MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b441845c2a6dd856d00a56b6dc812a13da0fee80a10e55ed7afd103914e6513. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	5b441845c2a6dd856d00a56b6dc812a13da0fee80a10e55ed7afd103914e6513
SHA3-384 hash:	45cacfddb9e541f324c1a0e04f3bdd8d79ead5efe914cf252b220b4ba92e42a5ce0ee47e91c5fa3f548f51ea3d8c2bec
SHA1 hash:	511e05c074d020b2544361edd9228cb74ff3d3f9
MD5 hash:	a6904914ceeccd8db0aa9c48e74a38de
humanhash:	low-quebec-colorado-alaska
File name:	file
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	423'936 bytes
First seen:	2020-02-26 01:21:10 UTC
Last seen:	2020-02-27 13:45:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'854 x AgentTesla, 19'783 x Formbook, 12'304 x SnakeKeylogger)
ssdeep	6144:rpNHXf500M01HGAeLs9hbIArtSOwO5mFu17:Fd50MHGAeUPrDpMFu17
Threatray	78 similar samples on MalwareBazaar
TLSH	56947C137394953FD1FE173AA43285150BB4DD467632E3AB5A4872BA6C333868E523B3
Reporter	johannes
Tags:	Emotet QuasarRAT

viql

quasarrat via https://pastebin.com/raw/vavDLuf4

Intelligence

File Origin

# of uploads :

# of downloads :

156

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Generic-6295765-0

Win.Malware.Generic-6623004-0

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Tinclex

Status:

Malicious

First seen:

2020-02-28 13:13:49 UTC

AV detection:

37 of 47 (78.72%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lncbqrocu3oyk3iauvvw3sasue62b7xibiiokxwxv7iqhekomujq._file

Verdict:

malicious

QuasarRAT

1f39ddbeb7fb355469a2ccc2cffda9006ca641562dc8dd300e855bb2fe2e33de

QuasarRAT

2fd0f9d77de102d8b53f3d38eb559d2cd0d0e9f4ba3cfbc042f952367b5ca65e

QuasarRAT

588eb55b57e118fbee66a6d0586de453ea4e0ae1a781c73e1bbe10e8e24641fc

QuasarRAT

5eb26eb056480f6083f7565a572b2dd6ebc992a99d8220dbf0d736c7b4a12077

QuasarRAT

8fcf4d1528f2945b751c3d9035e17f7143fdbc94ef687f5c9e4e35d892c5922b

QuasarRAT

960ee0a08a3b542c30baa19546f38f1eeeab56543997dc338e79273b0dcecc23

QuasarRAT

a4e79d826cc13a421a5b3b785413d92254992bceb6d392c72de16b61653b346f

QuasarRAT

ba9fd12aa57da28572f82eb2010a44b89a9cc1c9738f801fec02f44857163b8f

QuasarRAT

d478602bac8b8f334f06644dd92fbe60cbba6815ced96503c7aab4df6f305e77

QuasarRAT

+ 68 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar spyware trojan

Link:

https://tria.ge/reports/201109-dmezbn1prs/

Behaviour

Creates scheduled task(s)

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Drops file in System32 directory

Looks up external IP address via web service

Loads dropped DLL

Drops file in Drivers directory

Executes dropped EXE

ServiceHost packer

Quasar RAT

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5b441845c2a6dd856d00a56b6dc812a13da0fee80a10e55ed7afd103914e6513

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample