MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e5123bf4f9727b4333d5b98b943b3e4f44f23084f18c3739e0d3ce99646ec94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	6e5123bf4f9727b4333d5b98b943b3e4f44f23084f18c3739e0d3ce99646ec94
SHA3-384 hash:	6dc653045d15803a538eadbea5392b332370409d28b6820d7b40b632d3d0eff39d3390f18bb328fc28dc73f06dbaab84
SHA1 hash:	ae65d47abb738e904e64b9899091750fa0646189
MD5 hash:	f4f62d7b40a4f994e31023102369b8eb
humanhash:	uranus-hydrogen-lemon-video
File name:	testtestnigga.bin
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	351'670 bytes
First seen:	2022-07-12 11:53:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:fo8NmY084RfSd6qnwMkWNmrAyu2JPKkPzf2xD1CWLngJpYZtdhAN2H/:fo8kNRenjZ4fZJPfchnt7cu
Threatray	2'918 similar samples on MalwareBazaar
TLSH	T1E1742382D2AD03EDFC325CFFA825B1DD1D54A55E0C0393E178916A891C3AB096F36F66
TrID	52.9% (.EXE) Win32 Executable (generic) (4505/5/1) 23.5% (.EXE) Generic Win/DOS Executable (2002/3) 23.5% (.EXE) DOS Executable Generic (2000/1)
Reporter	JAMESWT_WT
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

369

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

quasar

ID:

File name:

testtestnigga.exe

Verdict:

Malicious activity

Analysis date:

2022-07-12 11:45:59 UTC

Tags:

quasar evasion trojan rat

Link:

https://app.any.run/tasks/089e9784-9bc0-47bb-b5a2-2fd6d46b6078

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/286601/

Detection(s):

Win.Trojan.Generic-6898101-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a file

Setting a keyboard event handler

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Query of malicious DNS domain

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated overlay packed packed

Link:

https://www.filescan.io/uploads/62cd611c8cb06ef4b0a19f3e/reports/2a069fad-8671-4d30-87fc-ea6fbc605e75/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dcb4c76c-57d4-48a0-959b-db9a52a42ca5

Result

Threat name:

Blackshades, Quasar

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1029414

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Deletes shadow drive data (may be related to ransomware)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Blackshades RAT

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6e5123bf4f9727b4333d5b98b943b3e4f44f23084f18c3739e0d3ce99646ec94/

Threat name:

ByteCode-MSIL.Trojan.Quasar

Status:

Malicious

First seen:

2022-07-12 11:54:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nzishp2ps4t3imz5lomlsq5t4t2e6iyij4mmg446bu6otfsg5ska._file

Verdict:

malicious

QuasarRAT

4a78da86088eed90bd838d99d1afd5ceaca6c9c521be450639670f6d06a7fe77

QuasarRAT

4f5eb87739916022c23a6291aaac32e86cef1d92cd9bcf67ec0ed357f1672ca1

QuasarRAT

70d86fc8d1247dcd26ed0927411614973d45216d676978f768e14cb16d362536

QuasarRAT

8bc03680f98a99ea21d78a4a132be678f848a7209efa0656123745fba54fae03

QuasarRAT

9dd91a17703dba0d4582e24431c17eac4fdca602ea8d14f4f43afcc2657b3bbc

QuasarRAT

d4f72d2182411da7606c634ee11876aafb6230f620c36921288c5de1f8d2f795

QuasarRAT

ed190afc14d4389527347867538df5949d132ce9d5da7c323e8812b08c0242be

QuasarRAT

f0b43b05479d8dde3603ef587da02925b703d7d5bc8332656ab9ca7f7e1554a4

QuasarRAT

+ 2'908 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar spyware suricata trojan

Link:

https://tria.ge/reports/220712-n2vxyshaam/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Executes dropped EXE

Quasar RAT

suricata: ET MALWARE Common RAT Connectivity Check Observed

Unpacked files

SH256 hash:

c4918da450a2f69cb83c5c3055b993cb9f8f56af7ca9748ab99cc4e05d9ca604

MD5 hash:

aa4556c62b1420faf2bb87db5ab9e981

SHA1 hash:

3c79f12faefb52b6481c76a4f9672160348026f0

Link:

https://www.unpac.me/results/a20cba9e-28c2-4253-9387-a7ab33f5db72/

SH256 hash:

6e5123bf4f9727b4333d5b98b943b3e4f44f23084f18c3739e0d3ce99646ec94

MD5 hash:

f4f62d7b40a4f994e31023102369b8eb

SHA1 hash:

ae65d47abb738e904e64b9899091750fa0646189

Link:

https://www.unpac.me/results/a20cba9e-28c2-4253-9387-a7ab33f5db72/

Malware family:

xRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6e5123bf4f97/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6e5123bf4f9727b4333d5b98b943b3e4f44f23084f18c3739e0d3ce99646ec94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/286601/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample