MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85ba700122e35a9457bc1d0fa4ae49123c99efe4906e764b26f83e6f15ff3dcf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85ba700122e35a9457bc1d0fa4ae49123c99efe4906e764b26f83e6f15ff3dcf
SHA3-384 hash: de463e4a3e989d4976ffd553e1830f8a8880f8b50301b7c02198c91978dfcde7f719585636beec625b923830f6daee49
SHA1 hash: c4918993430e7e1fc753b728cb1834becf033ffc
MD5 hash: fbda14f36f42a728d9a4718a98e07075
humanhash: failed-oscar-july-nebraska
File name:85BA700122E35A9457BC1D0FA4AE49123C99EFE4906E7.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'216'036 bytes
First seen:2021-09-08 14:16:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 49152:CAI+jjqddUJ06pidFfGuuA2prnELKGKizmRs41K0VXSBrb6jgB3DhH7tHPy:CAI+jWddUJ0Vl8TrELeiqLKGIC0B3G
Threatray 1'725 similar samples on MalwareBazaar
TLSH T121E5331AF1814076C1B30AB9C497D1B9F17EE9041B3855CFF3DA19A85EB32461BB13EA
dhash icon 41699696b28ad8e4 (1 x QuasarRAT)
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
QuasarRAT C2:
107.173.219.111:4782

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
107.173.219.111:4782 https://threatfox.abuse.ch/ioc/218044/

Intelligence

File Origin
# of uploads :
1
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186408/
Detection(s):
Win.Dropper.Nanocore-9189507-1
Create hunting rule

SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% directory
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Sending a UDP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a8feb537-711a-4be0-a725-ad4c6a1169d5
Result
Threat name:
AsyncRAT Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/847524
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 479961 Sample: 85BA700122E35A9457BC1D0FA4A... Startdate: 08/09/2021 Architecture: WINDOWS Score: 100 39 tools.keycdn.com 185.172.148.96, 443, 49747 PROINITYPROINITYDE Germany 2->39 41 pettbull.ddns.net 107.173.219.111, 4782, 49743, 6606 AS-COLOCROSSINGUS United States 2->41 43 3 other IPs or domains 2->43 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for dropped file 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 11 other signatures 2->55 9 85BA700122E35A9457BC1D0FA4AE49123C99EFE4906E7.exe 14 11 2->9         started        signatures3 process4 file5 31 C:\Users\user\AppData\Roaming\Host.exe, PE32 9->31 dropped 33 C:\Users\user\AppData\Roaming\Host file.exe, PE32 9->33 dropped 35 C:\Users\user\AppData\Local\...\temp_0.tmp, Microsoft 9->35 dropped 37 2 other files (none is malicious) 9->37 dropped 12 Host.exe 1 9->12         started        15 Host file.exe 1 9->15         started        process6 signatures7 57 Antivirus detection for dropped file 12->57 59 Multi AV Scanner detection for dropped file 12->59 61 Machine Learning detection for dropped file 12->61 17 powershell.exe 14 12->17         started        21 Host.exe 6 12->21         started        23 powershell.exe 18 15->23         started        process8 file9 27 C:\Users\user\AppData\...\System32.exe, PE32 17->27 dropped 45 Drops PE files to the startup folder 17->45 47 Powershell drops PE file 17->47 25 conhost.exe 17->25         started        29 C:\Users\user\AppData\Roaming\System32.exe, PE32 21->29 dropped signatures10 process11
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/85ba700122e35a9457bc1d0fa4ae49123c99efe4906e764b26f83e6f15ff3dcf/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 23:19:41 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qw5haajc4nnjiv54duh2jlsjci6jt37esbxhmszg7a7g6fp7hxhq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
06417db53e9b090c7a07192dbb6203ce15c832c0928d73ebbc9c8ebff05320ff
QuasarRAT
0b8a5cbe236a7057a2904f18480b85ce9b59b891c0a1a041516248d35760744d
QuasarRAT
1299373ec40fc1f3f16957338574a9ad51a94e62220cc8c08f1ad81dee443544
QuasarRAT
16fc0cec13d88da3d0a36e4c42e733db8f1e21cafc18fd813a25cd0bc835f35a
QuasarRAT
1b7d7515f98891cf08164a7469bb9c9f3133e7834cfe99d55094594ca330e982
QuasarRAT
213528a5164fcb5253010129aac3855b4b905c9c5a9514a2a2b9db7e2b592a73
QuasarRAT
438e8f8d626ca18bb5fbd3499cad058033b199c865badba6415e362d5b8dcd49
QuasarRAT
bcf7571a4d9b25fabdc2d6120b1b2d7bd8446ea2bc3a5da1d4127954920067de
QuasarRAT
ceddcfa72226e91f7435facafe6631d1385ca4d246d242d5136ac4e9462b8611
QuasarRAT
ecb8839117d73d33390c84f7f6e02f4970156ccb2da7b48083922f60625fa8be
QuasarRAT
+ 1'715 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:quasar botnet:brave21 discovery rat spyware suricata trojan
Link:
https://tria.ge/reports/210908-rlpyjshggl/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Quasar Payload
Quasar RAT
suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
Malware Config
C2 Extraction:
pettbull.ddns.net:6606
pettbull.ddns.net:7707
pettbull.ddns.net:8808
pettbull.ddns.net:4782
Unpacked files
SH256 hash:
5e48439b3880bf5a680c89b5ed9322ec01190de21dfd8accb36ff5b2f14bba09
MD5 hash:
422495115000b9721c846824da8809b4
SHA1 hash:
6d36c3624bd45dd127061609ad9def8d02f096be
Link:
https://www.unpac.me/results/12eea63d-9f52-4878-a2a1-34d6b1531f7e/
SH256 hash:
2b5bc6490cf0996487071bfc34e435433ec7c6a3d911a414660e21c99ca11bd8
MD5 hash:
749cf12f596bdd9cc3524a3c79046239
SHA1 hash:
810b8a28cff0d73421859b9d85ca93735f4f4296
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/12eea63d-9f52-4878-a2a1-34d6b1531f7e/
SH256 hash:
bfa12a2456d40d6c32a1f4e35bd43c81f6f67466234faed8fec19397d0e6d808
MD5 hash:
7a7927bac28be846b2fd2a5d10ba0676
SHA1 hash:
67a7b8616fc8e7aa7bb7a6e2521548e67a7caa2d
Link:
https://www.unpac.me/results/12eea63d-9f52-4878-a2a1-34d6b1531f7e/
Parent samples :
fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d
80dd6d009a2b7ab7aa393d063048320db5ea3920a4fd9cca4a0a76f12183273f
SH256 hash:
85ba700122e35a9457bc1d0fa4ae49123c99efe4906e764b26f83e6f15ff3dcf
MD5 hash:
fbda14f36f42a728d9a4718a98e07075
SHA1 hash:
c4918993430e7e1fc753b728cb1834becf033ffc
Link:
https://www.unpac.me/results/12eea63d-9f52-4878-a2a1-34d6b1531f7e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85ba700122e35a9457bc1d0fa4ae49123c99efe4906e764b26f83e6f15ff3dcf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186408/

Comments