MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b629ce7607ee755d467e058cf51187d2ca5c095d5dc5708826f9c47b06c3c07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 4

SHA256 hash: 9b629ce7607ee755d467e058cf51187d2ca5c095d5dc5708826f9c47b06c3c07
SHA3-384 hash: dd18334134c18efc5c42254b6ab12406d5030f10e7c524c78e1e2fdd82233e5c7099537232ff97d912a44d4ebe4ed900
SHA1 hash: 4160aee5e392077060c471b0437dbda92833bfe8
MD5 hash: ec12c30c3b512cbe092fcfd4bb146fb1
humanhash: cup-virginia-mike-speaker
File name: SecuriteInfo.com.Gen.Variant.Razy.624632.22428.20501
Signature: QuasarRAT
File size: 1'581'056 bytes
First seen: 2020-04-07 21:42:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bf5a4aa99e5b160f8521cadd6bfe73b8 (434 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep: 49152:akQTAdggp3AEDSIi7/ZLOVrn0EsHma8n1j8:aadBp3ADt7/Zy10Etaq14
Threatray: 195 similar samples on MalwareBazaar
TLSH: 417523237660D2B7D1B6A03145E9CBA46A3E31328766D5E7BB8827BB1F501F193342CD
Reporter: SecuriteInfoCom
Tags: QuasarRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 101
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Mbt
Status: Malicious
First seen: 2020-04-06 17:50:04 UTC
File Type: PE (Exe)
AV detection: 27 of 31 (87.10%)
Threat level: 2/5
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar, as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: QuasarRAT
File: Executable exe 9b629ce7607ee755d467e058cf51187d2ca5c095d5dc5708826f9c47b06c3c07 (this sample)

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews

ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleA, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleCP, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileA
