MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c46967283614668bec2472cc6c95a8983ac5e78cc7c03db2242cdc026d9159b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c46967283614668bec2472cc6c95a8983ac5e78cc7c03db2242cdc026d9159b
SHA3-384 hash: b3700f37546081a67079c82f5e07eb8fc54caa59edcfd0e7c3bcd56388e8d38ce2dab26140d8fe08f03ef979b6d27f6b
SHA1 hash: f46b157a54ff616a5d91e4890afda8542f4b2ac3
MD5 hash: 3dd582fa094ed1d860fc4f31fa8d660a
humanhash: delta-snake-idaho-burger
File name:@Yoricure.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:24'775'680 bytes
First seen:2023-06-17 18:12:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 96c44fa1eee2c4e9b9e77d7bf42d59e6 (4 x Hive, 4 x CobaltStrike, 3 x Snake)
ssdeep 49152:KpXVo0nS3/K3Jjkz3jBk55UeXBqFMGIWqs/9qICJ5eV1HEYoTNscG8O/E0xjT/3p:uVobzeMb
TLSH T1C4472306BEE518B6CBF8F33104A62B603B75B459432677C32E9456BE1D1EBA41D2F324
gimphash f69e52e5ff7acf53742b486b01534833c45ccc9284d1b261295bf88520c5ffc5
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter obfusor
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
HK HK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
@Yoricure.exe
Verdict:
Malicious activity
Analysis date:
2023-06-17 18:15:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/48698d49-96da-4011-b94b-591ac5197fb2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
ditekSHen.MALWARE.Win.Ransomware.Nemty.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending a custom TCP request
Creating a window
Moving of the original file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/91197/overview
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
golang gomal greyware warp
Link:
https://www.filescan.io/uploads/648df7b045f8378ac0425c9b/reports/b73125c3-708c-444e-98c8-c16a6641e228/overview
Verdict:
Malicious
Labled as:
Trojan.Agent
Link:
https://www.hybrid-analysis.com/sample/5c46967283614668bec2472cc6c95a8983ac5e78cc7c03db2242cdc026d9159b
Result
Verdict:
MALICIOUS
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1256570
Signature
Detected unpacking (changes PE section rights)
Drops PE files to the user root directory
Drops PE files with benign system names
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
PE file has a writeable .text section
Tries to detect virtualization through RDTSC time measurements
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 889590 Sample: @Yoricure.exe Startdate: 17/06/2023 Architecture: WINDOWS Score: 88 33 Yara detected Quasar RAT 2->33 35 PE file has a writeable .text section 2->35 7 @Yoricure.exe 2 2->7         started        11 Miscorsoft.exe 2 2->11         started        13 Miscorsoft.exe 2 2->13         started        15 2 other processes 2->15 process3 file4 27 C:\Users\user\Desktop\csrss.exe, PE32+ 7->27 dropped 29 C:\Users\Public\Miscorsoft.exe, PE32 7->29 dropped 45 Drops PE files to the user root directory 7->45 47 Drops PE files with benign system names 7->47 17 Miscorsoft.exe 2 2 7->17         started        21 cmd.exe 1 7->21         started        49 Hides threads from debuggers 11->49 signatures5 process6 dnsIp7 31 61.139.65.135, 49715, 49716, 49717 CHINANET-SCIDC-AS-APCHINANETSiChuanTelecomInternetData China 17->31 37 Multi AV Scanner detection for dropped file 17->37 39 Detected unpacking (changes PE section rights) 17->39 41 Machine Learning detection for dropped file 17->41 43 2 other signatures 17->43 23 conhost.exe 21->23         started        25 csrss.exe 21->25         started        signatures8 process9
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lrdjm4udmfdgrpwci4wmnsk2rgb2yxtyzr6ahwzcilg4ajwzcwnq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230617-wtqx2acb8s/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.73
Link:
https://yomi.yoroi.company/submissions/5c46967283614668bec2472cc6c95a8983ac5e78cc7c03db2242cdc026d9159b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:MAL_BackNet_Nov18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects BackNet samples
Reference:https://github.com/valsov/BackNet
Rule name:MAL_BackNet_Nov18_1_RID2D6D
Create hunting rule
Author:Florian Roth
Description:Detects BackNet samples
Reference:https://github.com/valsov/BackNet
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Description:Detects QuasarRAT malware
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments