MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84becd454a058c325e514ac677c33b1493833b35d8b566a2275a9542bea4ca03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84becd454a058c325e514ac677c33b1493833b35d8b566a2275a9542bea4ca03
SHA3-384 hash: e503f6aab605388af25bd76294bbc0437e51ad792e989e15936828dbc950e4fc96941832299d0abd63d96ce5f85d6e60
SHA1 hash: 63336fd24662de5fbab086866bb3f33446fa41a2
MD5 hash: 804520cff10e79af63d8f8cdee2697fe
humanhash: fifteen-blue-quiet-lima
File name:SecuriteInfo.com.Trojan.GenericKD.46539420.31445.29594
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:10'932'224 bytes
First seen:2021-11-01 13:12:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c8cd6bfe5371c3640fbf6bbba4cf6a5b (1 x QuasarRAT)
ssdeep 196608:R1FYL2IHPEucW955GSYaYEWi1DkmX2TR2lTrHldQqYZi/7aDk:xGzH6W955GF+jm2rF4T
Threatray 8 similar samples on MalwareBazaar
TLSH T128B623FE624C334CC41E8D705423FD08F1B6660D52F9C9EEB9DABAC06FA64259912F46
Reporter SecuriteInfoCom
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
C5miH6bwZ3Ulv_1.exe
Verdict:
No threats detected
Analysis date:
2021-07-16 07:41:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bf4b2594-b338-4b26-8cf1-c9bb2511eef5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/201088/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46539420.31445.29594.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Connection attempt
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/617ffa80db358dd15ee33ef1/reports/3f20fedd-725e-4d25-b707-59f4e5087e6c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4bd17fdf-5252-47a9-9853-604ed084a51f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/880456
Signature
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Tries to detect debuggers (CloseHandle check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 512888 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 01/11/2021 Architecture: WINDOWS Score: 96 45 Multi AV Scanner detection for dropped file 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Machine Learning detection for sample 2->49 51 2 other signatures 2->51 8 SecuriteInfo.com.Trojan.GenericKD.46539420.31445.exe 1 28 2->8         started        process3 dnsIp4 37 51.79.119.221, 13371, 49775, 49781 OVHFR Canada 8->37 39 51.79.119.228, 13371, 49773, 49780 OVHFR Canada 8->39 41 3 other IPs or domains 8->41 33 C:\...\D8B2DDE07AAE42C0823E-AFFDA269F959.tmp, PE32+ 8->33 dropped 59 Multi AV Scanner detection for dropped file 8->59 61 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->61 63 Machine Learning detection for dropped file 8->63 65 6 other signatures 8->65 13 SecuriteInfo.com.Trojan.GenericKD.46539420.31445.exe 15 8->13         started        file5 signatures6 process7 dnsIp8 43 cdn.discordapp.com 162.159.135.233, 443, 49776 CLOUDFLARENETUS United States 13->43 35 C:\Users\user\AppData\...\loader.prod[1].exe, PE32+ 13->35 dropped 17 SecuriteInfo.com.Trojan.GenericKD.46539420.31445.exe 15 13->17         started        20 conhost.exe 13->20         started        file9 process10 file11 27 SecuriteInfo.com.T...1445.exe_tmp (copy), PE32+ 17->27 dropped 29 SecuriteInfo.com.T....46539420.31445.exe, PE32+ 17->29 dropped 31 C:\Users\user\AppData\Local\Temp\stuff2.tmp, PE32+ 17->31 dropped 22 SecuriteInfo.com.Trojan.GenericKD.46539420.31445.exe 1 26 17->22         started        25 conhost.exe 17->25         started        process12 signatures13 53 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->53 55 Tries to detect debuggers (CloseHandle check) 22->55 57 Hides threads from debuggers 22->57
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84becd454a058c325e514ac677c33b1493833b35d8b566a2275a9542bea4ca03/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-07 00:07:00 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
46e01b9491f7ed9a2408278c7dd4b6a3b6c7f9a780f1d07531a1c23bf76f9992
QuasarRAT
5ea0e7b1e594dd2fad47eb3761976558291987c54ec03ce30bb29cb72389f7c5
QuasarRAT
61a70fdae6040d08c4f66f5d5ba95aba1987cda5e4715903696c3139a33d8e05
QuasarRAT
a5cff8be9bcf62d52112968e176e33103c2589f7fad004023543a041adfa9578
QuasarRAT
ac085734d51ca988db79b3078badc4ce24481eee7ef68db8811b1a98d2b3980c
QuasarRAT
bc06c918fab5afbb61d15611dedadbc9012cf9e4979e9d3f261a9046c306bb87
QuasarRAT
cdf2ed21f6bda94bdebd880cb3e45005de2e714d8f1311f3d38684f103be2f00
QuasarRAT
eb639e9d45ed4d4cf911195b7ef53d61897dd8f826c542ae411854ddec3aea87
QuasarRAT
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/211101-qf3rsahhf3/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Deletes itself
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
84becd454a058c325e514ac677c33b1493833b35d8b566a2275a9542bea4ca03
MD5 hash:
804520cff10e79af63d8f8cdee2697fe
SHA1 hash:
63336fd24662de5fbab086866bb3f33446fa41a2
Link:
https://www.unpac.me/results/f0f16397-3279-4022-8003-c4b659f86060/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/84becd454a058c325e514ac677c33b1493833b35d8b566a2275a9542bea4ca03

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 84becd454a058c325e514ac677c33b1493833b35d8b566a2275a9542bea4ca03

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1735275/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/201088/

Comments