MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52d14c318dd0d66fcba72250ee462f8c633fb9f5c44fd2a21368a1016ae41966. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 11



SHA256 hash: 52d14c318dd0d66fcba72250ee462f8c633fb9f5c44fd2a21368a1016ae41966
SHA3-384 hash: 773e57b70ffcdd6940aa6e82354d396d56c2691b0234cf1b8bf36d7f521c6ba194c767b756e983ea22298bbbd06a28fc
SHA1 hash: 49709a2a5f49f94c11669a5ca74bfbc4707408f3
MD5 hash: 811f46696830ead7b26c5f23b4416939
humanhash: bravo-beryllium-venus-colorado
File name: 811f46696830ead7b26c5f23b4416939
Signature: QuasarRAT
File size: 727'040 bytes
First seen: 2021-10-29 22:41:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:7yDUw5lIhY2I1OKulGJHiK6SxW72z7Of/zm5DtF4ah/VirZ1rUQ:PQlIhYCZlG0SxPzS3zmHitrDr
Threatray: 9 similar samples on MalwareBazaar
TLSH: T18CF4BD11279381C9C4F513B80A598391D7217FE0F9E3AB2E794776EAEA722C176503E3
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe QuasarRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 215
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
811f46696830ead7b26c5f23b4416939
Verdict:
Malicious activity
Analysis date:
2021-10-29 22:48:30 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Disables user account control notifications
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 512073
Sample: ke5knEn8r3
Startdate: 30/10/2021
Architecture: WINDOWS
Score: 100

Start (node 2)
  Network: 104.23.98.190, 443, 49779 CLOUDFLARENETUS United States; perfect5.publicvm.com; 2 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected AntiVM3; 6 other signatures
  Started: ke5knEn8r3.exe (node 9)

ke5knEn8r3.exe (node 9)
  Dropped: C:\Users\user\AppData\...\ke5knEn8r3.exe.log, ASCII
  Signatures: May check the online IP address of the machine; Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  Started: ke5knEn8r3.exe (node 13)

ke5knEn8r3.exe (node 13)
  Network: ip-api.com 208.95.112.1, 49747, 49780, 80 TUT-ASUS United States; pastebin.com 104.23.99.190, 443, 49746, 49787 CLOUDFLARENETUS United States
  Dropped: C:\Users\user\AppData\Roaming\...\HSteces.exe, PE32
  Signatures: Creates an undocumented autostart registry key; Changes security center settings (notifications, updates, antivirus, firewall); Disables user account control notifications; 2 other signatures
  Started: HSteces.exe (node 18); powershell.exe (node 21); powershell.exe (node 23); 16 other processes (node 25)

HSteces.exe (node 18)
  Signatures: May check the online IP address of the machine; Injects a PE file into a foreign processes

powershell.exe (node 21)
  Started: conhost.exe (node 27)

powershell.exe (node 23)
  Started: conhost.exe (node 29)

16 other processes (node 25)
  Started: conhost.exe (node 31); conhost.exe (node 33); conhost.exe (node 35); 13 other processes (node 37)
Threat name:
ByteCode-MSIL.Trojan.Generic
Status:
Suspicious
First seen:
2021-10-29 18:56:07 UTC
AV detection:
10 of 45 (22.22%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:quasar evasion persistence spyware trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Windows security modification
Executes dropped EXE
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Modifies security service
Quasar Payload
Quasar RAT
UAC bypass
Windows security bypass
Unpacked files

SHA256 hash: 4d1ee061c817ea30ca4e461a4f44388662c1c1c2775be2b323858ddbc1679b35
MD5 hash: 1b6d3d31872537cc611ff4322ffc1099
SHA1 hash: 0108adafb207ce044bfb3f7933da45594c545bee

SHA256 hash: df8873a8fa0f1d25156971ccdfc0f6ac2d40a3a82c301d94ac1b4287cf64b378
MD5 hash: 91e4aa705d141297f36c3d92d1c60176
SHA1 hash: 02799b5d5df62ab0b6fbd817aa8f6c9d42656018

SHA256 hash: 12b52e11a607741e2d3f36803efe1c93efae0b1589cb8f9d7d38a86d46cc2434
MD5 hash: 74c151c96623503aa284b96c798bb9e3
SHA1 hash: 3ce0e36400c41c1b5a49c3e54386f0a3a3790729

SHA256 hash: 52d14c318dd0d66fcba72250ee462f8c633fb9f5c44fd2a21368a1016ae41966
MD5 hash: 811f46696830ead7b26c5f23b4416939
SHA1 hash: 49709a2a5f49f94c11669a5ca74bfbc4707408f3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CN_disclosed_20180208_KeyLogger_1
Author: Florian Roth
Description: Detects malware from disclosed CN malware set
Reference: https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details

Rule name: CN_disclosed_20180208_KeyLogger_1_RID3227
Author: Florian Roth
Description: Detects malware from disclosed CN malware set
Reference: https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details

Rule name: INDICATOR_SUSPICIOUS_ClearWinLogs
Author: ditekSHen
Description: Detects executables containing commands for clearing Windows Event Logs

Rule name: INDICATOR_SUSPICIOUS_DisableWinDefender
Author: ditekSHen
Description: Detects executables containing artifacts associated with disabling Windows Defender

Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents

Rule name: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author: ditekSHen
Description: Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Rule name: INDICATOR_SUSPICIOUS_GENInfoStealer
Author: ditekSHen
Description: Detects executables containing common artifacts observed in infostealers

Rule name: MALWARE_Win_QuasarRAT
Author: ditekSHen
Description: QuasarRAT payload

Rule name: MAL_QuasarRAT_May19_1
Author: Florian Roth
Description: Detects QuasarRAT malware
Reference: https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name: MAL_QuasarRAT_May19_1_RID2E1E
Author: Florian Roth
Description: Detects QuasarRAT malware
Reference: https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name: pe_imphash

Rule name: pe_imphash

Rule name: Quasar
Author: JPCERT/CC Incident Response Group
Description: detect QuasarRAT in memory

Rule name: Quasar_RAT_2
Author: Florian Roth
Description: Detects Quasar RAT
Reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name: Quasar_RAT_2_RID2B55
Author: Florian Roth
Description: Detects Quasar RAT
Reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name: RDPWrap
Author: @bartblaze
Description: Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference: https://github.com/stascorp/rdpwrap

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Vermin_Keylogger_Jan18_1
Author: Florian Roth
Description: Detects Vermin Keylogger
Reference: https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

Rule name: xRAT_1
Author: Florian Roth
Description: Detects Patchwork malware
Reference: https://goo.gl/Pg3P4W

Rule name: xRAT_1_RID2900
Author: Florian Roth
Description: Detects Patchwork malware
Reference: https://goo.gl/Pg3P4W

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: QuasarRAT
File type: Executable exe
SHA256 hash: 52d14c318dd0d66fcba72250ee462f8c633fb9f5c44fd2a21368a1016ae41966 (this sample)
Distributed via web download

Comments



zbet commented on 2021-10-29 22:41:33 UTC

url: hxxp://149.28.108.46/112233.exe