MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65938e02d2a41a676e7883789f03b13aa9b311ec7c30450448f143a24058e1f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65938e02d2a41a676e7883789f03b13aa9b311ec7c30450448f143a24058e1f9
SHA3-384 hash: ef7fb6fce4d846b70124a9cf58827b160f279c599fab1a20608c44faa875c717a20908a7b0b2858485c2f07cd6645ceb
SHA1 hash: 38f3861b3e28ffe6cdf94aafd41b89ea33ba980d
MD5 hash: 53c73b2d8e6eb9b663efd5f39ba0ef7e
humanhash: kilo-wyoming-vegan-hamper
File name:Uni.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:8'352'768 bytes
First seen:2023-01-27 10:04:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 62 x Rhadamanthys)
ssdeep 196608:JxANmrFNNBahCXpkMcrZHr97mJ10UzZWDxjhAL:JxiG3ahC5M9HhaxqG
Threatray 2'243 similar samples on MalwareBazaar
TLSH T19F8633C3A2B4B1CAD9794F3845A783A75F37BD0B1240CADFA69444864EB22DD9070BD7
TrID 83.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
6.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.8% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter r3dbU7z
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Uni.exe
Verdict:
Malicious activity
Analysis date:
2023-01-27 10:07:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/76c473d8-b9c1-42fd-a3d2-a6d00f5ea437

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/357350/
Detection(s):
SecuriteInfo.com.decompression.bomb.29185.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Searching for the window
Creating a process from a recently created file
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Launching a process
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Creating a window
Searching for synchronization primitives
Сreating synchronization primitives
Creating a process with a hidden window
Setting browser functions hooks
Launching a tool to kill processes
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/63391/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/63d3a1d0447edb203a016720/reports/dd440685-bcf4-4cd2-9047-051c99d68e7e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/151073d6-1afe-478c-9e13-353e093271e9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1160129
Signature
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Renames powershell.exe to bypass HIPS
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Very long command line found
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 792866 Sample: Uni.exe Startdate: 27/01/2023 Architecture: WINDOWS Score: 100 72 Multi AV Scanner detection for submitted file 2->72 74 Suspicious powershell command line found 2->74 76 Very long command line found 2->76 78 6 other signatures 2->78 11 Uni.exe 1 3 2->11         started        14 $sxr-powershell.exe 14 2->14         started        16 rundll32.exe 2->16         started        process3 file4 70 C:\Users\user\AppData\Local\Temp\...\Uni.bat, DOS 11->70 dropped 18 cmd.exe 2 11->18         started        22 conhost.exe 14->22         started        process5 file6 60 C:\Users\user\AppData\Local\...\Uni.bat.exe, PE32+ 18->60 dropped 80 Uses ping.exe to sleep 18->80 82 Uses ping.exe to check the status of other devices and networks 18->82 84 Renames powershell.exe to bypass HIPS 18->84 24 Uni.bat.exe 1 22 18->24         started        28 conhost.exe 18->28         started        signatures7 process8 file9 62 C:\Windows\$sxr-powershell.exe, PE32+ 24->62 dropped 64 C:\Windows\System32\vcruntime140d.dll, PE32+ 24->64 dropped 66 C:\Windows\System32\vcruntime140_1d.dll, PE32+ 24->66 dropped 68 C:\Windows\System32\ucrtbased.dll, PE32+ 24->68 dropped 88 Suspicious powershell command line found 24->88 90 Very long command line found 24->90 92 Drops executables to the windows directory (C:\Windows) and starts them 24->92 94 4 other signatures 24->94 30 dllhost.exe 24->30         started        33 cmd.exe 24->33         started        35 $sxr-powershell.exe 13 24->35         started        37 2 other processes 24->37 signatures10 process11 signatures12 96 Injects code into the Windows Explorer (explorer.exe) 30->96 98 Writes to foreign memory regions 30->98 100 Creates a thread in another existing process (thread injection) 30->100 102 Injects a PE file into a foreign processes 30->102 39 lsass.exe 30->39 injected 42 winlogon.exe 30->42 injected 44 svchost.exe 30->44 injected 54 26 other processes 30->54 104 Uses ping.exe to sleep 33->104 46 conhost.exe 33->46         started        48 PING.EXE 33->48         started        50 taskkill.exe 33->50         started        52 attrib.exe 33->52         started        process13 signatures14 86 Writes to foreign memory regions 39->86 56 MpCmdRun.exe 39->56         started        process15 process16 58 conhost.exe 56->58         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65938e02d2a41a676e7883789f03b13aa9b311ec7c30450448f143a24058e1f9/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mwjy4awsuqngo3tyqn4j6a5rhku3gepmpqyekbci6fb2eqcy4h4q._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
11206a9fa78626e149a374311542494bd0b438896091cd6e5011f7e11c074ea7
QuasarRAT
13f8728b95a9ca527c725c440726814ffbc88eeaf9323e50958fa3a8df969372
QuasarRAT
1e6ad44f556fd90565bd2318291f94e5250306c5e988343ff259c6b4cb466f53
QuasarRAT
211abb138fdb4df615ae9d97a39fd06c29d7140da2ea5192ab92b6ec94e0cd61
QuasarRAT
266aa1bf199f3bd82bc8e708c177aeef4808e31c439f87d69b68efb8e07da996
QuasarRAT
3e85b31ff1780031f94570fc9801b6a886564a4caa2acc360d2c65f29b22dbb5
QuasarRAT
3e8cd0eb4715ef2b9f3b9f676b90eb16b0842d289a34fdd41e46c106a845d983
QuasarRAT
8f22fed63b011354380ce229b053b3b9167d66d37506acd6288886cf526edefe
QuasarRAT
acb5fd38a1242912e31423cb90abddbd78cb39ed19efe4768b70af99092f1328
QuasarRAT
+ 2'233 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/230127-l4g3rsab64/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
65938e02d2a41a676e7883789f03b13aa9b311ec7c30450448f143a24058e1f9
MD5 hash:
53c73b2d8e6eb9b663efd5f39ba0ef7e
SHA1 hash:
38f3861b3e28ffe6cdf94aafd41b89ea33ba980d
Link:
https://www.unpac.me/results/d72fdd04-59fb-40e8-85f5-9b8f316692bb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65938e02d2a41a676e7883789f03b13aa9b311ec7c30450448f143a24058e1f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AlternativesExample1
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 65938e02d2a41a676e7883789f03b13aa9b311ec7c30450448f143a24058e1f9

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/357350/

Comments