MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7df219e7374d578a6a2b37fda787bcb7031ef1a9596c5af34b7c3d6c87dff20d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT
Vendor detections: 14

SHA256 hash: 7df219e7374d578a6a2b37fda787bcb7031ef1a9596c5af34b7c3d6c87dff20d
SHA3-384 hash: 72906520405cd09c59b19e273250888569db421675c43fd9e412a67915e0b7c35aa5c72b02763921568bc3c8555c0918
SHA1 hash: b1dd1574ed5b52f003c38e7ffb818e70060bc8b6
MD5 hash: e502b06eae10addf8bc12a7c931c52e2
humanhash: summer-nuts-tango-september
File name: siparis_odeme.exe
Signature: QuasarRAT
File size: 1'550'102 bytes
First seen: 2023-02-27 11:11:46 UTC
Last seen: 2023-02-27 20:39:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep: 24576:wNA3R5drXuDymTCR/6l4+9dXrn8Y9RXdazwuWRcme5XzhlalbvOx4Wco6+:p5MTO6S+jXrn8YLX4wu+wOl7OxEo6+
Threatray: 443 similar samples on MalwareBazaar
TLSH: T13E752201F6C684B1E6322D351829AB71B9BE7D201E30EB6EA7C4792DDA311C19135FB7
TrID: 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 0c0c0d0d0d090000 (1 x QuasarRAT)
Reporter: TeamDreier
Tags: exe QuasarRAT

Intelligence

File Origin
# of uploads: 2
# of downloads: 231
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: siparis_odeme.exe
Verdict: Malicious activity
Analysis date: 2023-02-27 11:52:40 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% directory

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed quasar setupapi.dll shdocvw.dll shell32.dll

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100

Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 815992, Sample: siparis_odeme.exe, Startdate: 27/02/2023, Architecture: WINDOWS, Score: 100
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 6 other signatures

Process tree recovered from the graph (numbers in parentheses are the graph's own process ids):
  siparis_odeme.exe (11)
    dropped: C:\Users\user\AppData\...\jihxnkgjd.sfx.exe (PE32)
    cmd.exe (17)
      jihxnkgjd.sfx.exe (27)
        signature: Multi AV Scanner detection for dropped file
        dropped: C:\Users\user\AppData\Roaming\jihxnkgjd.exe (PE32)
        jihxnkgjd.exe (40)
          signatures: May check the online IP address of the machine; Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes
          jihxnkgjd.exe (45)
            network: ip-api.com 208.95.112.1, ports 49712, 49715, 80 (TUT-ASUS, United States)
            dropped: C:\Users\user\AppData\Roaming\rvi\cit.exe (PE32)
            signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
            cit.exe (58)
              signatures: May check the online IP address of the machine; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
            schtasks.exe (61)
              conhost.exe (63)
          jihxnkgjd.exe (50), jihxnkgjd.exe (52), jihxnkgjd.exe (54)
      cit.exe (31)
        network: camgreetgroop.sytes.net 185.254.37.238, ports 49716, 49717, 49718 (NETERRA-ASBG, Germany); ip-api.com
        signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
        schtasks.exe (43)
          conhost.exe (56)
      conhost.exe (34)
      3 other processes (38)
  jihxnkgjd.exe (14)
    signature: Injects a PE file into a foreign processes
    jihxnkgjd.exe (19)
      WerFault.exe (36)
    jihxnkgjd.exe (21), jihxnkgjd.exe (23), jihxnkgjd.exe (25)
Threat name: Win32.Trojan.Quasar
Status: Malicious
First seen: 2023-02-27 03:48:12 UTC
File Type: PE (Exe)
Extracted files: 23
AV detection: 20 of 25 (80.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:quasar botnet:hwl spyware trojan

Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Quasar RAT
Quasar payload

Malware Config
C2 Extraction: camgreetgroop.sytes.net:64578

Unpacked files
SHA256 hash: 1ad70bd61311d211e7c585070ec310c71aceabb5b80a6f0875a4a86ac0ca8e20
MD5 hash: 51ad5aec43d6b39b3c2b0a7b45c1167f
SHA1 hash: ca43e84e859da2c4d592ece6b4d17f11723e29b6

SHA256 hash: 45bb655c1c067721a887c01bef2d86089051c1bd480d6adb0195453fff3ddc24
MD5 hash: d089f215cca4158d677480cde15affa8
SHA1 hash: 7bc0a5e1c57a74b2548e23612c40ade25cc4190b

SHA256 hash: e169c9267ce7d9754e62607b76d57ac292125fbf9c279f8f0fb953bcdc96bfe1
MD5 hash: 7a5a98d272b000de67d3b2534c285ed3
SHA1 hash: 29f04d74070095226459e3b84b0b5b775c688614

SHA256 hash: 7df219e7374d578a6a2b37fda787bcb7031ef1a9596c5af34b7c3d6c87dff20d
MD5 hash: e502b06eae10addf8bc12a7c931c52e2
SHA1 hash: b1dd1574ed5b52f003c38e7ffb818e70060bc8b6
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_KeyLogger_1
Author:Florian Roth (Nextron Systems)
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:CN_disclosed_20180208_KeyLogger_1_RID3227
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:malware_Quasar_strings
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:MALWARE_Win_QuasarRAT
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Rule name:Quasar_RAT_1
Author:Florian Roth (Nextron Systems)
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_1_RID2B54
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Author:Florian Roth (Nextron Systems)
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2_RID2B55
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:sfx_pdb
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Vermin_Keylogger_Jan18_1
Author:Florian Roth (Nextron Systems)
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:Windows_Trojan_Quasarrat_e52df647
Author:Elastic Security
Rule name:xRAT_1
Author:Florian Roth (Nextron Systems)
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W
Rule name:xRAT_1_RID2900
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
QuasarRAT
Executable exe 7df219e7374d578a6a2b37fda787bcb7031ef1a9596c5af34b7c3d6c87dff20d (this sample)
Delivery method: Distributed via e-mail attachment
