MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 8890e3a0436c06a1c1d723352fd159a75e492cf3007f727f38183bbb8b79828e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
QuasarRAT
Vendor detections: 7
| SHA256 hash: | 8890e3a0436c06a1c1d723352fd159a75e492cf3007f727f38183bbb8b79828e |
|---|---|
| SHA3-384 hash: | 554d9e78ef73e2e6aad3d145aaa479f050d14c88b397c395981bc634904ccff1c82d1ff0b42aab0d57151ab513cd3ab3 |
| SHA1 hash: | c4208e5d550e3280cf4b8d051c6160a3a579fcbd |
| MD5 hash: | c3a129b161a23e485f989edab9e6ea42 |
| humanhash: | stairway-ack-robert-hot |
| File name: | Dhl paket.exe |
| Download: | download sample |
| Signature | QuasarRAT |
| File size: | 3'988'024 bytes |
| First seen: | 2021-01-05 20:55:25 UTC |
| Last seen: | 2021-01-05 22:46:52 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 12288:eethYCX9Y5C3+krA8aBYeht9JXbHYRpVHcfSUgqfvsvEui8h9w1F1WrMyFpPswQL:cEw |
| Threatray | 35 similar samples on MalwareBazaar |
| TLSH | FD060B156FE3254EF2F3E07612B19AD6AF38FA7A72405E1D825D2A550C03F862F83D16 |
| Reporter |  neoxmorpheus1 |
| Tags: | QuasarRAT |
Intelligence
File Origin
# of uploads :
2
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Dhl paket.exe
Verdict:
Malicious activity
Analysis date:
2021-01-05 20:58:16 UTC
Tags:
trojan rat quasar
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Setting a keyboard event handler
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Sending a UDP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Result
Threat name:
Quasar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.Generic
Status:
Suspicious
First seen:
2021-01-05 20:56:03 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 25 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
8/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Executes dropped EXE
Unpacked files
SH256 hash:
8890e3a0436c06a1c1d723352fd159a75e492cf3007f727f38183bbb8b79828e
MD5 hash:
c3a129b161a23e485f989edab9e6ea42
SHA1 hash:
c4208e5d550e3280cf4b8d051c6160a3a579fcbd
SH256 hash:
7fe5f523603f6ac6c4f78e7452f397903c81a6313ea869ee61526b5f7fe6d142
MD5 hash:
1cb8e2d892ab5d9044eb492557f78fd2
SHA1 hash:
864cd37d74af3c1768d849e49202d8a12c148edd
SH256 hash:
cbecdce344cfcccb375ae3e2a7858f03c71f238f4d461f31292cba839b18eb6f
MD5 hash:
a29422c7d90731ab0f7a09d0083874d0
SHA1 hash:
c73857c09830b5bc4cf8ac577d9510fc5d9d8d02
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | CAP_HookExKeylogger |
|---|---|
| Author: | Brian C. Bell -- @biebsmalwareguy |
| Reference: | https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar |
| Rule name: | Chrome_stealer_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Chrome in files like avemaria |
| Rule name: | INDICATOR_SUSPICIOUS_GENInfoStealer |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables containing common artifcats observed in infostealers |
| Rule name: | Keylog_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Contains Keylog |
| Rule name: | MALWARE_Win_QuasarStealer |
|---|---|
| Author: | ditekshen |
| Description: | Detects Quasar infostealer |
| Rule name: | MAL_QuasarRAT_May19_1 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects QuasarRAT malware |
| Reference: | https://blog.ensilo.com/uncovering-new-activity-by-apt10 |
| Rule name: | Select_from_enumeration |
|---|---|
| Author: | James_inthe_box |
| Description: | IP and port combo |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.