88893452f/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4a72f3948f01/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a72f3948f014c2ded502832814c6d65feb78bd1caef7df8bcecb78f7a90b6e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

QuasarRAT

HTML Application (hta) hta d5647dd8dbd73ac01bad18aefafab4b7848861c12eaff129b37f65cfc940575d

QuasarRAT

Executable exe 4a72f3948f014c2ded502832814c6d65feb78bd1caef7df8bcecb78f7a90b6e2

(this sample)

  
Delivery method
Distributed via web download
  
Dropped by
SHA256 d5647dd8dbd73ac01bad18aefafab4b7848861c12eaff129b37f65cfc940575d
  
Dropped by
MD5 81d631fdb7e6f1d8b2222355bdea0d92
  
URLhaus
https://urlhaus.abuse.ch/url/2880629/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::ShellExecuteExW
SS_APIUses SS APIADVAPI32.dll::CryptVerifySignatureW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::ReadDirectoryChangesW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.dll::CryptAcquireContextW
ADVAPI32.dll::CryptCreateHash
ADVAPI32.dll::CryptGetHashParam
ADVAPI32.dll::CryptHashData
ADVAPI32.dll::CryptImportKey
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegOpenKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments