MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 54d7969a09d2ad3dcf82a96a0fce4e3fc5bbb6ee26d01a0b8517f364b5431217. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
QuasarRAT
Vendor detections: 6
| SHA256 hash: | 54d7969a09d2ad3dcf82a96a0fce4e3fc5bbb6ee26d01a0b8517f364b5431217 |
|---|---|
| SHA3-384 hash: | 5a39580d623bd59efa0c1af909a8d03bd64f728307586b4f66697753154935eb3dac1aa40a07a105ff0722f4d6773b03 |
| SHA1 hash: | 71eec8154b8b19f88c1385a77394b26422f53735 |
| MD5 hash: | 4eb5cbef221e5536af1caa27e23a2abf |
| humanhash: | shade-emma-september-winner |
| File name: | SecuriteInfo.com.Heur.MSIL.Krypt.2.8517.30374 |
| Download: | download sample |
| Signature | QuasarRAT |
| File size: | 1'167'872 bytes |
| First seen: | 2020-09-25 17:35:42 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger) |
| ssdeep | 24576:+mr2fNL6dNUtlffkPNeL289e4NoMTro22D:WfNL6dNUtlXo4Sbh |
| TLSH | 7245C65437E2B667C10E7B3AA0610B597678C147BB47A38765901FAC1DF23FB0C698A3 |
| Reporter |  SecuriteInfoCom |
| Tags: | QuasarRAT |
Intelligence
File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Sending a UDP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Reading critical registry keys
Using the Windows Management Instrumentation requests
DNS request
Creating a window
Running batch commands
Creating a process with a hidden window
Creating a file
Searching for the window
Launching a process
Stealing user critical data
Launching a tool to kill processes
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Signature
.NET source code references suspicious native API functions
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.Generic
Status:
Malicious
First seen:
2020-09-24 20:10:00 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
unknown
Unpacked files
SH256 hash:
54d7969a09d2ad3dcf82a96a0fce4e3fc5bbb6ee26d01a0b8517f364b5431217
MD5 hash:
4eb5cbef221e5536af1caa27e23a2abf
SHA1 hash:
71eec8154b8b19f88c1385a77394b26422f53735
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Quasar
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.