MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fafe7319dc4a4277a09863f72cbd14328e1607cdee608bc9f65945ec8055848. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 20 File information Comments

SHA256 hash:	4fafe7319dc4a4277a09863f72cbd14328e1607cdee608bc9f65945ec8055848
SHA3-384 hash:	b82eaf69a54bff55e3aa69afcadfb5fd8cf7aa4feeb6775beac2181068462e0d697dee38092855af579bc16505a34810
SHA1 hash:	1cc670cd744bb76596167ac5cd3bc97c04207a0c
MD5 hash:	bd2a3591a9168a9030f32c30db2e0d32
humanhash:	vermont-triple-happy-victor
File name:	Quote#002.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	1'157'120 bytes
First seen:	2022-04-14 10:41:24 UTC
Last seen:	2022-04-20 10:25:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:lLk5ovSCLJNNGbphooRXSpwLiOhQCmIoMPNWg2kd8:iCLJGbpJZsw9QCmagg2kK
Threatray	889 similar samples on MalwareBazaar
TLSH	T12B35D0427254A986D0575EF3186FC66066786D9E8020C64E3B83BE2B94F3B03346FB5F
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	f29296968e9e9ea6 (60 x AgentTesla, 37 x RedLineStealer, 35 x Formbook)
Reporter	pr0xylife
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

quasar

ID:

File name:

Quote#002.exe

Verdict:

Malicious activity

Analysis date:

2022-04-14 10:47:21 UTC

Tags:

trojan evasion quasar

Link:

https://app.any.run/tasks/dd9f1599-1178-4f48-984e-7c372c918697

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

QuasarRAT

Link:

https://www.capesandbox.com/analysis/263659/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.23680.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe greyware obfuscated packed remote.exe replace.exe

Link:

https://www.filescan.io/uploads/6257fa64ffe27d5119cd28bb/reports/690cd74f-caf6-49d9-8bcd-801a73aa9285/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Quasar RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d0ba4054-bb7e-4407-b448-d17826ca21b6

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/976745

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Add Scheduled Task From User AppData Temp

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4fafe7319dc4a4277a09863f72cbd14328e1607cdee608bc9f65945ec8055848/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-11 15:12:53 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 42 (57.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j6x6omm5yssco6qjqy7xfs6rimuocyd433tarpe7mwkf5saflbea._file

Verdict:

malicious

QuasarRAT

4d9f9ebfea637dfcd6415af650b54f8930d38c3b93192164cddd59e64ce86e74

QuasarRAT

5c395df95b067f10c115f92e193d7f61bc6ce05eefb20bfc86aac86f278e0600

QuasarRAT

672d98cad4d5aab1bea0ab262b4f154bb877844a61e742416ac73ed723f1cb99

QuasarRAT

7431f9ba6aec04eac9673c804378df129f167a06927649ec7aca9872fb15f14b

QuasarRAT

a98fb020ed1b1b79495423933331d152b65d0db7947e403bdebe41f999540e6d

QuasarRAT

b6e510ac38643fbc455d38144a8ab0990056379c596c5728987d062fa3a64efc

QuasarRAT

c76303ad32caa1dc46b93eadd1de1342a67001559c2be9ab42e50b4615c71baa

QuasarRAT

f2833315c599f86d9a2f1d020ae68f39329c8b43401b8e03eecca32c5bf014ea

QuasarRAT

+ 879 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar botnet:office04 spyware trojan

Link:

https://tria.ge/reports/220414-mrnv8abad5/

Behaviour

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Quasar Payload

Quasar RAT

Malware Config

C2 Extraction:

216.250.250.94:4788

Unpacked files

SH256 hash:

007694272e71c5aa5e99bee9e6f9a48bd591a5f1d84f7e4d82b86d32570815b0

MD5 hash:

df10f342c5a36206cae9c53f0fbda9dd

SHA1 hash:

fc0e8645a7ed3fe8eb6a6ec45e34753baa2b1461

Link:

https://www.unpac.me/results/eced356c-b4ab-4ef1-9425-673fcc2723c0/

SH256 hash:

3116ad193d097c7857df13599d6204cec8f6fe84eeeb39fa013497ad8c316900

MD5 hash:

bf0788d028241b29760c0620212ad066

SHA1 hash:

f63c2a10c525bf129020db6259a90017712e4bd6

Link:

https://www.unpac.me/results/eced356c-b4ab-4ef1-9425-673fcc2723c0/

SH256 hash:

71f90aa162164b378a4ede95abbba6fa72536b49e916906f7f6952bdee4528f4

MD5 hash:

8eac6d78d1bc43fed7738b5115870e74

SHA1 hash:

bbf4b104f114ed3bad212ca722ea2ddd4e200b17

Link:

https://www.unpac.me/results/eced356c-b4ab-4ef1-9425-673fcc2723c0/

SH256 hash:

ab15509a4b1ba9b734c4354b8d8aa9210a46ce8dd613a2eb6a2fd73f0e7eb2b4

MD5 hash:

d1f0f5af9987e0185ee4966b23893bf9

SHA1 hash:

5c8045a622eba7fa059a0bdbc335fe4fb64c7dbc

Link:

https://www.unpac.me/results/eced356c-b4ab-4ef1-9425-673fcc2723c0/

SH256 hash:

4fafe7319dc4a4277a09863f72cbd14328e1607cdee608bc9f65945ec8055848

MD5 hash:

bd2a3591a9168a9030f32c30db2e0d32

SHA1 hash:

1cc670cd744bb76596167ac5cd3bc97c04207a0c

Link:

https://www.unpac.me/results/eced356c-b4ab-4ef1-9425-673fcc2723c0/

Malware family:

Quasar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4fafe7319dc4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4fafe7319dc4a4277a09863f72cbd14328e1607cdee608bc9f65945ec8055848

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	CN_disclosed_20180208_KeyLogger_1 Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details

Rule name:	CN_disclosed_20180208_KeyLogger_1_RID3227 Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	malware_Quasar_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect QuasarRAT in memory

Rule name:	MALWARE_Win_QuasarRAT Create hunting rule
Author:	ditekSHen
Description:	QuasarRAT payload

Rule name:	MAL_Lokibot_Stealer Create hunting rule
Description:	Detects Lokibot Stealer Variants

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	MAL_QuasarRAT_May19_1_RID2E1E Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Quasar_RAT_1_RID2B54 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Quasar_RAT_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Quasar_RAT_2_RID2B55 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Vermin_Keylogger_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Vermin Keylogger
Reference:	https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

Rule name:	xRAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Patchwork malware
Reference:	https://goo.gl/Pg3P4W

Rule name:	xRAT_1_RID2900 Create hunting rule
Author:	Florian Roth
Description:	Detects Patchwork malware
Reference:	https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/263659/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample