MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d634d0e72cf25b8a305b16a5ce905d772b98bbb2cd2af5cb848b6473ad94741. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 21 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d634d0e72cf25b8a305b16a5ce905d772b98bbb2cd2af5cb848b6473ad94741
SHA3-384 hash: 6d924d6140e9037178d4721520ccb2b6b33ba4a2576e414d674c5db26febd7888d27877f79ed44c6775aa20810911f59
SHA1 hash: 1d6fa59860b0e9c46ebcfb88118247764e7f931d
MD5 hash: 1450546db9a8bb6e52842606f03b4ea4
humanhash: louisiana-bravo-winner-two
File name:1450546db9a8bb6e52842606f03b4ea4
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'634'050 bytes
First seen:2023-01-26 07:50:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 24576:0NA3R5drX4PYbkyDv/+NcI0inzuAi0/DJCOTybO8z9rREGRiV6O/ofDbqWaCnLeW:V5NfnPE5X1COTCRjEGw6sS/BnLejk5f
TLSH T121751251E791C4B5E4630A399836EE31587BBD381EB4996EA38C3974DF333826036E17
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 41410f0d03120000 (1 x QuasarRAT)
Reporter zbetcheckin
Tags:32 exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1450546db9a8bb6e52842606f03b4ea4
Verdict:
Malicious activity
Analysis date:
2023-01-26 07:56:56 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/8d5ad5a6-321d-4a93-a14a-6814021fbb2d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/357022/
Detection(s):
SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% directory
Running batch commands
Creating a process from a recently created file
Launching a process
Sending a custom TCP request
Launching a service
Creating a file
Changing a file
Delayed writing of the file
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/63174/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/63d230e82b351a3d0ea8fe53/reports/43f0cada-6208-4de7-bcde-094540972444/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/805d31f7-5055-43b8-b6de-c98955663f43
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1159347
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 792083 Sample: p3TPW34SPc.exe Startdate: 26/01/2023 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus detection for URL or domain 2->72 74 6 other signatures 2->74 13 p3TPW34SPc.exe 9 2->13         started        16 afgfzgr.exe 2->16         started        process3 file4 56 C:\Users\user\AppData\...\afgfzgr.sfx.exe, PE32 13->56 dropped 19 cmd.exe 1 13->19         started        66 Injects a PE file into a foreign processes 16->66 21 afgfzgr.exe 16->21         started        signatures5 process6 process7 23 afgfzgr.sfx.exe 7 19->23         started        27 conhost.exe 19->27         started        file8 54 C:\Users\user\AppData\Roaming\afgfzgr.exe, PE32 23->54 dropped 86 Multi AV Scanner detection for dropped file 23->86 29 afgfzgr.exe 1 23->29         started        signatures9 process10 signatures11 90 May check the online IP address of the machine 29->90 92 Machine Learning detection for dropped file 29->92 94 Uses schtasks.exe or at.exe to add and modify task schedules 29->94 96 Injects a PE file into a foreign processes 29->96 32 afgfzgr.exe 15 4 29->32         started        process12 dnsIp13 58 ip-api.com 208.95.112.1, 49712, 49713, 80 TUT-ASUS United States 32->58 52 C:\Users\user\AppData\Roaming\cvi\ati.exe, PE32 32->52 dropped 76 Hides that the sample has been downloaded from the Internet (zone.identifier) 32->76 37 ati.exe 1 32->37         started        40 schtasks.exe 1 32->40         started        file14 signatures15 process16 signatures17 78 May check the online IP address of the machine 37->78 80 Machine Learning detection for dropped file 37->80 82 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 37->82 84 Injects a PE file into a foreign processes 37->84 42 ati.exe 14 2 37->42         started        46 conhost.exe 40->46         started        process18 dnsIp19 60 dnuocc.com 195.133.40.200, 49714, 49717, 49718 SPD-NETTR Russian Federation 42->60 62 www.dnuocc.com 42->62 64 ip-api.com 42->64 88 Hides that the sample has been downloaded from the Internet (zone.identifier) 42->88 48 schtasks.exe 42->48         started        signatures20 process21 process22 50 conhost.exe 48->50         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7d634d0e72cf25b8a305b16a5ce905d772b98bbb2cd2af5cb848b6473ad94741/
Threat name:
ByteCode-MSIL.Trojan.Hesv
Create hunting rule
Status:
Malicious
First seen:
2023-01-26 07:51:09 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pvru2dtsz4s3riyfwfvfz2if25zltc53ftjk6xfyjc3eoowzi5aq._file
Verdict:
malicious
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:owl spyware trojan
Link:
https://tria.ge/reports/230126-jptf5sda52/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
dnuocc.com:64594
www.dnuocc.com:64594
dnuocc.com:64588
Unpacked files
SH256 hash:
2539eda9f95f979714d3c6586c0df922a36edcf1807096b4cf23c312321cadec
MD5 hash:
0861dc3aa17f997694cf8dd0d74f9f4a
SHA1 hash:
7741e991ff9b6fff25e48cf56f25d57dd612743e
Link:
https://www.unpac.me/results/6389f0ce-39ea-4375-8606-f072b529f89a/
SH256 hash:
c0e7c478e752637063a1ed5bcf8c1eab48b719e9d4d202e339d88a1b6d6acf2d
MD5 hash:
87f700d54a68316ea85033c1c280b240
SHA1 hash:
a9e922dcc02d6d951e25a146be68d024dbba8a2d
Link:
https://www.unpac.me/results/6389f0ce-39ea-4375-8606-f072b529f89a/
SH256 hash:
be4d45e3cf92e73da4364f1c127e811e5f6abe46f07f753d9e6d21a6d171ad99
MD5 hash:
992b7509efeaf7e83ef88d7d7902b7ce
SHA1 hash:
83503b28be6dd07995be52e45aa63dad3b38181c
Link:
https://www.unpac.me/results/6389f0ce-39ea-4375-8606-f072b529f89a/
SH256 hash:
83bf8a72ad34ecd4c7c6f18d57252d6230fb6add88741b91fddc7d1305a0c63a
MD5 hash:
19041098289b5dd5ac0f2828b09c015a
SHA1 hash:
23952a2efbaf28c77c12dbaafa53c9202d753988
Link:
https://www.unpac.me/results/6389f0ce-39ea-4375-8606-f072b529f89a/
SH256 hash:
7d634d0e72cf25b8a305b16a5ce905d772b98bbb2cd2af5cb848b6473ad94741
MD5 hash:
1450546db9a8bb6e52842606f03b4ea4
SHA1 hash:
1d6fa59860b0e9c46ebcfb88118247764e7f931d
Link:
https://www.unpac.me/results/6389f0ce-39ea-4375-8606-f072b529f89a/
Malware family:
xRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7d634d0e72cf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7d634d0e72cf25b8a305b16a5ce905d772b98bbb2cd2af5cb848b6473ad94741

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:CN_disclosed_20180208_KeyLogger_1_RID3227
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:malware_Quasar_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_1_RID2B54
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2_RID2B55
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:Windows_Trojan_Quasarrat_e52df647
Create hunting rule
Author:Elastic Security
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W
Rule name:xRAT_1_RID2900
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 7d634d0e72cf25b8a305b16a5ce905d772b98bbb2cd2af5cb848b6473ad94741

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2518820/
Cape
Cape
https://www.capesandbox.com/analysis/357022/

Comments


Avatar
zbet commented on 2023-01-26 07:50:16 UTC

url : hxxps://www.js-hurling.com/webcpconents/generateddxgf.exe