MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89c232f52d508d2f9a407a678d8e42d39444440a211dec807a9f74a6a7df0465. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 27 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89c232f52d508d2f9a407a678d8e42d39444440a211dec807a9f74a6a7df0465
SHA3-384 hash: ddc095112ce3c91e180a2f204a65fda25065e42050e74157108b7afd17eb5b7a3ab85aa455cccc25c2fb423942909b02
SHA1 hash: 7f3cfcc28df12840547a4dc3c8d43c4976b78281
MD5 hash: 821a06a17d265c49b95d0bee2da8a0be
humanhash: georgia-golf-solar-cup
File name:Odeme.belgesi.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'316'633 bytes
First seen:2024-02-05 14:42:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 24576:ZNA3R5drXPexWDdLgBJuYgLhknebSjXCRTbyBXOesUCpmoqEZ4G9po6BovUg7:c5mcLX1LJeAuBXOe5Sm3En9Jg7
TLSH T1DB552302FAD284B2E9732A324525AB10A5BCBD301E34D96FB3D44D6DDE70541EA31BB7
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 163226286a2a352a (7 x XenoRAT, 2 x QuasarRAT, 1 x AveMariaRAT)
Reporter abuse_ch
Tags:exe geo QuasarRAT RAT TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
317
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
QuasarRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/474740/
Detection(s):
Win.Dropper.QuasarRAT-10014892-0
Create hunting rule

SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
89%
Tags:
fingerprint installer lolbin overlay packed quasar setupapi sfx shdocvw shell32
Link:
https://www.filescan.io/uploads/65c0f4067251d2ad7dc85f3e/reports/404af8c6-53a0-41a3-bbb6-f566bd0a4e05/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/89c232f52d508d2f9a407a678d8e42d39444440a211dec807a9f74a6a7df0465
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/041f9e36-4de9-4481-8f26-3662d6fbe71a
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1386858
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected Quasar RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1386858 Sample: Odeme.belgesi.exe Startdate: 05/02/2024 Architecture: WINDOWS Score: 100 104 rippenhothelp.viewdns.net 2->104 106 rippenhothelp.sytes.net 2->106 108 ip-api.com 2->108 124 Snort IDS alert for network traffic 2->124 126 Found malware configuration 2->126 128 Malicious sample detected (through community Yara rule) 2->128 130 7 other signatures 2->130 15 Odeme.belgesi.exe 9 2->15         started        18 dfgdsbs.exe 2->18         started        signatures3 process4 file5 102 C:\Users\user\AppData\...\dfgdsbs.sfx.exe, PE32 15->102 dropped 20 cmd.exe 1 15->20         started        23 dfgdsbs.exe 18->23         started        25 dfgdsbs.exe 18->25         started        process6 signatures7 134 Uses ping.exe to sleep 20->134 136 Uses ping.exe to check the status of other devices and networks 20->136 27 dfgdsbs.sfx.exe 8 20->27         started        30 conhost.exe 20->30         started        138 Detected Quasar RAT 23->138 process8 file9 100 C:\Users\user\AppData\Local\...\dfgdsbs.exe, PE32 27->100 dropped 32 dfgdsbs.exe 1 27->32         started        process10 signatures11 114 Antivirus detection for dropped file 32->114 116 Detected unpacking (changes PE section rights) 32->116 118 Machine Learning detection for dropped file 32->118 120 2 other signatures 32->120 35 dfgdsbs.exe 15 4 32->35         started        40 dfgdsbs.exe 2 32->40         started        42 MpCmdRun.exe 32->42         started        process12 dnsIp13 110 ip-api.com 208.95.112.1, 49734, 49735, 49738 TUT-ASUS United States 35->110 94 C:\Users\user\AppData\Roaming\cres\cres.exe, PE32 35->94 dropped 140 Detected Quasar RAT 35->140 142 Hides that the sample has been downloaded from the Internet (zone.identifier) 35->142 44 cres.exe 1 35->44         started        47 schtasks.exe 1 35->47         started        49 conhost.exe 42->49         started        file14 signatures15 process16 signatures17 148 Antivirus detection for dropped file 44->148 150 Machine Learning detection for dropped file 44->150 152 Injects a PE file into a foreign processes 44->152 51 cres.exe 44->51         started        56 cres.exe 44->56         started        58 cres.exe 44->58         started        60 cres.exe 44->60         started        62 conhost.exe 47->62         started        process18 dnsIp19 112 rippenhothelp.viewdns.net 94.156.68.155, 49736, 49739, 49750 TERASYST-ASBG Bulgaria 51->112 96 C:\Users\user\AppData\...\gE2vR7yTtvtc.bat, DOS 51->96 dropped 144 Detected Quasar RAT 51->144 146 Hides that the sample has been downloaded from the Internet (zone.identifier) 51->146 64 cmd.exe 51->64         started        67 schtasks.exe 51->67         started        98 C:\Users\user\AppData\...\8ksXjlWybprM.bat, DOS 56->98 dropped 69 cmd.exe 56->69         started        71 schtasks.exe 56->71         started        file20 signatures21 process22 signatures23 122 Uses ping.exe to sleep 64->122 73 cres.exe 64->73         started        75 conhost.exe 64->75         started        77 chcp.com 64->77         started        79 PING.EXE 64->79         started        81 conhost.exe 67->81         started        83 cres.exe 69->83         started        86 conhost.exe 69->86         started        90 2 other processes 69->90 88 conhost.exe 71->88         started        process24 signatures25 92 cres.exe 73->92         started        132 Injects a PE file into a foreign processes 83->132 process26
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/89c232f52d508d2f9a407a678d8e42d39444440a211dec807a9f74a6a7df0465
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/89c232f52d508d2f9a407a678d8e42d39444440a211dec807a9f74a6a7df0465/
Threat name:
Win32.Backdoor.QuasarRAT
Create hunting rule
Status:
Malicious
First seen:
2024-02-05 15:12:15 UTC
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rhbdf5jnkcgs7gsapjty3dsc2okeirakeeo6zad2t52knj67arsq._file
Verdict:
malicious
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:pvp spyware trojan
Link:
https://tria.ge/reports/240205-r3lmfsccaj/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
rippenhothelp.viewdns.net:64597
rippenhothelp.sytes.net:64597
Unpacked files
SH256 hash:
abefd32bc2c9944a93b8f5101f57977fde9e5e982f10ce4259fbc13d76216bad
MD5 hash:
435fc66b49f4fc0cd81f4585982f5e2c
SHA1 hash:
f75c56d9adb22c7dceedf1ed46c23cb7a073395d
Detections:
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/180fdcef-ee9a-44be-9cfb-0ff300496ded/
SH256 hash:
7945480a226a8fbb3dd59e1be3c6163907f15e5da048128c327096d154100196
MD5 hash:
b042b6bceeaf3e00ce085688719d1197
SHA1 hash:
e450136edd3a7d549daadb503f7a1d1d54119ef3
Detections:
QuasarRAT
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
CN_disclosed_20180208_KeyLogger_1
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Quasar_RAT_2
Create hunting rule
Quasar
Create hunting rule
Vermin_Keylogger_Jan18_1
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
MALWARE_Win_QuasarRAT
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Quasar_RAT_1
Create hunting rule
xRAT_1
Create hunting rule
win_quasarrat_j1
Create hunting rule
Link:
https://www.unpac.me/results/180fdcef-ee9a-44be-9cfb-0ff300496ded/
SH256 hash:
0b3b563cdec0e58560370736f6478814ebd70481c8eb95ff20b18aa7ea4ac613
MD5 hash:
c8922aab588d747a888e0d246ec09746
SHA1 hash:
9cb5777a239c36caeb5272d4b3a2ea6f2fb6a854
Link:
https://www.unpac.me/results/180fdcef-ee9a-44be-9cfb-0ff300496ded/
SH256 hash:
89c232f52d508d2f9a407a678d8e42d39444440a211dec807a9f74a6a7df0465
MD5 hash:
821a06a17d265c49b95d0bee2da8a0be
SHA1 hash:
7f3cfcc28df12840547a4dc3c8d43c4976b78281
Link:
https://www.unpac.me/results/180fdcef-ee9a-44be-9cfb-0ff300496ded/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/89c232f52d50/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/89c232f52d508d2f9a407a678d8e42d39444440a211dec807a9f74a6a7df0465

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:CN_disclosed_20180208_KeyLogger_1_RID3227
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:malware_Quasar_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Quasar_RAT_1
Create hunting rule
Author:@SOCRadar
Description:Detects Quasar RAT
Rule name:Quasar_RAT_1_RID2B54
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Description:Detects Quasar RAT
Rule name:Quasar_RAT_2_RID2B55
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:Windows_Trojan_Quasarrat_e52df647
Create hunting rule
Author:Elastic Security
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W
Rule name:xRAT_1_RID2900
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

Executable exe 89c232f52d508d2f9a407a678d8e42d39444440a211dec807a9f74a6a7df0465

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/474740/

Comments