MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ba2419d74a5a9c7ef362bf40d0e1563bd02fd16fada16c8da39cf178c6306be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ba2419d74a5a9c7ef362bf40d0e1563bd02fd16fada16c8da39cf178c6306be
SHA3-384 hash: dd3e4ae17d2920fcceb06e97fe8d6121624c890b1f08b6c26c27134c93ab72dc25b70ff82f70ed6d302ae41560376108
SHA1 hash: dbaffa440634ce2503fba0b54731c19bd6cc77d5
MD5 hash: 4057325c09951e44b67ff0613a47bd97
humanhash: robert-kitten-oxygen-juliet
File name:4057325C09951E44B67FF0613A47BD97.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:701'952 bytes
First seen:2021-06-23 18:16:17 UTC
Last seen:2021-06-23 18:46:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:QUxnxkSnOIflLzvoSgKcDKOG0HYjYwKQ25CpZhHs2U:Bxxxfl3dINEkdLgBs2U
Threatray 145 similar samples on MalwareBazaar
TLSH C8E44B61AE9FD9DEC22FE13F90059C46689FCF020AA352D58B423E74B3B11239D656D3
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
QuasarRAT C2:
91.109.188.6:5490

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.109.188.6:5490 https://threatfox.abuse.ch/ioc/152861/

