MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c627ab23daa708e73eae534919c3f6494331df0dca30ab67047e0ec65182495. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 9

SHA256 hash: 5c627ab23daa708e73eae534919c3f6494331df0dca30ab67047e0ec65182495
SHA3-384 hash: 184579ee992e139702051df3f0cc469e1d26056bff5baa5e01d50f38b96dff0de1d7bd968a47ec92598f89baea8083f5
SHA1 hash: 837c64df4a5abee07f0f25732d5ce2d17017c990
MD5 hash: 54c95d530834d4a28a4dcb583d61abc3
humanhash: november-california-michigan-winter
File name: 54c95d530834d4a28a4dcb583d61abc3.exe
Signature: QuasarRAT
File size: 716'288 bytes
First seen: 2021-06-30 06:21:26 UTC
Last seen: 2021-06-30 06:48:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:XEFVzMFtW9NM4qpF0pnnntQxug9UzFpp61u2oHB12U:ca14CFQnn86NS9Q2U
Threatray: 71 similar samples on MalwareBazaar
TLSH: E7E469909EEFDDDEC26F323FA05A0D9215EEC306074792E58B464E74B3852278D661E3
Reporter: abuse_ch
Tags: exe QuasarRAT RAT


abuse_ch
QuasarRAT C2:
91.109.176.4:5490

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 91.109.176.4:5490
ThreatFox reference: https://threatfox.abuse.ch/ioc/156073/

Intelligence


File Origin
# of uploads: 2
# of downloads: 170
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 54c95d530834d4a28a4dcb583d61abc3.exe
Verdict: Malicious activity
Analysis date: 2021-06-30 06:22:47 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Quasar RAT
Behaviour
[Behavior graph: ID 442199, sample 4FXnze0OAN.exe, start date 30/06/2021, architecture WINDOWS, score 100; process tree and network graph rendered as an image on the original page]
Result
Malware family:
Score: 10/10
Tags: family:quasar botnet:office04w persistence spyware trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Quasar Payload
Quasar RAT
Malware Config
C2 Extraction: societyf500.ddns.net:5490
Unpacked files
SHA256 hash: 8079c57a85f96526d1d7628ef867d90580e3a95442f363fd23bc06fec740e326
MD5 hash: e8658ac231c3a37363f1948385b1ced6
SHA1 hash: e05b778443b8beed7766b546b61dd877e1d33c1c

SHA256 hash: d44898629283726c7a4ef5895eec381c2e7772554b9dc32dd433a742435997a3
MD5 hash: b46373d4cad2b195748678ca224adb8d
SHA1 hash: aa29a402be7f13981956845b17f1511ea08dd2d5

SHA256 hash: 299cba80cf72b0e575295dace32718c5e785855c4d3da462c0d453bdf89a5023
MD5 hash: 9deb771d320cf88a894c209a84799716
SHA1 hash: 8e875e1da24167a50a5f9f3df90b58c70a0d36a9

SHA256 hash: 5c627ab23daa708e73eae534919c3f6494331df0dca30ab67047e0ec65182495
MD5 hash: 54c95d530834d4a28a4dcb583d61abc3
SHA1 hash: 837c64df4a5abee07f0f25732d5ce2d17017c990
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: CAP_HookExKeylogger
Author: Brian C. Bell -- @biebsmalwareguy
Reference: https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_GENInfoStealer
Author: ditekSHen
Description: Detects executables containing common artifacts observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: MALWARE_Win_QuasarStealer
Author: ditekshen
Description: Detects Quasar infostealer

Rule name: MAL_QuasarRAT_May19_1
Author: Florian Roth
Description: Detects QuasarRAT malware
Reference: https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name: pe_imphash

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Vermin_Keylogger_Jan18_1
Author: Florian Roth
Description: Detects Vermin Keylogger
Reference: https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Malware family: QuasarRAT
File: Executable exe 5c627ab23daa708e73eae534919c3f6494331df0dca30ab67047e0ec65182495 (this sample)

Comments