MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88862ca221d9e5f6c871c460a53a0f90ceebaa5a20d8c45b8ec6a9413592f38d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88862ca221d9e5f6c871c460a53a0f90ceebaa5a20d8c45b8ec6a9413592f38d
SHA3-384 hash: 3a267cfcfad18b266659da9561384856feca06e426f0c79f3a1d0df5feb500aa254641691444193aa828aa042e9883a7
SHA1 hash: f79968fe80958bbb9a5e2c8ff8c05d3e13893388
MD5 hash: 868c705061720f5e9bf6aef521968113
humanhash: johnny-butter-potato-lima
File name:88862ca221d9e5f6c871c460a53a0f90ceebaa5a20d8c45b8ec6a9413592f38d
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:658'432 bytes
First seen:2020-07-29 13:52:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Vn8ja8da4ahQ+12FgUWFZB/9iYQ0AR3aiZ:Vn8ja80RhpgJWnOYQJF
Threatray 60 similar samples on MalwareBazaar
TLSH 7DE4F1A56E2B9A70D7F7467F93ED50D4CE15B833B782A22B02809773A837DD24D12C46
Reporter JAMESWT_WT
Tags:QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Launching a process
Creating a file
Running batch commands
Creating a process with a hidden window
Launching the process to change network settings
Creating a window
Reading critical registry keys
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Sending a custom TCP request
Deleting a recently created file
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/402632
Signature
.NET source code contains potential unpacker
Contains functionality to hide user accounts
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Capture Wi-Fi password
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 253665 Sample: i1xrYLN3Is Startdate: 29/07/2020 Architecture: WINDOWS Score: 100 30 g.msn.com 2->30 32 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->32 40 Malicious sample detected (through community Yara rule) 2->40 42 Sigma detected: Capture Wi-Fi password 2->42 44 Yara detected AntiVM_3 2->44 46 8 other signatures 2->46 9 i1xrYLN3Is.exe 5 2->9         started        signatures3 process4 file5 28 C:\Users\user\AppData\...\i1xrYLN3Is.exe.log, ASCII 9->28 dropped 12 MSBuild.exe 15 12 9->12         started        16 cmd.exe 1 9->16         started        process6 dnsIp7 34 ip-api.com 208.95.112.1, 49724, 80 TUT-ASUS United States 12->34 36 api.telegram.org 149.154.167.220, 443, 49726 TELEGRAMRU United Kingdom 12->36 38 192.168.2.1 unknown unknown 12->38 48 Tries to steal Mail credentials (via file access) 12->48 50 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->50 52 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->52 54 3 other signatures 12->54 18 netsh.exe 3 12->18         started        20 WerFault.exe 23 9 12->20         started        22 conhost.exe 16->22         started        24 choice.exe 1 16->24         started        signatures8 process9 process10 26 conhost.exe 18->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88862ca221d9e5f6c871c460a53a0f90ceebaa5a20d8c45b8ec6a9413592f38d/
Threat name:
ByteCode-MSIL.Trojan.Perseus
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 02:45:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rcdczirb3hs7nsdryrqkkoqpsdhoxks2edmmiw4oy2uucnms6ogq._file
Verdict:
unknown
Similar samples:
0437a3b7c497908d0dc489a1b21cf395b76eedae8f1a1b473ecbb5f02e892bf9
QuasarRAT
10b2e74fdeacd4b00b7687eca2f1bfe0c30901561453ae6c1b9549406b29615e
QuasarRAT
204d3c9b626e4bbac7012901f30592bf7408c66edb80ce1dda55f6d9421cb7f8
QuasarRAT
5073dae4db5d373083392acc876b2cee4a9c0a06001be580dd5fbca8f6124f68
QuasarRAT
50b73c4132c9240c404a85b5d2843436fe8d5022a7104b5faeab827f558c52e4
QuasarRAT
c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0
QuasarRAT
c4bf94d97d6bf5016e92e0e7f81760ebf5f995ee895bdf2a632bccdcaffc849b
QuasarRAT
c8c3bc6c01dee147be04e3fbaeb5ff72fbee21e676ba04b7326738e692cec9d0
QuasarRAT
ccdf6799e7fceaa24cdaaf41ba79fdafaf04a2a8e64dd9bf40cf3ddce9345adf
QuasarRAT
f902d33ba5996db886cd1f33e62759cd13605c1c825e3214032f92c4fed730b8
QuasarRAT
+ 50 additional samples on MalwareBazaar
Result
Malware family:
babax
Create hunting rule
Score:
  10/10
Tags:
discovery spyware stealer family:babax persistence
Link:
https://tria.ge/reports/200729-hk7ww97a66/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Modifies service
Looks up external IP address via web service
Checks installed software on the system
Accesses cryptocurrency wallets, possible credential harvesting
Deletes itself
Reads user/profile data of web browsers
Babax
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88862ca221d9e5f6c871c460a53a0f90ceebaa5a20d8c45b8ec6a9413592f38d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34933/

Comments