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4057325C09951E44B67FF0613A47BD97.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-23 18:22:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d1eb7a86-932f-4100-a0ca-0baef1ae37e6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Inject4.12853.14639.26556.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e59f7fd-f26e-484d-9773-ad9d20040e81
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806783
Signature
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 439194 Sample: ww9bGQQ4ur.exe Startdate: 23/06/2021 Architecture: WINDOWS Score: 100 94 societyf500.ddns.net 2->94 96 tools.keycdn.com 2->96 98 3 other IPs or domains 2->98 130 Multi AV Scanner detection for domain / URL 2->130 132 Malicious sample detected (through community Yara rule) 2->132 134 Multi AV Scanner detection for submitted file 2->134 136 6 other signatures 2->136 13 NVA.exe 5 2->13         started        17 ww9bGQQ4ur.exe 1 7 2->17         started        19 NVA.exe 2->19         started        signatures3 process4 file5 82 C:\Users\user\AppData\Local\Temp82VA.exe, PE32 13->82 dropped 84 C:\Users\user\...84VA.exe:Zone.Identifier, ASCII 13->84 dropped 156 Multi AV Scanner detection for dropped file 13->156 158 Machine Learning detection for dropped file 13->158 160 Writes to foreign memory regions 13->160 21 NVA.exe 14 4 13->21         started        86 C:\Users\user\AppData\...\ww9bGQQ4ur.exe, PE32 17->86 dropped 88 C:\Users\...\ww9bGQQ4ur.exe:Zone.Identifier, ASCII 17->88 dropped 90 C:\Users\user\...90VA.exe:Zone.Identifier, ASCII 17->90 dropped 92 C:\Users\user\AppData\...\ww9bGQQ4ur.exe.log, ASCII 17->92 dropped 162 Injects a PE file into a foreign processes 17->162 25 ww9bGQQ4ur.exe 15 2 17->25         started        27 NVA.exe 19->27         started        29 NVA.exe 19->29         started        signatures6 process7 dnsIp8 140 Multi AV Scanner detection for dropped file 21->140 142 May check the online IP address of the machine 21->142 144 Machine Learning detection for dropped file 21->144 31 cmd.exe 21->31         started        100 societyf500.ddns.net 91.109.188.6, 49713, 49721, 49722 IELOIELOMainNetworkFR France 25->100 102 tools.keycdn.com 185.172.148.96, 443, 49717, 49724 PROINITYPROINITYDE Germany 25->102 110 4 other IPs or domains 25->110 146 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 25->146 104 54.243.175.83, 443, 49725, 49728 AMAZON-AESUS United States 27->104 106 nagano-19599.herokussl.com 27->106 108 api.ipify.org 27->108 148 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->148 34 cmd.exe 27->34         started        36 cmd.exe 29->36         started        signatures9 process10 signatures11 164 Uses ping.exe to sleep 31->164 166 Uses ping.exe to check the status of other devices and networks 31->166 38 NVA.exe 31->38         started        41 conhost.exe 31->41         started        43 chcp.com 31->43         started        45 PING.EXE 31->45         started        47 NVA.exe 34->47         started        49 conhost.exe 34->49         started        51 chcp.com 34->51         started        53 PING.EXE 34->53         started        55 3 other processes 36->55 process12 signatures13 150 Injects a PE file into a foreign processes 38->150 57 NVA.exe 38->57         started        61 NVA.exe 47->61         started        process14 dnsIp15 112 societyf500.ddns.net 57->112 114 tools.keycdn.com 57->114 120 3 other IPs or domains 57->120 152 Hides that the sample has been downloaded from the Internet (zone.identifier) 57->152 63 cmd.exe 57->63         started        116 societyf500.ddns.net 61->116 118 tools.keycdn.com 61->118 122 3 other IPs or domains 61->122 signatures16 process17 signatures18 168 Uses ping.exe to sleep 63->168 66 NVA.exe 63->66         started        70 conhost.exe 63->70         started        72 chcp.com 63->72         started        74 PING.EXE 63->74         started        process19 file20 80 C:\Users\user\AppData\Local80VA.exe, PE32 66->80 dropped 138 Injects a PE file into a foreign processes 66->138 76 NVA.exe 66->76         started        signatures21 process22 dnsIp23 124 societyf500.ddns.net 76->124 126 50.19.92.227, 443, 49742 AMAZON-AESUS United States 76->126 128 4 other IPs or domains 76->128 154 Hides that the sample has been downloaded from the Internet (zone.identifier) 76->154 signatures24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ba2419d74a5a9c7ef362bf40d0e1563bd02fd16fada16c8da39cf178c6306be/
Threat name:
ByteCode-MSIL.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2021-06-20 13:29:56 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=poredhluuwu4p3zwfp2a2dqvmo6qf7iw7lnbnsg2hhhrpddda27a._file
Verdict:
malicious
Similar samples:
0993337058dcc57bb0451776eb23ae1bb1fc7199f390fdb78ddb753482e276e2
QuasarRAT
323e1e5ac21cc87735d602fc125a76941651d8715fc171f503635758337a89bb
QuasarRAT
52309c4bfd0f4a78a05edff800c412760c488ef60f6709f6f9038dc1f315f17a
QuasarRAT
a73bae0022c8d7e7a0daf987bc193355748c960d3eba65059072687e8743c552
QuasarRAT
b3124db4cffc55f2d3ee216ea71ea422ad3d4d7ff025d068a4cc2261fa43e4b3
QuasarRAT
b74d77c359b3eea168c342dda78f18f8afaf6379763ca8221e91ebdf1673d4f0
QuasarRAT
bc57e420dec21d7e6a08748c9a531cbdbddf2251e656492521a4f16b692c23f5
QuasarRAT
d9f4e53838a43981dee675993924484cd508c1d6fe40d619694e313e9d1e6569
QuasarRAT
e89ac7128c7460388550f814595e09ab596db0f6f6c0588eb6efdac0e3302637
QuasarRAT
fc87713edf4f4aa23cf04040a4f47604550b4ca2da324c0c3daf4fdcac6fa17f
QuasarRAT
+ 135 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar persistence spyware trojan
Link:
https://tria.ge/reports/210623-vprafhc6ra/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Quasar Payload
Quasar RAT
Unpacked files
SH256 hash:
824f45aa00074fb4ab0af0dc4e062c4ec200de9e6e38f805eb33d13135b50d4e
MD5 hash:
d662f86718fdb180379652df88517e47
SHA1 hash:
c90c06f97f357b65115ae19c96a5ae330eaff5ee
Link:
https://www.unpac.me/results/2107e970-5ed4-4be3-89fe-0c8edbddb54f/
SH256 hash:
2cbbc8adf84919bd4ca5af7eb0656706bc64370020f99c9c54897ea5c5ab7028
MD5 hash:
cea63deeacc700248090ed1a219f7663
SHA1 hash:
b3a6458c99cb09ecd6193703521c8f297b7bc87b
Link:
https://www.unpac.me/results/2107e970-5ed4-4be3-89fe-0c8edbddb54f/
SH256 hash:
5cb877b0a089601b97937e6afb8f0e2baa4a15728e5fe102bff2563572a38169
MD5 hash:
fe4ef85418ac9e898f71a94ef42bcd15
SHA1 hash:
390d4465e12f54507bee5e50d2850843f137e129
Link:
https://www.unpac.me/results/2107e970-5ed4-4be3-89fe-0c8edbddb54f/
SH256 hash:
7ba2419d74a5a9c7ef362bf40d0e1563bd02fd16fada16c8da39cf178c6306be
MD5 hash:
4057325c09951e44b67ff0613a47bd97
SHA1 hash:
dbaffa440634ce2503fba0b54731c19bd6cc77d5
Link:
https://www.unpac.me/results/2107e970-5ed4-4be3-89fe-0c8edbddb54f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ba2419d74a5a9c7ef362bf40d0e1563bd02fd16fada16c8da39cf178c6306be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 7ba2419d74a5a9c7ef362bf40d0e1563bd02fd16fada16c8da39cf178c6306be

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1392911/
  
Delivery method
Distributed via web download

Comments