MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 5dcd1649d97e0da882778ec70677be52b49603b6596b044518f02c278d93d0f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
QuasarRAT
Vendor detections: 8
| SHA256 hash: | 5dcd1649d97e0da882778ec70677be52b49603b6596b044518f02c278d93d0f2 |
|---|---|
| SHA3-384 hash: | 9be1d2794db5a40101dd84fe9ef106012eab79f32f50478cc334af8fd38f87c567c7d8c12547eb7cbe9f2420e8a7d2c8 |
| SHA1 hash: | a63fa3cc878efe75ecf849111c3e3d417fef4fdd |
| MD5 hash: | dc8d9c9a86fe4830053697c1dc59dc6f |
| humanhash: | sodium-carolina-two-three |
| File name: | CDC GUIDES COVID-19 Second Outbreak Warning release.scr |
| Download: | download sample |
| Signature | QuasarRAT |
| File size: | 645'440 bytes |
| First seen: | 2020-11-18 14:40:19 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger) |
| ssdeep | 12288:/4WN/IQY26pufbscH9POzQpGf2JUC5KJq7n8eUUI+PBUJXAXq:/Bb6ZcdOH2+CMJ2aiBUJXAXq |
| Threatray | 152 similar samples on MalwareBazaar |
| TLSH | 1AD412198F519122C3AD0E3B69D6EBB99BB5F9D97DD7EB8B308C51200AD63D10E06C07 |
| Reporter | Anonymous |
| Tags: | QuasarRAT |
Anonymous
Return-Path: <kerwin.john@slaspa.com>X-Envelope-From: <kerwin.john@slaspa.com>
Received: from zim-mta.slaspa.com (mail.slaspa.com [205.217.228.10])
From: CDC INFORMATION CENTER <kerwin.john@slaspa.com>
Subject: 2nd-COVID Outbreak Warning Alerts For Business Owners/Workers
X-Priority: 1
Importance: high
X-Originating-IP: [194.5.48.240]
X-Mailer: Zimbra 8.8.10_GA_3716 (ZimbraWebClient - GC86 (Win)/8.8.10_GA_3041)
------------
Quasar configuration:
VERSION: 1.3.0.0
HOST: devils.shacknet.us:4782
KEY: 1WvgEMPjdwfqIMeM9MclyQ==
AUTHKEY: NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==
ENCRYPTION KEY: YhO2jdxRbURgtYwRl6uT
TAG: more2020
Intelligence
File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:
Behaviour
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Creating a window
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Gathering data
Result
Threat name:
Quasar
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Infostealer.Maslog
Status:
Malicious
First seen:
2020-11-17 18:48:26 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Similar samples:
+ 142 additional samples on MalwareBazaar
Result
Malware family:
quasar
Score:
10/10
Tags:
family:quasar persistence spyware trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Quasar RAT
Unpacked files
SH256 hash:
84b38e8eebae4ada26b9544dcbf60c53e4865ab708f7c01c9d8d1990d822b5e2
MD5 hash:
d9ddd53e15b4696c3f4d6c917a400bd5
SHA1 hash:
187ceebbb34ac63d5b3cb15b6c848df82e3ba721
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
SH256 hash:
b7b266a86e2f5fc30e32dc4b7733fc53bc1bfd2aa7d0e6f87ccfac1b6ef498a1
MD5 hash:
a2fb76d03b9f22465492046f4723be9f
SHA1 hash:
bd7af913609f515cbe4028256a6a56b30ac8e066
SH256 hash:
c57af0f70350a4b328b4bbfa3305f09ee1b06e42a8eb8fcde46ce1a86efafa64
MD5 hash:
bb3aade09212fefef333a6853becdd79
SHA1 hash:
ff8c5242d60128523704e504fd01d17ae4cd8559
SH256 hash:
5dcd1649d97e0da882778ec70677be52b49603b6596b044518f02c278d93d0f2
MD5 hash:
dc8d9c9a86fe4830053697c1dc59dc6f
SHA1 hash:
a63fa3cc878efe75ecf849111c3e3d417fef4fdd
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Quasar
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Chrome_stealer_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Chrome in files like avemaria |
| Rule name: | CN_disclosed_20180208_KeyLogger_1 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects malware from disclosed CN malware set |
| Reference: | https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details |
| Rule name: | Keylog_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Contains Keylog |
| Rule name: | MAL_QuasarRAT_May19_1 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects QuasarRAT malware |
| Reference: | https://blog.ensilo.com/uncovering-new-activity-by-apt10 |
| Rule name: | MSILStealer |
|---|---|
| Author: | https://github.com/hwvs |
| Description: | Detects strings from C#/VB Stealers and QuasarRat |
| Reference: | https://github.com/quasar/QuasarRAT |
| Rule name: | Quasar |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect QuasarRAT in memory |
| Rule name: | Quasar_RAT_1 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Quasar RAT |
| Reference: | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
| Rule name: | Quasar_RAT_2 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Quasar RAT |
| Reference: | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
| Rule name: | Select_from_enumeration |
|---|---|
| Author: | James_inthe_box |
| Description: | IP and port combo |
| Rule name: | Vermin_Keylogger_Jan18_1 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Vermin Keylogger |
| Reference: | https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/ |
| Rule name: | xRAT_1 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Patchwork malware |
| Reference: | https://goo.gl/Pg3P4W |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
2a419914456b765c0d655c6e7676d1c5d01d499ca5607b6bb5f43e961566720f
Dropped by
MD5 2d5b9dead014ec5e204ffc1dafe5724f
Dropped by
SHA256 2a419914456b765c0d655c6e7676d1c5d01d499ca5607b6bb5f43e961566720f
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.