MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 898216543dfbe03ead8ae9e2963d972b1963da5e00addab93702a9ec1a4b216a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 898216543dfbe03ead8ae9e2963d972b1963da5e00addab93702a9ec1a4b216a
SHA3-384 hash: 94aea8075e3250738e6df3284e730a8565d72cde6e20b37242c39aa4d8d197026ab429c87355c32d8c915739cf180e2c
SHA1 hash: f7a9335dac3834b5f42e0eaab4b2442d9915fd62
MD5 hash: efd0a1f6c70a1d26cbb5cf4d2bcc9222
humanhash: fruit-eight-december-jig
File name:efd0a1f6c70a1d26cbb5cf4d2bcc9222
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'513'984 bytes
First seen:2021-06-24 12:37:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'614 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:X63Cw+Gxs4h+AAO8jbUGapm+huD8ClDVc8HpKnR2lYmJLRW6ZUG:QCR+sW+AAOSbvm7uD8ylpKaYmJU6W
Threatray 112 similar samples on MalwareBazaar
TLSH 55651233718AC16DC633C538A602E528FD576E532DF2990E67D03BBD1976260BA34F92
Reporter zbetcheckin
Tags:32 exe QuasarRAT

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
195.133.40.84:9521 https://threatfox.abuse.ch/ioc/153256/

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
efd0a1f6c70a1d26cbb5cf4d2bcc9222
Verdict:
Suspicious activity
Analysis date:
2021-06-24 12:44:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/98a282d7-268c-41be-afb8-cabdfe822d9b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168029/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37132855.20590.31066.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f84eb650-7b6b-42a9-ad48-e5a55597dbe1
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807462
Signature
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/898216543dfbe03ead8ae9e2963d972b1963da5e00addab93702a9ec1a4b216a/
Threat name:
ByteCode-MSIL.Trojan.Perseus
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 19:47:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
23 of 46 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rgbbmvb57pqd5lmk5hrjmpmxfmmwhws6acw5vojxaku6ygslefva._file
Verdict:
suspicious
Similar samples:
0993337058dcc57bb0451776eb23ae1bb1fc7199f390fdb78ddb753482e276e2
QuasarRAT
1d0e8150809cb78fb1cf2cad89dc63b884ef4459e93ce4fbb4676ff705bb2679
QuasarRAT
52309c4bfd0f4a78a05edff800c412760c488ef60f6709f6f9038dc1f315f17a
QuasarRAT
5752c23fde5267870a7e7487767566c82e60a9bf93eb2e6b63976649abe8505d
QuasarRAT
9c2be0c1c80a7f7c5de355be5d52ea7f1b023ca29fcf33a753c41c13bbdb8ef9
QuasarRAT
b74d77c359b3eea168c342dda78f18f8afaf6379763ca8221e91ebdf1673d4f0
QuasarRAT
bc3ac3b8a31b50aa2f02bb5feeb470e40f345880e27f56aa4c18cb6429490bd9
QuasarRAT
bc57e420dec21d7e6a08748c9a531cbdbddf2251e656492521a4f16b692c23f5
QuasarRAT
db30e7a45705a8bf2071bd51b70157cace17faaf34aef2bcbd3266fa0ecce874
QuasarRAT
f94934b7aa314b6b2ca25bfd06090f70e37eb99af3a84cd9c02b222d9fbcbe7a
QuasarRAT
+ 102 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:matic spyware trojan
Link:
https://tria.ge/reports/210624-hvbla3hkzn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Quasar Payload
Quasar RAT
Malware Config
C2 Extraction:
127.0.0.1:9521
195.133.40.84:9521
nwocbautemxpq.ratkings.net:9521
Unpacked files
SH256 hash:
e73661a764cc091dc0bfcb954265bc575beb72486b51140ba608a2519f96f413
MD5 hash:
01ed6bf7c62efb9b0a8fd9410ddc8ecc
SHA1 hash:
a62f01b0c2ef4b0a5d9c846f41264f4a4e4fa32c
Link:
https://www.unpac.me/results/8ba9513c-33df-4d72-a2f2-7b8bb25beb68/
SH256 hash:
1c94ea2ad63dbc3914d3c4dbc1c85bcb650386c3d33d61990536e27c825b2bb2
MD5 hash:
4417f30f7eef439aed8936eddc495bfe
SHA1 hash:
4d7fccd9b6957744a2edeab6b06980dc144d841a
Link:
https://www.unpac.me/results/8ba9513c-33df-4d72-a2f2-7b8bb25beb68/
SH256 hash:
3e42b7042e49eb4cc68fd8b74134090409c8321714fb2dfd2cf7d651b36002a8
MD5 hash:
3c428ce863a5f01e56e0fc47f684dd8f
SHA1 hash:
1a4b6c7914ce7ab9b6752eb7eb498fc522e3d635
Link:
https://www.unpac.me/results/8ba9513c-33df-4d72-a2f2-7b8bb25beb68/
SH256 hash:
898216543dfbe03ead8ae9e2963d972b1963da5e00addab93702a9ec1a4b216a
MD5 hash:
efd0a1f6c70a1d26cbb5cf4d2bcc9222
SHA1 hash:
f7a9335dac3834b5f42e0eaab4b2442d9915fd62
Link:
https://www.unpac.me/results/8ba9513c-33df-4d72-a2f2-7b8bb25beb68/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/898216543dfbe03ead8ae9e2963d972b1963da5e00addab93702a9ec1a4b216a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 898216543dfbe03ead8ae9e2963d972b1963da5e00addab93702a9ec1a4b216a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1394625/
Cape
Cape
https://www.capesandbox.com/analysis/168029/

Comments