MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c91c1999a25d525a41e688d4f86dee6d583f51210b58ca20d1a2ac312d8b93f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c91c1999a25d525a41e688d4f86dee6d583f51210b58ca20d1a2ac312d8b93f
SHA3-384 hash: 5423360b380f3dd81522879efbb37967259059d5e98fecf058385374c7158a7eda0d1a5f622d4c0f15b48925d8a55b22
SHA1 hash: 9488ca9830a2d9004a6b470f2b4e92842c3ea63d
MD5 hash: 4b927b51956430d5852ffdd828261bc4
humanhash: skylark-pennsylvania-edward-potato
File name:16904401279cf6086d452a8867321f3e61b90c85fdc4b90f7f48e9739de34b3586c52cd444511.dat-decoded
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:45'056 bytes
First seen:2023-07-27 06:42:08 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 768:R3E2aHxeW8rwTi9pQPbSoEY4V0QP22pAzB1rZt7EEGXjgvu+2fVCQ:uHxRtRP+nZpoVt7Ebzf
Threatray 3 similar samples on MalwareBazaar
TLSH T1EC135A57B7578A72C1E80BB7D497818007B0D34A7A33EB1F754E239EAE133DB4A81A45
TrID 87.2% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:base64-decoded dll QuasarRAT


Avatar
abuse_ch
Malware dropped as base64 encoded payload

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/434654/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.26927.10127.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64c211f84e8e3d763475ac5b/reports/7c19ec80-f7e6-4821-959c-34138e5b4195/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4c91c1999a25d525a41e688d4f86dee6d583f51210b58ca20d1a2ac312d8b93f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/498a13dd-dbe1-410a-86f3-9fba1c470a15
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1280868
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Sigma detected: Execute DLL with spoofed extension
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1280868 Sample: 16904401279cf6086d452a88673... Startdate: 27/07/2023 Architecture: WINDOWS Score: 60 15 Antivirus / Scanner detection for submitted sample 2->15 17 Sigma detected: Execute DLL with spoofed extension 2->17 19 Machine Learning detection for sample 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c91c1999a25d525a41e688d4f86dee6d583f51210b58ca20d1a2ac312d8b93f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-07-27 06:43:06 UTC
File Type:
PE (.Net Dll)
Extracted files:
4
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jsi4dgm2exkslja6ncgu7bw643kyh5iscc2yziqndivmgewyxe7q._file
Verdict:
unknown
Similar samples:
5dd81b46f9b2a310868ab2b1ea4d61619ab039d8d19e8abff4a559930be4fe19
QuasarRAT
60035c20c6889c26178deeba950e22da4224795ad96f4d3f3eea3ad77f031c85
QuasarRAT
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230727-hgx9paab66/
Unpacked files
SH256 hash:
4c91c1999a25d525a41e688d4f86dee6d583f51210b58ca20d1a2ac312d8b93f
MD5 hash:
4b927b51956430d5852ffdd828261bc4
SHA1 hash:
9488ca9830a2d9004a6b470f2b4e92842c3ea63d
Link:
https://www.unpac.me/results/2f85aab9-8559-4c3c-a015-bde4c0fb1337/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

9cf6086d452a8867321f3e61b90c85fdc4b90f7f48e9739de34b3586c52cd444

QuasarRAT

DLL dll 4c91c1999a25d525a41e688d4f86dee6d583f51210b58ca20d1a2ac312d8b93f

(this sample)

  
Dropped by
SHA256 9cf6086d452a8867321f3e61b90c85fdc4b90f7f48e9739de34b3586c52cd444
  
Dropped by
MD5 7d494bc32a11ff70ff33df822083defb
  
URLhaus
https://urlhaus.abuse.ch/url/2690791/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/434654/

Comments