MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9760105f3177384c19086dee036cdc67916d744f4a1e7064ecfd906e252dba69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	9760105f3177384c19086dee036cdc67916d744f4a1e7064ecfd906e252dba69
SHA3-384 hash:	09ab096d2aaa34095ca6ce5a15ab637434c9b050a8e6e73b8efd502ef841760b033d21538f2380b1485ff40c93b33c80
SHA1 hash:	2e4683e90b7f045fe4ff84510a6a1e1cd5be24d5
MD5 hash:	1f333b46303568ad29a04523d6dbcf54
humanhash:	mike-fish-may-don
File name:	Client-built.bin
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	615'936 bytes
First seen:	2020-07-07 06:23:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:qTEgdc0YmX7IxUpGREWKndnmuqqvh5EtqW+yw4iUcEeOb8F9i0AJzPqPfcTR3U:qTEgdfYnxUHdnpA4vywwOpbazEcdU
Threatray	33 similar samples on MalwareBazaar
TLSH	B0D4178123B8C51BE16E57B9E8B1C4F167F4EC06E666E70F55C0BEAB38767018D406A3
Reporter	JAMESWT_WT
Tags:	Quasar QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

Win.Packed.Downeks-6898097-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Launching a process

Creating a process from a recently created file

Setting a keyboard event handler

DNS request

Sending a custom TCP request

Enabling autorun with Startup directory

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9760105f3177384c19086dee036cdc67916d744f4a1e7064ecfd906e252dba69/

Threat name:

ByteCode-MSIL.Trojan.Perseus

Status:

Malicious

First seen:

2020-07-07 06:25:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=s5qbaxzro44eygiinxxag3g4m6iw25cpjiphazhm7wig4jjnxjuq._file

Verdict:

malicious

QuasarRAT

1aabe4a4ce09025edf03501ea5cce117d4315f4baa19c0110e1c779ae2bd9ad3

QuasarRAT

1d0e8150809cb78fb1cf2cad89dc63b884ef4459e93ce4fbb4676ff705bb2679

QuasarRAT

29790388ca244a8fd3bb2448a59e45fba4dc715fec7a0bf09a7f6d4df79ef9a9

QuasarRAT

3a83d1211c8a9235a72f0dcea5c36ec53a99ed83340e35097e7f41773bc8fb3f

QuasarRAT

585e4146923404bbe11c2cf5a423e2650a5d133541e9baeacb64a4d675f6484d

QuasarRAT

5ba0344c196d2605e844a2b15cff5c93412d58e9ca5c8446c468fa768604242d

QuasarRAT

79c2240abb05bcad2847f6fe50ae69f6a3cbdeea82bdc659e75f85eb59f442f9

QuasarRAT

ac4d3acc896cc3fd6e4ba14547572dfc0447f47f2c29c28a170db4b0169c6e2f

QuasarRAT

d3922882bfee49abb72584b9d5918f3787221fa40b7f552c98d7bc0e55833234

QuasarRAT

+ 23 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/200707-9vrfszp2d6/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	Vermin_Keylogger_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Vermin Keylogger
Reference:	https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/21856/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample