MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f72467f5cb515fd7cfa3cdb38486d581310a70b053fb0494f6a8971ade19ada. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f72467f5cb515fd7cfa3cdb38486d581310a70b053fb0494f6a8971ade19ada
SHA3-384 hash: 899e1fe497183cbc20aec0e36b8eef3a71efcfbf6eada2954687431805852bc5187e53b47c18b3cbccb63bdb9c44dc04
SHA1 hash: 180b10e46ea18626001bbd38dbb552b9881159ff
MD5 hash: bde60dd34ea566808c2f7b6a74f9d0fe
humanhash: angel-ceiling-juliet-speaker
File name:4f72467f5cb515fd7cfa3cdb38486d581310a70b053fb0494f6a8971ade19ada
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:4'480'512 bytes
First seen:2021-02-28 07:26:48 UTC
Last seen:2021-02-28 10:08:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:umtS6SxY/f/aTSyqttmEblMMOommtS6SxY/f/aTSyqttmEblMMOo8RDPUkg:dtSjxY/HaTgmEbztSjxY/HaTgmEb8DPG
Threatray 44 similar samples on MalwareBazaar
TLSH A226335032F60EE9F965103EEE03723D10B1EA4CEC52B0AEDBE64B54F6807751B15B6A
Reporter JAMESWT_WT
Tags:QuasarRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
887
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4f72467f5cb515fd7cfa3cdb38486d581310a70b053fb0494f6a8971ade19ada
Verdict:
Suspicious activity
Analysis date:
2021-02-28 08:12:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/12ae521c-ab6c-417f-865c-a821beaf1ee5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119979/
Detection(s):
SecuriteInfo.com.Variant.Razy.681276.1863.29129.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Searching for the window
Changing a file
Connection attempt
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
50 / 100
Link:
https://www.joesandbox.com/analysis/620778
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359382 Sample: x4F1uS8nAq Startdate: 28/02/2021 Architecture: WINDOWS Score: 50 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 2 other signatures 2->56 8 x4F1uS8nAq.exe 5 12 2->8         started        process3 file4 36 C:\Users\user\AppData\Local\...\Qjmkvzsd.exe, PE32 8->36 dropped 38 C:\Users\user\AppData\Local\Temp\Fkfjqa.exe, PE32 8->38 dropped 40 C:\Users\user\AppData\...\Bjceiaavpu.exe, PE32 8->40 dropped 42 2 other files (1 malicious) 8->42 dropped 11 Qjmkvzsd.exe 8 8->11         started        15 Fkfjqa.exe 1 8->15         started        17 Bjceiaavpu.exe 8->17         started        19 4 other processes 8->19 process5 dnsIp6 44 127.0.0.1 unknown unknown 11->44 58 Antivirus detection for dropped file 11->58 60 Multi AV Scanner detection for dropped file 11->60 62 Machine Learning detection for dropped file 11->62 64 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->64 21 WerFault.exe 15->21         started        23 WerFault.exe 17->23         started        46 192.168.2.1 unknown unknown 19->46 25 RdrCEF.exe 19->25         started        27 AcroRd32.exe 2 5 19->27         started        29 AcroRd32.exe 19->29         started        signatures7 process8 process9 31 RdrCEF.exe 25->31         started        34 RdrCEF.exe 25->34         started        dnsIp10 48 80.0.0.0 NTLGB United Kingdom 31->48
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f72467f5cb515fd7cfa3cdb38486d581310a70b053fb0494f6a8971ade19ada/
Threat name:
ByteCode-MSIL.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2021-02-27 02:12:00 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
04d4ebdb690749b84d74422ccbb583acc3180cbe3eb280b9ece53ef5eb3b3abf
QuasarRAT
1aabe4a4ce09025edf03501ea5cce117d4315f4baa19c0110e1c779ae2bd9ad3
QuasarRAT
2db2ac3aed53448534d201250a3cad8a82a35c04b37e28bbeb0549987918d2d4
QuasarRAT
3a83d1211c8a9235a72f0dcea5c36ec53a99ed83340e35097e7f41773bc8fb3f
QuasarRAT
47d53feeaa5e7f8f8d8af8aba5b86a805e3276a35d3b785e4fd3275c54c52809
QuasarRAT
585e4146923404bbe11c2cf5a423e2650a5d133541e9baeacb64a4d675f6484d
QuasarRAT
5ef2ac4a085e0ad9f43f72a645d0dfe77389b6f2fcc7fc4323df59aecaafa3d2
QuasarRAT
8890e3a0436c06a1c1d723352fd159a75e492cf3007f727f38183bbb8b79828e
QuasarRAT
d3922882bfee49abb72584b9d5918f3787221fa40b7f552c98d7bc0e55833234
QuasarRAT
ee2e84f75b0b6043c2a2e3b84bdeabc0be4a4a1e4c6ec6a3ff255963b545425d
QuasarRAT
+ 34 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210228-1rh1783ck6/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Executes dropped EXE
Unpacked files
SH256 hash:
bd52ab1bdd0f3668fffade808d43dc5be0924d178a71f06192e663268fa83fd9
MD5 hash:
7a2a3c08b71b0bcdc4abc24d04c2adef
SHA1 hash:
7479cdfac87c208cc88c95e9a352034f6afd628d
Link:
https://www.unpac.me/results/8413ded6-4ade-4e76-9013-f6c85c6b933c/
SH256 hash:
0d2853b76cb428fcefac591786abb7ca3e01aa27a719d70ffb3f1f28491c9b90
MD5 hash:
c04301a306a0393e43d09b1e045a3ab0
SHA1 hash:
2a027e87787013a3f8b5b6e3f98dd4fdd40211dd
Link:
https://www.unpac.me/results/8413ded6-4ade-4e76-9013-f6c85c6b933c/
SH256 hash:
4f72467f5cb515fd7cfa3cdb38486d581310a70b053fb0494f6a8971ade19ada
MD5 hash:
bde60dd34ea566808c2f7b6a74f9d0fe
SHA1 hash:
180b10e46ea18626001bbd38dbb552b9881159ff
Link:
https://www.unpac.me/results/8413ded6-4ade-4e76-9013-f6c85c6b933c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f72467f5cb515fd7cfa3cdb38486d581310a70b053fb0494f6a8971ade19ada

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119979/

Comments