MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 784ed80931d639300835a664cc07fa838cb984e3a910aa6568dfb9820e73cba3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 11

SHA256 hash: 784ed80931d639300835a664cc07fa838cb984e3a910aa6568dfb9820e73cba3
SHA3-384 hash: 413d60b65bbbf665f3a87a33bf6b1cf393b283e5fef362f100b654e6f49b2619f65790058a09b4c92cb4e7a0f8bf9d19
SHA1 hash: cd887577c2d7618cce98a85ea319c2b23cdd51ca
MD5 hash: 75e7308aacb22402184d08ee9712f89b
humanhash: arkansas-fourteen-ceiling-network
File name: 75e7308aacb22402184d08ee9712f89b
Signature: QuasarRAT
File size: 691'200 bytes
First seen: 2021-06-24 14:04:03 UTC
Last seen: 2021-06-24 14:50:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 12288:POenhIZmIhluNdH8jNOkwfnx77DzjlhLgqpDktB1DW74xbxH2U:POwIYIh+H8Bhwflfz5dgqpDEDI4BxH2U
Threatray: 140 similar samples on MalwareBazaar
TLSH: D7E44A61AE9BC9DEC26FE23F9005DC46689FCF060A9352D48B853EB9B3B11135D216D3
Reporter: zbetcheckin
Tags: 32 exe QuasarRAT

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
91.109.176.5:5490    https://threatfox.abuse.ch/ioc/153284/

Intelligence


File Origin
# of uploads: 2
# of downloads: 146
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 75e7308aacb22402184d08ee9712f89b
Verdict: Malicious activity
Analysis date: 2021-06-24 14:06:12 UTC
Tags: trojan rat quasar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Quasar RAT
Behaviour
Behavior Graph ID: 439951
Sample: gz0QHRgLW9
Start date: 24/06/2021
Architecture: WINDOWS
Score: 100

Sample-level network contacts: societyf500.ddns.net; tools.keycdn.com; 3 other IPs or domains
Sample-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures

Process tree (numbers in brackets are the graph's process node IDs; network entries are listed as the graph gives them: host, IP, ports, AS name, country):

NV.exe [12]
  dropped: C:\Users\user\AppData\Local\Temp\NV.exe (PE32); C:\Users\user\...\NV.exe:Zone.Identifier (ASCII)
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions
  NV.exe [20]
    network: nagano-19599.herokussl.com; api.ipify.org
    signatures: Multi AV Scanner detection for dropped file; May check the online IP address of the machine; Machine Learning detection for dropped file
    cmd.exe [34]
      signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
      NV.exe [39]
        signatures: Injects a PE file into a foreign processes
        NV.exe [56]
          network: societyf500.ddns.net; tools.keycdn.com
          signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
          cmd.exe [64]
            signatures: Uses ping.exe to sleep
            NV.exe [69]
              dropped: C:\Users\user\AppData\Local\NV.exe (PE32)
              signatures: Injects a PE file into a foreign processes
            conhost.exe [73]
            chcp.com [75]
            PING.EXE [77]
      conhost.exe [42]
      chcp.com [44]
      PING.EXE [46]
gz0QHRgLW9.exe [16]
  dropped: C:\Users\user\AppData\...\gz0QHRgLW9.exe (PE32); C:\Users\...\gz0QHRgLW9.exe:Zone.Identifier (ASCII); C:\Users\user\...\NV.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\gz0QHRgLW9.exe.log (ASCII)
  gz0QHRgLW9.exe [24]
    network: societyf500.ddns.net, 91.109.176.5, 49726, 49732, 49738, IELOIELOMainNetworkFR, France; tools.keycdn.com, 185.172.148.96, 443, 49728, 49733, PROINITYPROINITYDE, Germany; 4 other IPs or domains
    signatures: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
NV.exe [18]
  signatures: Injects a PE file into a foreign processes
  NV.exe [26]
    network: 23.21.136.132, 443, 49740, AMAZON-AESUS, United States; 2 other IPs or domains
    signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
    cmd.exe [37]
      NV.exe [48]
        NV.exe [60]
          network: societyf500.ddns.net; 54.225.165.85, 443, 49751, 49755, AMAZON-AESUS, United States; 4 other IPs or domains
          cmd.exe [67]
        NV.exe [62]
      conhost.exe [50]
      chcp.com [52]
      PING.EXE [54]
  NV.exe [28]
  NV.exe [30]
  NV.exe [32]
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-06-24 14:04:18 UTC
File Type: PE (.Net Exe)
Extracted files: 30
AV detection: 17 of 29 (58.62%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:quasar persistence spyware trojan

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Quasar Payload
Quasar RAT
Unpacked files
SHA256 hash: 4e410ca863eb1240b5e61c20220ae1049ab1cecf5a64aec1edb4ed600967f470
MD5 hash: 2802a77d4302323f43b398e5ede4a8bf
SHA1 hash: 757b91beeeda80ae3022f90469dd4b09a5c0c5e2

SHA256 hash: 783d5cb11a9afa94da2b3659abce084cca1bb9721e1c2607af845c21dc79ff96
MD5 hash: 90697c0425f9b35763bda9789ac0aff1
SHA1 hash: 5b479af7f82ebab318a072e4b64e7391f63a552f

SHA256 hash: ecd9efe0c01a9455a37c97b522dc59f3c0a898f15c2c202353dd09f913b78c79
MD5 hash: 8c949071e1590a35549379eb6bd49666
SHA1 hash: 16daaf1e38e7872c22c420d2785a7c64d7eed9d5

SHA256 hash: 784ed80931d639300835a664cc07fa838cb984e3a910aa6568dfb9820e73cba3
MD5 hash: 75e7308aacb22402184d08ee9712f89b
SHA1 hash: cd887577c2d7618cce98a85ea319c2b23cdd51ca

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: CAP_HookExKeylogger
Author: Brian C. Bell -- @biebsmalwareguy
Reference: https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: MALWARE_Win_QuasarStealer
Author: ditekshen
Description: Detects Quasar infostealer

Rule name: MAL_QuasarRAT_May19_1
Author: Florian Roth
Description: Detects QuasarRAT malware
Reference: https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Vermin_Keylogger_Jan18_1
Author: Florian Roth
Description: Detects Vermin Keylogger
Reference: https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Web download
QuasarRAT
Executable exe 784ed80931d639300835a664cc07fa838cb984e3a910aa6568dfb9820e73cba3 (this sample)

Delivery method: Distributed via web download