MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c6c1c0d7925af6c2891164d67743204132fcc8ea3cda471c005f446ea1cfda1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c6c1c0d7925af6c2891164d67743204132fcc8ea3cda471c005f446ea1cfda1
SHA3-384 hash: 7252d55ef2883d415f728fb04a01730895ae012922ddcebc4d8e538d0f0c4155bdc829d1de629b991097509ff06187f6
SHA1 hash: e3c0bd66934cd61b81eb0013f7c30b291a69f504
MD5 hash: e6b91b21f30ecfa6b02996fadde7bb3d
humanhash: pennsylvania-sink-sierra-texas
File name:e6b91b21f30ecfa6b02996fadde7bb3d.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'516'032 bytes
First seen:2020-06-02 16:35:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:vtb20pkaCqT5TBWgNQ7aL3Niqy6RA/+77GzU+mlb+tj6ft6A:sVg5tQ7aL3cMAmGulf15
Threatray 1'027 similar samples on MalwareBazaar
TLSH 2965E01373DE8365C7725273BA267B11AEBF782506A1F96B2FD4093DEC20122521E673
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
QuasarRAT C2:
77.247.127.107:52419

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27684.AidExe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 16:18:23 UTC
AV detection:
22 of 31 (70.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jrwbydlzewxwykerczgwo5bsaqjs7teoupg2i4oaax2en2q47wqq._file
Verdict:
malicious
Similar samples:
07b55ae89038136fc1da21d2aaea7b9e6d17ea18843d26f9bbcad7124eb5f1be
QuasarRAT
0a44ee4a63f01378570de7668ee2daa17534d296a6ff2c45bc14d8f9b07bb837
QuasarRAT
0af91caf5bfd256133203be73629b6fc15dda3a6d11b007549babf7118763cfe
QuasarRAT
2dd7ab98c842ba266d58d3ad1495727981952821c2375d86b1423c137799a753
QuasarRAT
733258140e397a26743a3a559b6961324ef07b03291d07699b2b4f4ecc5c8a0b
QuasarRAT
7b30f4495b6650b1059c97b73bfb14d5ce76636cfdeaf3f5537a1973e625bcb4
QuasarRAT
9a2ffcf3f6be8f2fb3ea792c854fbe72e907c99391ded77733a1401d4d168e9e
QuasarRAT
b78e68fd36980a2fa7c1de03af87095dc637985959414c9684b11c24d37e97b3
QuasarRAT
b8cedaeefb46ff748af412d63d33b2d508966d4e33fd88efc592072b64017f5c
QuasarRAT
f8166e1205c9dd0761f42f47c8d3e3c944b72b1fd3713a0383040f263987a649
QuasarRAT
+ 1'017 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar spyware trojan
Link:
https://tria.ge/reports/201109-ezzzkf99ta/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Quasar RAT
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MSILStealer
Create hunting rule
Author:https://github.com/hwvs
Description:Detects strings from C#/VB Stealers and QuasarRat
Reference:https://github.com/quasar/QuasarRAT
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 4c6c1c0d7925af6c2891164d67743204132fcc8ea3cda471c005f446ea1cfda1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/374424/
  
Delivery method
Distributed via web download

Comments