MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56d092c2d8c927f25843226203655bf07c46845fb927d7d2640120862989bfdf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56d092c2d8c927f25843226203655bf07c46845fb927d7d2640120862989bfdf
SHA3-384 hash: 5884045a74c30871c7f8d794045843900367c5fce89d7b846a02f664bd914bdd509f0314ba951d6c04ef46d032aceee7
SHA1 hash: caf337cf85f3d89ab4d4f2a4c8d6f4f5137fe13e
MD5 hash: d3b411350e9ef770aeb358856d002cf7
humanhash: batman-music-lion-alaska
File name:a4cf6d455730caf6c6fffcb14a325d31.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'188'864 bytes
First seen:2022-04-20 19:26:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:BnEFblF1XpXanI9ARQyaYD7BK97ucOg6huvRt99L2OAeJkd8:cZF1XvARFr7BK97ucOg6G9L6eJkK
Threatray 1'684 similar samples on MalwareBazaar
TLSH T10445F1423245DCD6E00729F248AFD56061B87E9E8075C60E3783BB2B95E7343259BB9F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon f29296968e9e9ea6 (60 x AgentTesla, 37 x RedLineStealer, 35 x Formbook)
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
QuasarRAT C2:
3.83.129.253:4747

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
3.83.129.253:4747 https://threatfox.abuse.ch/ioc/521651/

Intelligence

File Origin
# of uploads :
1
# of downloads :
362
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/265234/
Detection(s):
SecuriteInfo.com.Artemis4C29EEE44DC5.22863.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Changing a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62605ed3eab80a7a6c4d341a/reports/14195d84-4897-49d9-84e7-aa4e63f36481/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5dfce973-ea45-40b5-a21b-bcce59ba85a0
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/979961
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56d092c2d8c927f25843226203655bf07c46845fb927d7d2640120862989bfdf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-19 02:58:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
46
AV detection:
23 of 42 (54.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k3ijfqwyzet7ewcdejragzk36b6enbc7xet5puteaeqimkmjx7pq._file
Verdict:
malicious
Similar samples:
185ba54811bf367e51e498ccb60534544790abe9d757a5fd2fdd4ff94c2cd912
QuasarRAT
3a83d1211c8a9235a72f0dcea5c36ec53a99ed83340e35097e7f41773bc8fb3f
QuasarRAT
75dc265d032be64eba35add54a98a93fc11568d4fa95f3c9a4e9700f094b4d52
QuasarRAT
7d6cfc5cfb6243152ee28b41a00650c3c95cc3615a5407c6ec094632926b99e2
QuasarRAT
82c6bcebf68686e31c276add1615229d2d8635cb15bae9c131293fc5b57617ea
QuasarRAT
aa0a18dad402f0cfbd776899ece4ec642f451f8ad0ae5a5faa0682bf1ca21930
QuasarRAT
ab5ea57fdd5bfa91a11db4d85f99a84e342ead177da5744dff012398d153f4ba
QuasarRAT
f251387bb1ec7acdd3634ab829ee4389a4b973cf699863f2769e7521d4e58a45
QuasarRAT
+ 1'674 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office spyware trojan
Link:
https://tria.ge/reports/220420-x53awacbf9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Quasar Payload
Quasar RAT
Malware Config
C2 Extraction:
3.83.129.253:4747
Unpacked files
SH256 hash:
8ea304ac5df03dca1531f54d045ffd4dc86f5664ecec18f8b73f5d35ac298cb6
MD5 hash:
acfefdd6f3ea81f80a7d32c73a2354a1
SHA1 hash:
fa5f7fdd7764bc48dae336189a6350e3b0be94ac
Link:
https://www.unpac.me/results/76e11e7d-3782-499a-a068-9aaa9737e924/
SH256 hash:
042b75c33e1b67cbe0e90aadf606fe53c58418a5922d03528cd4811e6f0f9d52
MD5 hash:
e4b5b8a21e9c1c57e1068ec3d47ac66e
SHA1 hash:
96d3001a29add495aa123b0f5bdbd8fca1a92cb0
Link:
https://www.unpac.me/results/76e11e7d-3782-499a-a068-9aaa9737e924/
SH256 hash:
e4e49fe9368891e8e18b084b71997200e4016f1268cda8b418b17dbc828b6f98
MD5 hash:
9ed576d0c2c23bf902ffa0c97ed22c81
SHA1 hash:
3d017dce80e56f159602da8f37df227fa5b58476
Link:
https://www.unpac.me/results/76e11e7d-3782-499a-a068-9aaa9737e924/
SH256 hash:
7172472f86ff1ff133d5c8ba5bad21ecad8457bf416a5f54e95bee9606639e7d
MD5 hash:
e70ed9e06e6161eebd8c96f36e7b50fa
SHA1 hash:
1789866b0f4ba135471a28d8eaea75151b1bb2c8
Link:
https://www.unpac.me/results/76e11e7d-3782-499a-a068-9aaa9737e924/
SH256 hash:
56d092c2d8c927f25843226203655bf07c46845fb927d7d2640120862989bfdf
MD5 hash:
d3b411350e9ef770aeb358856d002cf7
SHA1 hash:
caf337cf85f3d89ab4d4f2a4c8d6f4f5137fe13e
Link:
https://www.unpac.me/results/76e11e7d-3782-499a-a068-9aaa9737e924/
Malware family:
xRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/56d092c2d8c9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56d092c2d8c927f25843226203655bf07c46845fb927d7d2640120862989bfdf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/265234/

Comments