MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99a6c8e156dba4fda6e2b6ca0802cc08d49556b489e97618e565768329521413. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99a6c8e156dba4fda6e2b6ca0802cc08d49556b489e97618e565768329521413
SHA3-384 hash: f190c01451c55f72a6ce9e1ced54e0f14b648096498aa53d7c3172311202c2a9f9155094c651f7c77a94ef125f6867f0
SHA1 hash: 69f26f77ee25f28e26bda5e72b303a58c336f6c8
MD5 hash: 378abe2f88b1a19c9cae6bbfad590299
humanhash: seven-winner-pasta-arkansas
File name:378abe2f88b1a19c9cae6bbfad590299.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:4'878'336 bytes
First seen:2020-12-02 08:40:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5479775c1d012f10601477c1237fe7d4 (6 x QuasarRAT, 2 x BitRAT, 1 x RevCodeRAT)
ssdeep 98304:SvPpO8djQQ8J+301uygutWJGbg34r0JqHRwI0bXEIOA04cBoXX3:mOQZEuObkS0JqHPDIOc+y
Threatray 36 similar samples on MalwareBazaar
TLSH 3236236FE6B08837C0622938DC1FD69B5925BE132B685C862BF81D48BF3D65179352C3
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
QuasarRAT payload URL:
http://medicalcorp.ro/royal2/helper/gd/zt/jbrowserQ.exe

QuasarRAT C2:
185.157.161.109:1972

Intelligence

File Origin
# of uploads :
1
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106344/
Detection(s):
SecuriteInfo.com.BackDoor.Quasar.124.18597.2139.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/553336
Signature
Allocates memory in foreign processes
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 325765 Sample: onoRei8a9R.exe Startdate: 02/12/2020 Architecture: WINDOWS Score: 100 39 Sigma detected: Drops script at startup location 2->39 41 Machine Learning detection for sample 2->41 8 onoRei8a9R.exe 2->8         started        11 wscript.exe 1 2->11         started        process3 dnsIp4 53 Writes to foreign memory regions 8->53 55 Allocates memory in foreign processes 8->55 57 Queues an APC in another process (thread injection) 8->57 14 notepad.exe 5 8->14         started        37 192.168.2.1 unknown unknown 11->37 18 ropl.exe 11->18         started        signatures5 process6 file7 29 C:\Users\user\AppData\Roaming\ercv\ropl.exe, PE32 14->29 dropped 31 C:\Users\user\...\ropl.exe:Zone.Identifier, ASCII 14->31 dropped 33 C:\Users\user\AppData\Roaming\...\nmjk.vbs, ASCII 14->33 dropped 61 Creates files in alternative data streams (ADS) 14->61 63 Drops VBS files to the startup folder 14->63 20 ropl.exe 14->20         started        65 Maps a DLL or memory area into another process 18->65 23 ropl.exe 18->23         started        signatures8 process9 signatures10 43 Detected unpacking (changes PE section rights) 20->43 45 Detected unpacking (overwrites its own PE header) 20->45 47 Machine Learning detection for dropped file 20->47 51 3 other signatures 20->51 25 ropl.exe 1 20->25         started        49 Hides threads from debuggers 23->49 process11 dnsIp12 35 185.157.161.109, 1973, 49714, 49715 OBE-EUROPEObenetworkEuropeSE Sweden 25->35 59 Hides threads from debuggers 25->59 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99a6c8e156dba4fda6e2b6ca0802cc08d49556b489e97618e565768329521413/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-12-02 08:40:10 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tgtmrykw3osp3jxcw3faqawmbdkjkvvurhuxmghfmv3igkkscqjq._file
Verdict:
malicious
Similar samples:
04c27b0ff1c12b58c1520db0ffc14e7ced2f5adae24e08a3ff66fcc1723676cf
QuasarRAT
092223938bed5fec479602f4bf2cb0fd28dd628e8754714047b0b7939cd2e298
QuasarRAT
0cf6c64800271784234f89dd95925d58075254e5756946de94f447b6defee4fc
QuasarRAT
40512789548e02bb2db55e51975a733d342279a76c7ecdf78b9e238329591200
QuasarRAT
723e6b54cd996205412396bbfba18171a8e4e7297dd2492b35ec198e122849cb
QuasarRAT
78fc1b0ad5b1bf8392a5e1a6dde5dab2fbee2f2fbb833c3c4ba85ace7e9c35e5
QuasarRAT
83db3e008537b9da1f048cf2a36931238afcdabf35ecbeedecd808ea6bee3bf3
QuasarRAT
b7823b23e2ef21045e77a01f2f34f86f387a607f4c1d949571c01c1fcdfd7fa1
QuasarRAT
cd857ee1ccdff34a0cd65732a18bc3a99d53e388423dcff0a73ca0307dcb1f7a
QuasarRAT
ef67b30b7ae1fd2b27a17f1e0172954912c78c541f7cb162ff003a9b42f128c4
QuasarRAT
+ 26 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/201202-6av3yz9p8j/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
99a6c8e156dba4fda6e2b6ca0802cc08d49556b489e97618e565768329521413
MD5 hash:
378abe2f88b1a19c9cae6bbfad590299
SHA1 hash:
69f26f77ee25f28e26bda5e72b303a58c336f6c8
Link:
https://www.unpac.me/results/e9d78248-3e58-466c-b4d8-41d6b6726a60/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/99a6c8e156dba4fda6e2b6ca0802cc08d49556b489e97618e565768329521413

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MSILStealer
Create hunting rule
Author:https://github.com/hwvs
Description:Detects strings from C#/VB Stealers and QuasarRat
Reference:https://github.com/quasar/QuasarRAT
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 99a6c8e156dba4fda6e2b6ca0802cc08d49556b489e97618e565768329521413

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/869725/
  
URLhaus
https://urlhaus.abuse.ch/url/869726/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/106344/

Comments