MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 585e4146923404bbe11c2cf5a423e2650a5d133541e9baeacb64a4d675f6484d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	585e4146923404bbe11c2cf5a423e2650a5d133541e9baeacb64a4d675f6484d
SHA3-384 hash:	58c6a1d888ed7f1687cd496d46173385defed60e56088987e4e220fe37f5b3bd707c2655baba257a0d14a803978116c4
SHA1 hash:	aa45ac989ae6e752331026a4785390d060fb5ef5
MD5 hash:	47b0943c89eb4b17c9a006b33f524a51
humanhash:	blue-ceiling-michigan-hawaii
File name:	SecuriteInfo.com.Generic.mg.47b0943c89eb4b17.15572
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	373'560 bytes
First seen:	2020-09-02 15:31:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:13I5coNBTcom4ijsbAcOZm6M9N4Fu7lAUXFE5ux1E7sDBm79+OhbkM/Tf7CXjoJJ:C2oNBTco4sFZ42CUXW5x7sDBm79qM/TF
Threatray	124 similar samples on MalwareBazaar
TLSH	A18401A5B6A64F21C08F673155E21108177B8FC79E47DBCA78C8AE427A127DE12079CF
Reporter	SecuriteInfoCom
Tags:	QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Generic.mg.47b0943c89eb4b17.15572.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Launching a process

Creating a file

Setting a keyboard event handler

Connection attempt

Enabling autorun by creating a file

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/457648

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Creates an undocumented autostart registry key

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/585e4146923404bbe11c2cf5a423e2650a5d133541e9baeacb64a4d675f6484d/

Threat name:

ByteCode-MSIL.Trojan.Quasar

Status:

Malicious

First seen:

2020-09-02 12:58:58 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lbpecrusgqclxyi4ft22ii7cmuff2ezvihu3v2wlmssnm5pwjbgq._file

Verdict:

malicious

QuasarRAT

3a83d1211c8a9235a72f0dcea5c36ec53a99ed83340e35097e7f41773bc8fb3f

QuasarRAT

4c66ebb40e5abd92b6a6985e8409116c5424ebb9af0c320cbafb031698e5022c

QuasarRAT

5ba0344c196d2605e844a2b15cff5c93412d58e9ca5c8446c468fa768604242d

QuasarRAT

7560ffa1a8f7b05bc142fb1077bcbcda760b45a6b82578cbfeaed1aca164dd2c

QuasarRAT

9760105f3177384c19086dee036cdc67916d744f4a1e7064ecfd906e252dba69

QuasarRAT

97950fbe40dd26ac4eabd641e8bae0fc8f23ce04e3c4cf06ad5e451389b80556

QuasarRAT

ac4d3acc896cc3fd6e4ba14547572dfc0447f47f2c29c28a170db4b0169c6e2f

QuasarRAT

b07177183a0f5cce808293132d98364a64495885d4bf1bbe7e2cdc39418d723d

QuasarRAT

d3922882bfee49abb72584b9d5918f3787221fa40b7f552c98d7bc0e55833234

QuasarRAT

+ 114 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/200902-gn8fejq51s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/585e4146923404bbe11c2cf5a423e2650a5d133541e9baeacb64a4d675f6484d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	Vermin_Keylogger_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Vermin Keylogger
Reference:	https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/54459/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample