MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82f2580bd4f645cd640020730404c2e0be6f75ada5f912b8abcdc5a1d78c8e5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82f2580bd4f645cd640020730404c2e0be6f75ada5f912b8abcdc5a1d78c8e5e
SHA3-384 hash: eb5b53cc7758662ebc3380ae05896456b99fd3b29300e2ba1636e95d150812b691aecdd5d0ca0413c22e4ff74775ac05
SHA1 hash: b0f5b575825d25bfeb19ff0c8aba315acc3852e5
MD5 hash: 0d10337299c1c3ce2acfbe3f60e8e6dc
humanhash: michigan-beryllium-zulu-michigan
File name:82f2580bd4f645cd640020730404c2e0be6f75ada5f912b8abcdc5a1d78c8e5e
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:762'880 bytes
First seen:2021-09-09 11:59:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'797 x AgentTesla, 19'706 x Formbook, 12'278 x SnakeKeylogger)
ssdeep 12288:VjHTWJoJMgyrnr00EcEvpPdddUiIp7XFzKzmfXkHSlYhXX:1HiJ3f7Mt+FHfk9
Threatray 360 similar samples on MalwareBazaar
TLSH T1D7F4D03237B4BBA4FB7DD7781862554093F8A6179B52CF1D3C9B808E0A25ED443A2637
Reporter JAMESWT_WT
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
82f2580bd4f645cd640020730404c2e0be6f75ada5f912b8abcdc5a1d78c8e5e
Verdict:
Malicious activity
Analysis date:
2021-09-09 12:22:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c53497f0-b793-48ac-b47a-f9704dd775ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186655/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.16385.23289.20907.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Sending a custom TCP request
Creating a window
Launching a process
Unauthorized injection to a recently created process
Creating a file
DNS request
Connection attempt
Setting a keyboard event handler
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/007b547a-2530-433e-b9ff-5a7c88f73df9
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/848052
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Uses dynamic DNS services
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 480483 Sample: bcaaMd556r Startdate: 09/09/2021 Architecture: WINDOWS Score: 100 33 pettbull.ddns.net 2->33 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for dropped file 2->39 41 Antivirus / Scanner detection for submitted sample 2->41 43 6 other signatures 2->43 8 bcaaMd556r.exe 1 2->8         started        12 System32.exe 1 2->12         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\bcaaMd556r.exe.log, ASCII 8->29 dropped 45 Injects a PE file into a foreign processes 8->45 14 powershell.exe 15 8->14         started        18 bcaaMd556r.exe 4 8->18         started        21 bcaaMd556r.exe 8->21         started        23 System32.exe 2 12->23         started        25 System32.exe 12->25         started        signatures6 process7 dnsIp8 31 C:\Users\user\AppData\...\System32.exe, PE32 14->31 dropped 47 Drops PE files to the startup folder 14->47 49 Powershell drops PE file 14->49 27 conhost.exe 14->27         started        35 pettbull.ddns.net 198.23.212.148, 4782, 49741, 49742 AS-COLOCROSSINGUS United States 18->35 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->51 53 Installs a global keyboard hook 18->53 file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82f2580bd4f645cd640020730404c2e0be6f75ada5f912b8abcdc5a1d78c8e5e/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-09-08 01:22:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
77
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qlzfqc6u6zc42zaaebzqibgc4c7g65nnux4rfoflzxc2dv4mrzpa._file
Verdict:
malicious
Similar samples:
2c5d00f71931d80367ccae6bdd752ec56ab7647cc5312a0c7ddd24308ff9cc8e
QuasarRAT
585e4146923404bbe11c2cf5a423e2650a5d133541e9baeacb64a4d675f6484d
QuasarRAT
71b507a5d2ef28b951d65ba5a737c75e6e0ecdda454e7c70a40bd37b083ce9bd
QuasarRAT
8be3c7231a1d547531c3e669d380fd00b5b3e773da201b34bed04810062329c0
QuasarRAT
a792be03af23fe52b708d22df6cadeb3374bb5500416a862eee57ea56db20fd5
QuasarRAT
b26c95976936054915610598a19dabb10dd52f47b9edbdbadc079d2e91717814
QuasarRAT
b4401e082c3eb9275a7be41c333f1d7ee13894dff4f794dc3544f8397990e35e
QuasarRAT
d3a5310046716a79439b26f59b1cd70e4220fbb3d4161c8cd57806be2b56be43
QuasarRAT
e8ca0270e68c2f29f8e9f6a77fe630a93b08c04573bde4956690f8943e6d10e8
QuasarRAT
ea04e1c9f1de856c0a0023309410a758b26bdff39e4afbfe329a9b6a805cf23e
QuasarRAT
+ 350 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:brave21 spyware suricata trojan
Link:
https://tria.ge/reports/210909-n6c8psbcfl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Quasar Payload
Quasar RAT
suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
Malware Config
C2 Extraction:
pettbull.ddns.net:4782
Unpacked files
SH256 hash:
fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb
MD5 hash:
d93c5f59ddc41313bf36f106a2f1fe17
SHA1 hash:
97c5cd9d0689c1cd74685bc979122a13eba3fcc9
Link:
https://www.unpac.me/results/ef5b0f7a-e867-4fc3-8c04-0afe474613d5/
SH256 hash:
96eea292e3831e02cf7a5890c5dd0d487cf4a9371ce753c24b8fffd09d96075c
MD5 hash:
f1e3f82766db126aa03fc87b2e5c7dfd
SHA1 hash:
32b781503113c6ae745904acb1a50eb3e02aed78
Link:
https://www.unpac.me/results/ef5b0f7a-e867-4fc3-8c04-0afe474613d5/
SH256 hash:
82f2580bd4f645cd640020730404c2e0be6f75ada5f912b8abcdc5a1d78c8e5e
MD5 hash:
0d10337299c1c3ce2acfbe3f60e8e6dc
SHA1 hash:
b0f5b575825d25bfeb19ff0c8aba315acc3852e5
Link:
https://www.unpac.me/results/ef5b0f7a-e867-4fc3-8c04-0afe474613d5/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/82f2580bd4f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/82f2580bd4f645cd640020730404c2e0be6f75ada5f912b8abcdc5a1d78c8e5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186655/

Comments