MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 724ff8546f194ffa5aadb446a00a6476aceedda46114bb9ad8f8ad9f32e27493. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 10 File information Comments 1

SHA256 hash:	724ff8546f194ffa5aadb446a00a6476aceedda46114bb9ad8f8ad9f32e27493
SHA3-384 hash:	31b6e6fde53e3df6ded55e91c10b2ae55dbde85d192502636e0c3d6442c77faf7216a280a8d97660d4efdccb7b0f0f60
SHA1 hash:	e645bcfa5bbd61818ca6d9cc651bfd256c857b38
MD5 hash:	41eb4ab1efca9fb7f1c9a56eaf72b3c1
humanhash:	gee-rugby-kansas-charlie
File name:	41eb4ab1efca9fb7f1c9a56eaf72b3c1
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	9'148'416 bytes
First seen:	2022-07-21 11:35:04 UTC
Last seen:	2022-07-22 11:22:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	196608:DK67iZRRrTpioJekPFbHAlnNMHslwFUrnTWpB8xScxP9yoEvHCWL:+6KgkPFpHs8UfA49uvHP
Threatray	355 similar samples on MalwareBazaar
TLSH	T1CD9633635368EAB7E1FD2236E0B5030A0BB1A159B701E3DBBA6C11785C7A3C19D517B3
TrID	59.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 13.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 8.6% (.EXE) Win64 Executable (generic) (10523/12/4) 5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	zbetcheckin
Tags:	32 exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

336

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/293162/

Detection(s):

Win.Packed.Generic-9829635-0

Win.Packed.Generic-9830106-0

Win.Trojan.Generic-6295765-0

Win.Malware.Generic-6623004-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Setting a keyboard event handler

Creating a file in the %AppData% subdirectories

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

75%

Tags:

anti-vm fingerprint greyware keylogger packed quasar quasarrat rat shell32.dll stealer stealer

Link:

https://www.filescan.io/uploads/62d93a37f56fa6e45df813b6/reports/f00a03d0-8f78-44fc-9347-63216854d491/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Quasar RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3c41f7aa-415c-4e96-87b9-02fc20f2c3d8

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1038548

Signature

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Generic Downloader

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

quasar

Link:

https://mwdb.cert.pl/sample/724ff8546f194ffa5aadb446a00a6476aceedda46114bb9ad8f8ad9f32e27493/

Threat name:

ByteCode-MSIL.Trojan.Quasar

Status:

Malicious

First seen:

2022-07-21 11:36:16 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 25 (88.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ojh7qvdpdfh7uwvnwrdkacteo2wo5xnemeklxgwy7cwz6mxcosjq._file

Verdict:

malicious

QuasarRAT

189dfc7eca70dc08e242e9079d35198826b189f27e919aaf13c4482a763ae1a3

QuasarRAT

539e45b1f7d67766a32c951c59325d4e045892da59661b2b569a3389a1ff6f5e

QuasarRAT

66c0b3969424c37bc46498d8f51e9cd6c82ac5a66b50302fa1d13a4ac2d82e6d

QuasarRAT

695722bddb32724a102d8d12aca0ebc841c4944f52632c3ea595941a6e988759

QuasarRAT

6ff685e5acfd946101b558f9f9d47a0d515c62e7476f5f83694609d64343315e

QuasarRAT

8b21d5d222c521b730f85690aa3f88c00b2c9ce7e8b208564509e093b5eed814

QuasarRAT

99a6c8e156dba4fda6e2b6ca0802cc08d49556b489e97618e565768329521413

QuasarRAT

b2cc06da4ded75a02683e73536f3a0af671b55bc28c9a2627d7afdaac66b9e32

QuasarRAT

+ 345 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar botnet:blackmagic design spyware suricata trojan

Link:

https://tria.ge/reports/220721-nqkylsffbm/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Looks up external IP address via web service

Quasar RAT

Quasar payload

suricata: ET MALWARE Common RAT Connectivity Check Observed

Malware Config

C2 Extraction:

manecraft.giize.com:1980

Unpacked files

SH256 hash:

724ff8546f194ffa5aadb446a00a6476aceedda46114bb9ad8f8ad9f32e27493

MD5 hash:

41eb4ab1efca9fb7f1c9a56eaf72b3c1

SHA1 hash:

e645bcfa5bbd61818ca6d9cc651bfd256c857b38

Link:

https://www.unpac.me/results/ae7b9a19-1355-4a13-96b2-c1e7ed10ba88/

Malware family:

xRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/724ff8546f19/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/724ff8546f194ffa5aadb446a00a6476aceedda46114bb9ad8f8ad9f32e27493

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	malware_Quasar_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect QuasarRAT in memory

Rule name:	MALWARE_Win_QuasarRAT Create hunting rule
Author:	ditekSHen
Description:	QuasarRAT payload

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	MAL_QuasarRAT_May19_1_RID2E1E Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	pe_imphash Create hunting rule

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Quasar_RAT_1_RID2B54 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf