MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90a7d32599baf26d6cab07b9f35843a01ecd2d574539bcf64516768c501c9f45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90a7d32599baf26d6cab07b9f35843a01ecd2d574539bcf64516768c501c9f45
SHA3-384 hash: 088ea114e9459333af406ef1e218ed4fcc4c89648641b0f686c012bc3f969f09f50f4aa2e6ed864902c58b9dcfcff361
SHA1 hash: f4b51f56808225f52212f19fd3b6477d5f569b6f
MD5 hash: 8a4879bee1a9876983367c1228839637
humanhash: louisiana-delaware-november-enemy
File name:8a4879bee1a9876983367c1228839637.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:514'048 bytes
First seen:2022-08-09 18:27:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:QTEgdfYKbghVdGgsomCxMCHElxHBTZccdO:lUwrPVssHC8cdO
Threatray 4'247 similar samples on MalwareBazaar
TLSH T1EFB46C4063E8862BE1BE5779E931142097F8F81BF367EB8F4500A2EA2D66742DD41773
TrID 53.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
12.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.6% (.SCR) Windows screen saver (13101/52/3)
7.7% (.EXE) Win64 Executable (generic) (10523/12/4)
4.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter abuse_ch
Tags:exe QuasarRAT RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8a4879bee1a9876983367c1228839637.exe
Verdict:
Malicious activity
Analysis date:
2022-08-09 18:38:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d3873476-8659-473f-aac3-92ff686ba8af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/297478/
Detection(s):
Win.Malware.Bulz-9823462-0
Create hunting rule

Win.Malware.Generic-9883082-0
Create hunting rule

Win.Malware.Generic-9883083-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.QuasarStealer.UNOFFICIAL
Create hunting rule

Win.Packed.Downeks-6898097-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Setting a keyboard event handler
DNS request
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a file
Launching a process
Sending a custom TCP request
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware keylogger packed quasarrat rat shell32.dll stealer vermin
Link:
https://www.filescan.io/uploads/62f2a7c2e4e65a67c499aeab/reports/45485b56-3d2a-4bf4-9cae-c1948ec1c6b0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/330ffc23-bb10-4d2e-a4db-90108a117770
Result
Threat name:
AsyncRAT, Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1048760
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 681252 Sample: LTwPa18DHH.exe Startdate: 09/08/2022 Architecture: WINDOWS Score: 100 79 xeirz.ddns.net 2->79 99 Multi AV Scanner detection for domain / URL 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 Antivirus detection for URL or domain 2->103 105 8 other signatures 2->105 15 LTwPa18DHH.exe 5 2->15         started        signatures3 process4 dnsIp5 87 xeirz.ddns.net 15->87 75 C:\Users\user\AppData\...\LTwPa18DHH.exe.log, ASCII 15->75 dropped 89 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->89 91 Installs a global keyboard hook 15->91 20 cmd.exe 1 15->20         started        file6 signatures7 process8 signatures9 107 Uses ping.exe to sleep 20->107 109 Uses ping.exe to check the status of other devices and networks 20->109 23 LTwPa18DHH.exe 4 20->23         started        27 conhost.exe 20->27         started        29 PING.EXE 1 20->29         started        31 chcp.com 1 20->31         started        process10 dnsIp11 83 xeirz.ddns.net 23->83 115 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->115 117 Installs a global keyboard hook 23->117 33 cmd.exe 1 23->33         started        signatures12 process13 signatures14 93 Uses ping.exe to sleep 33->93 36 LTwPa18DHH.exe 4 33->36         started        40 conhost.exe 33->40         started        42 PING.EXE 1 33->42         started        44 chcp.com 1 33->44         started        process15 dnsIp16 81 xeirz.ddns.net 36->81 111 Hides that the sample has been downloaded from the Internet (zone.identifier) 36->111 113 Installs a global keyboard hook 36->113 46 cmd.exe 1 36->46         started        signatures17 process18 signatures19 123 Uses ping.exe to sleep 46->123 49 LTwPa18DHH.exe 4 46->49         started        53 conhost.exe 46->53         started        55 PING.EXE 1 46->55         started        57 chcp.com 1 46->57         started        process20 dnsIp21 77 xeirz.ddns.net 49->77 95 Hides that the sample has been downloaded from the Internet (zone.identifier) 49->95 97 Installs a global keyboard hook 49->97 59 cmd.exe 49->59         started        signatures22 process23 signatures24 121 Uses ping.exe to sleep 59->121 62 LTwPa18DHH.exe 59->62         started        66 conhost.exe 59->66         started        68 chcp.com 59->68         started        70 PING.EXE 59->70         started        process25 dnsIp26 85 xeirz.ddns.net 62->85 125 Hides that the sample has been downloaded from the Internet (zone.identifier) 62->125 127 Installs a global keyboard hook 62->127 72 cmd.exe 62->72         started        signatures27 process28 signatures29 119 Uses ping.exe to sleep 72->119
Detection:
quasar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/90a7d32599baf26d6cab07b9f35843a01ecd2d574539bcf64516768c501c9f45/
Threat name:
ByteCode-MSIL.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2022-08-09 18:28:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sct5gjmzxlzg23fla647gwcduapm2lkxiu43z5sfcz3iyua4t5cq._file
Verdict:
malicious
Similar samples:
054498f9520c77728c723a72e1657dd9371090e8c9ac67b53e888e5c0d03afed
QuasarRAT
494e50277e9added0f90ee0791c2ac21c54c18ab0b0b9820c66fa7cf437497ce
QuasarRAT
711348ec1fb1f2a06aa394618b3dde8e91b29ba6b0097d545429521ad54326f1
QuasarRAT
9f5ff17f83e1324e818db69e26d1f9adb3b4c1c0d31e3768ef1a6fdf1239726e
QuasarRAT
b3562016293d5dad923e804f2439ce6d216d88cc3e8f8ce6d3e3bb1288f3089d
QuasarRAT
bb91ab5b5db4ac2b50ff6ee4309b304d9e41e00c1d162a0daa8071bed04dd2ba
QuasarRAT
c43676781fca6b654af09543db51c110a90669ab8ebc3e3958f97457674f21ab
QuasarRAT
e80fa82616da921b5f368edb0dea27f5a5ade7a3eb55ca89b32438c1900d7d34
QuasarRAT
+ 4'237 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:dolevz spyware trojan
Link:
https://tria.ge/reports/220809-w4bk4aecdl/
Behaviour
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
xeirz.ddns.net:1604
Unpacked files
SH256 hash:
90a7d32599baf26d6cab07b9f35843a01ecd2d574539bcf64516768c501c9f45
MD5 hash:
8a4879bee1a9876983367c1228839637
SHA1 hash:
f4b51f56808225f52212f19fd3b6477d5f569b6f
Link:
https://www.unpac.me/results/b0e0c501-c7bc-45ed-a3d3-14657dea49d7/
Malware family:
xRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/90a7d32599ba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90a7d32599baf26d6cab07b9f35843a01ecd2d574539bcf64516768c501c9f45

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 90a7d32599baf26d6cab07b9f35843a01ecd2d574539bcf64516768c501c9f45

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2270579/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/297478/

Comments