MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95cc530b09ac9303c73e4c781d90bde4d57121f8c037889e303c363c898310e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 6

Intelligence 6 IOCs YARA 6 File information Comments

SHA256 hash:	95cc530b09ac9303c73e4c781d90bde4d57121f8c037889e303c363c898310e5
SHA3-384 hash:	45ac8412ddce8e494b58edd76878c4a296b22881db65488e13b6fb7885cf665af2dcad77b09f213e0edfd38b7e18f664
SHA1 hash:	ac1ad6fe17850be5a860e0eccdffdd4017d82023
MD5 hash:	e8771a57972cf377ed7a99ab9ad9e423
humanhash:	don-bluebird-nineteen-wolfram
File name:	95cc530b09ac9303c73e4c781d90bde4d57121f8c037889e303c363c898310e5
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	514'048 bytes
First seen:	2020-11-10 10:58:11 UTC
Last seen:	2024-07-24 19:15:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:VTEgdc0YWebGbXOsA6j1Rdhz7w3igxSKf5KFYxcEUeEHb8F9UealQVCGQNtA8BcE:VTEgdfYcA6fWbT4kz7vQQ6cd2
Threatray	17 similar samples on MalwareBazaar
TLSH	14B46B9027E88627E1AF67B9E8711410ABF5F417B267EB4F0940F1E92C66702DE42773
Reporter	seifreed
Tags:	QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Packed.Downeks-6898097-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the system32 subdirectories

Launching a process

Enabling the 'hidden' option for analyzed file

Creating a process from a recently created file

Creating a file

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Delayed writing of the file

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/95cc530b09ac9303c73e4c781d90bde4d57121f8c037889e303c363c898310e5/

Threat name:

ByteCode-MSIL.Trojan.Perseus

Status:

Malicious

First seen:

2020-11-10 11:00:09 UTC

AV detection:

36 of 48 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sxgfgcyjvsjqhrz6jr4b3ef54tkxcipyya3yrhrqhq3dzcmdcdsq._file

Verdict:

malicious

QuasarRAT

28781eb82584acf1dcfc5fb193e27152c5a57bed3a0c249f490759b5c1e84b9b

QuasarRAT

3a83d1211c8a9235a72f0dcea5c36ec53a99ed83340e35097e7f41773bc8fb3f

QuasarRAT

41c11b942c8abb394d9ee8b14bdd4edb229962db1b1efff70b36706dbf7f5fba

QuasarRAT

48d3e4804c326bea85228d97194d5b803b1226e892219328904e2c788b149e27

QuasarRAT

585e4146923404bbe11c2cf5a423e2650a5d133541e9baeacb64a4d675f6484d

QuasarRAT

a62e4e1d21bdc64eea17d8bbc4ab5e6c48dc57abbb470322c3357abdef15341f

QuasarRAT

ac4d3acc896cc3fd6e4ba14547572dfc0447f47f2c29c28a170db4b0169c6e2f

QuasarRAT

d3922882bfee49abb72584b9d5918f3787221fa40b7f552c98d7bc0e55833234

QuasarRAT

ee2e84f75b0b6043c2a2e3b84bdeabc0be4a4a1e4c6ec6a3ff255963b545425d

QuasarRAT

+ 7 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/201110-dpjkst27me/

Behaviour

Creates scheduled task(s)

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Executes dropped EXE

Unpacked files

SH256 hash:

95cc530b09ac9303c73e4c781d90bde4d57121f8c037889e303c363c898310e5

MD5 hash:

e8771a57972cf377ed7a99ab9ad9e423

SHA1 hash:

ac1ad6fe17850be5a860e0eccdffdd4017d82023

Link:

https://www.unpac.me/results/37f099c3-7d24-4bd3-b6c9-b2d8408c965d/

SH256 hash:

a4f0ad7abc9936f843a968cbd5ee1172902f27f79732003b2ab954e0149e789e

MD5 hash:

0e302fa847c72a82a89dde77a37f9963

SHA1 hash:

1291ac2857013c92d275b6708bb20b4c6007b6ce

Link:

https://www.unpac.me/results/37f099c3-7d24-4bd3-b6c9-b2d8408c965d/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Vermin_Keylogger_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Vermin Keylogger
Reference:	https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample