MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91ebe59cde57d7f4b32203db128abccf46fcbb02da1b072edf3d21601c9a5556. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91ebe59cde57d7f4b32203db128abccf46fcbb02da1b072edf3d21601c9a5556
SHA3-384 hash: b039dc5a90f816b44efd136f0de69c05c7df2d65a3b817ca6328f4e5abaf35dc817120ef48d3bd8a02dd9141bcaf5288
SHA1 hash: 2a5c12f4d1ea76e168b46634031115ef2e440560
MD5 hash: 9fd715184736db9e80c55ad49fb2368d
humanhash: oven-ohio-venus-chicken
File name:91EBE59CDE57D7F4B32203DB128ABCCF46FCBB02DA1B0.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:8'775'168 bytes
First seen:2022-09-22 22:00:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9096a11a487ecf63af12a8c80797466b (1 x QuasarRAT)
ssdeep 196608:bJQaPHrQqXs140qMhu8369sV+HLz9SKUeNdDhHidVUoyLfBr9K21AOwuI9eq24+3:bJQaPHrQqXs140qMhu8369sV+HLz9SKh
Threatray 130 similar samples on MalwareBazaar
TLSH T1C696E09AF23861D8C427D0BD8527D607E3B038450760DBEBA6D14B462F67BE59E3EB01
TrID 83.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
7.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
QuasarRAT C2:
27.72.56.186:9782

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
27.72.56.186:9782 https://threatfox.abuse.ch/ioc/851183/

Intelligence

File Origin
# of uploads :
1
# of downloads :
402
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
91EBE59CDE57D7F4B32203DB128ABCCF46FCBB02DA1B0.exe
Verdict:
No threats detected
Analysis date:
2022-09-22 22:01:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eb4a341b-07cc-4cf4-9bbd-cacbe43c8cbe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312461/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file in the %AppData% subdirectories
Launching a process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38502/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
anti-vm asyncrat dllhost.exe greyware packed quasar regsvr32.exe shell32.dll
Link:
https://www.filescan.io/uploads/632cdb24e64c53f047fe70cf/reports/674f79a2-1a62-49d9-a7c8-aa82f81b9e90/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d62b4c1-7642-4144-a857-fc3ad0887ca0
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1075071
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 707613 Sample: sf82hcVPNc.exe Startdate: 22/09/2022 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected Quasar RAT 2->42 8 sf82hcVPNc.exe 5 2->8         started        12 sf82hcVPNc.exe 2 2->12         started        process3 file4 26 C:\Users\user\AppData\Roaming\...\svhost.exe, PE32+ 8->26 dropped 28 C:\Users\user\AppData\...\sf82hcVPNc.exe.log, ASCII 8->28 dropped 44 Uses schtasks.exe or at.exe to add and modify task schedules 8->44 46 Tries to detect virtualization through RDTSC time measurements 8->46 48 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->48 14 svhost.exe 14 2 8->14         started        18 schtasks.exe 1 8->18         started        signatures5 process6 dnsIp7 30 27.72.56.186, 49713, 9782 VIETEL-AS-APViettelGroupVN Viet Nam 14->30 32 tools.keycdn.com 185.172.148.96, 443, 49715 PROINITYPROINITYDE Germany 14->32 34 2 other IPs or domains 14->34 50 Multi AV Scanner detection for dropped file 14->50 52 May check the online IP address of the machine 14->52 54 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->54 56 3 other signatures 14->56 20 schtasks.exe 1 14->20         started        22 conhost.exe 18->22         started        signatures8 process9 process10 24 conhost.exe 20->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91ebe59cde57d7f4b32203db128abccf46fcbb02da1b072edf3d21601c9a5556/
Threat name:
ByteCode-MSIL.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2022-08-14 12:44:00 UTC
File Type:
PE+ (Exe)
Extracted files:
5
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=shv6lhg6k7l7jmzcapnrfcv4z5dpzoyc3inqolw7huqwahe2kvla._file
Verdict:
unknown
Similar samples:
2421c5815103b12aefee6faecb1ebbe910c6a17c7ed68f0d7bb2064ec4e97291
QuasarRAT
3c435e50212630a138e86e643c1455843e0e87541022f0041931d7ef6253d784
QuasarRAT
3e6f7f9456ae9906e40da831c58f9b78a2eee8af2682cac7a9abf1a854142aa0
QuasarRAT
51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6
QuasarRAT
7f7ebad193f76acfd76deebe1f9614da18537896e0e6b04d7873cd486f0cf4fd
QuasarRAT
899718beec2df6d768081954dabec9407c79a51c807b80d69e1a4ff7cdea2629
QuasarRAT
8e570e32acb99abfd0daf62cff13a09eb694ebfa633a365d224aefc6449f97de
QuasarRAT
9a45c640e91c9140c994f9e9ca5cfaea2f11000f988d538482356aa385ece7ba
QuasarRAT
d5b1a96dc7d4007a9228abee105cd77305827ed28aac77932e7c416c888c9d30
QuasarRAT
+ 120 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar spyware trojan
Link:
https://tria.ge/reports/220922-1w7qsagbfq/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Quasar RAT
Quasar payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/011950f1-c384-426d-8a58-e6cc29ec3b45
Unpacked files
SH256 hash:
91ebe59cde57d7f4b32203db128abccf46fcbb02da1b072edf3d21601c9a5556
MD5 hash:
9fd715184736db9e80c55ad49fb2368d
SHA1 hash:
2a5c12f4d1ea76e168b46634031115ef2e440560
Link:
https://www.unpac.me/results/81c47e47-8af1-45e0-8308-80ac3f0868d6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/91ebe59cde57/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91ebe59cde57d7f4b32203db128abccf46fcbb02da1b072edf3d21601c9a5556

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_DNGuard
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with DNGuard
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest7
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/312461/

Comments