MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5aa536fddd85f56a15349992de55d422a379ba2f5ee5e16bc6311d4c6471fddb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 8 File information Comments

SHA256 hash:	5aa536fddd85f56a15349992de55d422a379ba2f5ee5e16bc6311d4c6471fddb
SHA3-384 hash:	4cac110b841b30dedf6d9178bcf27e0e72e1ce11526daf9a5a187ac0616bc0f14cdfb3de1ca91de23ffcab9aaeb99b5d
SHA1 hash:	ce8ecfa888c58bf7bda7de201c6c225050ab65c9
MD5 hash:	0dec37509a6328db793b1708d9f97e1c
humanhash:	whiskey-grey-low-muppet
File name:	0dec37509a6328db793b1708d9f97e1c.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	660'992 bytes
First seen:	2021-06-28 07:20:55 UTC
Last seen:	2021-06-28 07:33:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:CC/dIVYS1Yw70gkiF+YTBLlKqvrLJeu9uwvDR4w2U:CodIVz70viFQqvxJ9uwLRn2U
Threatray	84 similar samples on MalwareBazaar
TLSH	5CE46A908EEFDEDEC26F663FA54A0C9214EED306079792E59F464D34B3852238D611E3
Reporter	abuse_ch
Tags:	exe QuasarRAT RAT

abuse_ch

QuasarRAT C2:
91.109.190.2:5490

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
91.109.190.2:5490	https://threatfox.abuse.ch/ioc/154761/

Intelligence

File Origin

# of uploads :

# of downloads :

140

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0dec37509a6328db793b1708d9f97e1c.exe

Verdict:

Suspicious activity

Analysis date:

2021-06-28 07:22:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f6814f8f-ca7a-4164-90eb-36565d0d6b25

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

QuasarStealer

Link:

https://www.capesandbox.com/analysis/168536/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.46543391.22089.385.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Quasar RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/31b9f2cc-5edb-4a84-911f-6179a2d5acaf

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/808699

Signature

.NET source code references suspicious native API functions

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5aa536fddd85f56a15349992de55d422a379ba2f5ee5e16bc6311d4c6471fddb/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2021-06-28 00:53:33 UTC

AV detection:

10 of 46 (21.74%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lkstn7o5qx2wufjutgjn4vouekrxtorpl3s6c26ggeouyzdr7xnq._file

Verdict:

malicious

QuasarRAT

06b4062db19ac0017c3f0e32f27559a48aa9c7305f110c3b8485d5faa62d6814

QuasarRAT

1230b290a583361b44a14b0ebf16925f07d7d6ed0d58ecae0bdd2419903d27b0

QuasarRAT

3bdfd4cd7aacdefa4ab159a25b056056fd011b9ad60fc2166adbb41c5610b044

QuasarRAT

42141ee67236cf596950e3aeebc96b436471ab41d3740f56c4ee5b6029f3a38c

QuasarRAT

5a06fc050c72cc1155f996e5ce2528f0a35d02339e3f507721bb41682730f95b

QuasarRAT

704d41dd4ca17a0c2817c62a2377df8f07c99883a952a3b037bacef4b3114e1e

QuasarRAT

784ed80931d639300835a664cc07fa838cb984e3a910aa6568dfb9820e73cba3

QuasarRAT

7ba2419d74a5a9c7ef362bf40d0e1563bd02fd16fada16c8da39cf178c6306be

QuasarRAT

85e13a72f67635d8590b1952332a37371f5f06400cedd60cd8c85415a051c031

QuasarRAT

+ 74 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar spyware trojan

Link:

https://tria.ge/reports/210628-pgtndwr88j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Quasar Payload

Quasar RAT

Unpacked files

SH256 hash:

f536c6afc311c547c0947e1ad0ba7e4b69bb7172322fb3cafbe0b5fbf59a4723

MD5 hash:

69251a7ba76e77b3a98a3ba47f02264f

SHA1 hash:

e1252fe0c4956617098090365b3d03bbe0acf577

Link:

https://www.unpac.me/results/52cc635d-2638-46a9-a5aa-49a360fbb7f7/

SH256 hash:

b36a3e7e2e55bc96800d4f3bc969dac43e63825e773201a3335ae54513ea2c05

MD5 hash:

bb36ade150230ce13157e8c92b08dd2d

SHA1 hash:

6b425fedc07329cfdfca0d448ca1630e7eb59f2f

Link:

https://www.unpac.me/results/52cc635d-2638-46a9-a5aa-49a360fbb7f7/

SH256 hash:

54c54d88972bfc5fc9a8646d11cd1086be60d7162710931ba01c90d496c139f2

MD5 hash:

77fa323aedaaed167fb2b9fac326e358

SHA1 hash:

0d255d9fcb7e97199ef5d91320a44c02638d3578

Link:

https://www.unpac.me/results/52cc635d-2638-46a9-a5aa-49a360fbb7f7/

SH256 hash:

5aa536fddd85f56a15349992de55d422a379ba2f5ee5e16bc6311d4c6471fddb

MD5 hash:

0dec37509a6328db793b1708d9f97e1c

SHA1 hash:

ce8ecfa888c58bf7bda7de201c6c225050ab65c9

Link:

https://www.unpac.me/results/52cc635d-2638-46a9-a5aa-49a360fbb7f7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5aa536fddd85f56a15349992de55d422a379ba2f5ee5e16bc6311d4c6471fddb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MALWARE_Win_QuasarStealer Create hunting rule
Author:	ditekshen
Description:	Detects Quasar infostealer

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Vermin_Keylogger_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Vermin Keylogger
Reference:	https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/