MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c87b7eba362a0977455c82ea09d8172084306587c36827a52030bf0bcd9c93d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c87b7eba362a0977455c82ea09d8172084306587c36827a52030bf0bcd9c93d
SHA3-384 hash: 13be49e5f16a9db1a94a21f6d57a71f9deeec642ac635249783e84d963b020e80e194c23ac22437f40796b45c7627a48
SHA1 hash: ae9fcf6b74f2f90b4bb53d1c7d425769f7b936ae
MD5 hash: 169db05f04eefdbd0b77349cf6321004
humanhash: fruit-arkansas-oregon-eight
File name:7c87b7eba362a0977455c82ea09d8172084306587c36827a52030bf0bcd9c93d
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'865'728 bytes
First seen:2022-03-23 10:30:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:3QZyfxexCfsvZB2yw97D0VBYnXiJ8PXgaoehJM2PWX:gZIJfsvj2yw97D02gaoehJXP0
Threatray 809 similar samples on MalwareBazaar
TLSH T15E850137C632BCC54FDE3601D6E91D6A159825A6C3B71E64DB0D2DFE38A2741EF10A88
Reporter JAMESWT_WT
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QuasarStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/256253/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated overlay packed packed
Link:
https://www.filescan.io/uploads/623af6ffb94fb38cb4d85ed5/reports/a9a49f05-ec81-480e-9d8e-65c71cfeb645/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962612
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: File Created with System Process Name
Sigma detected: Schedule system process
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 595095 Sample: 0V2CIoSzzM Startdate: 23/03/2022 Architecture: WINDOWS Score: 100 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for URL or domain 2->56 58 9 other signatures 2->58 10 0V2CIoSzzM.exe 6 2->10         started        14 xxx.exe 2 2->14         started        process3 file4 42 C:\Users\user\AppData\...\0V2CIoSzzM.exe.log, ASCII 10->42 dropped 68 Detected unpacking (overwrites its own PE header) 10->68 70 Suspicious powershell command line found 10->70 72 Bypasses PowerShell execution policy 10->72 16 powershell.exe 19 10->16         started        20 conhost.exe 10->20         started        74 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->74 signatures5 process6 file7 38 C:\Users\user\AppData\xxx.exe, PE32 16->38 dropped 50 Powershell drops PE file 16->50 22 xxx.exe 5 16->22         started        signatures8 process9 file10 40 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 22->40 dropped 60 Antivirus detection for dropped file 22->60 62 Detected unpacking (overwrites its own PE header) 22->62 64 Machine Learning detection for dropped file 22->64 66 3 other signatures 22->66 26 svchost.exe 2 22->26         started        30 schtasks.exe 1 22->30         started        signatures11 process12 dnsIp13 44 tools.keycdn.com 185.172.148.96, 443, 49761 PROINITYPROINITYDE Germany 26->44 46 windowsdefenderinc.duckdns.org 85.202.169.69, 49759, 6666 GUDAEV-ASRU Netherlands 26->46 48 2 other IPs or domains 26->48 76 Antivirus detection for dropped file 26->76 78 System process connects to network (likely due to code injection or exploit) 26->78 80 Detected unpacking (overwrites its own PE header) 26->80 82 4 other signatures 26->82 32 schtasks.exe 26->32         started        34 conhost.exe 30->34         started        signatures14 process15 process16 36 conhost.exe 32->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c87b7eba362a0977455c82ea09d8172084306587c36827a52030bf0bcd9c93d/
Threat name:
ByteCode-MSIL.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2022-03-12 14:39:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 42 (52.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=psd3p25dmkqjo5cvzaxkbhmboieegbsypq3ie6ssamf7bpgzze6q._file
Verdict:
malicious
Similar samples:
2acbe411d9169a8ea08c2f54cec03901956e3a1a5c80a0153ebe09792961b549
QuasarRAT
965a8d621907f2a2c04e8ca84801f448c68e133491b26d5336c851059db5b3ec
QuasarRAT
b352b773440958a40d189376f980b7808568221e61911c7bbbaeb7cb12a89fc5
QuasarRAT
d26ba4768bef5a8e4424b6c90b74b0c22129f9df94022b5f84850c22b289b7e7
QuasarRAT
d328076556526a90907af4a328621d490307be0ff3ff79b14ed8a9c978f9440f
QuasarRAT
da6d10f762f019e36f8a2f8547bb4fa33ec67d508db580b6c5b156a1e1dc576a
QuasarRAT
+ 799 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:new spyware suricata trojan
Link:
https://tria.ge/reports/220323-mkdrnsgggm/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Looks up external IP address via web service
Executes dropped EXE
Quasar Payload
Quasar RAT
suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
Malware Config
C2 Extraction:
windowsdefenderinc.duckdns.org:6666
Unpacked files
SH256 hash:
7c87b7eba362a0977455c82ea09d8172084306587c36827a52030bf0bcd9c93d
MD5 hash:
169db05f04eefdbd0b77349cf6321004
SHA1 hash:
ae9fcf6b74f2f90b4bb53d1c7d425769f7b936ae
Link:
https://www.unpac.me/results/7ccd38c6-7a34-4e12-aba8-ed6a19694f1e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/7c87b7eba362a0977455c82ea09d8172084306587c36827a52030bf0bcd9c93d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/256253/

Comments