MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f788e07cb6b288c2650fa817d823425dbdfec3476a4683718ba2f351e9fa8b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f788e07cb6b288c2650fa817d823425dbdfec3476a4683718ba2f351e9fa8b3
SHA3-384 hash: 7e270478296fca26d3b6eca4c4c9410062380b22b4dcfdaf165982ef24dbdffa51cc14df7bf3cfa83a44879693b38896
SHA1 hash: 72f34daee6c6698b0b9114606a0a655bbd67b7f8
MD5 hash: 415109dfdbabe14f33006a965311095d
humanhash: jig-twenty-fruit-carpet
File name:file.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:4'521'472 bytes
First seen:2023-05-22 08:18:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:7mWIu/4ALu2Cy2n5D4vqwfuEgjl4tMVrXDcUGPF9L0IU6:KWiAL+nK9gjl4tMJIUGdGt
Threatray 148 similar samples on MalwareBazaar
TLSH T18426338DA0247BE4C7206A3EE083B7F753195DED6D43DBCBA28D31945FA0FA71254286
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1064e4d8c4f8f8c4 (1 x Chaos, 1 x QuasarRAT)
Reporter abuse_ch
Tags:exe QuasarRAT RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-05-22 08:19:17 UTC
Tags:
rat quasar trojan asyncrat
Link:
https://app.any.run/tasks/f69f7786-f92c-423a-a8d4-ecd02ce29d27

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Seraph-9994131-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed quasar
Link:
https://www.filescan.io/uploads/646b2577cea49ad0fc89b68f/reports/862b5d54-12c2-48dc-98ec-7633704de513/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/9f788e07cb6b288c2650fa817d823425dbdfec3476a4683718ba2f351e9fa8b3
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ab2dd6c9-e25b-4ae4-afc3-5b9c1c82b727
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1240226
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 873228 Sample: file.exe Startdate: 23/05/2023 Architecture: WINDOWS Score: 100 57 Snort IDS alert for network traffic 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 8 other signatures 2->63 7 file.exe 1 6 2->7         started        11 service.exe 2 2->11         started        13 service.exe 2->13         started        process3 file4 39 C:\Users\user\AppData\Local\...\service.exe, PE32 7->39 dropped 41 C:\Users\user\...\service.exe:Zone.Identifier, ASCII 7->41 dropped 43 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 7->43 dropped 65 Encrypted powershell cmdline option found 7->65 67 Writes to foreign memory regions 7->67 69 Injects a PE file into a foreign processes 7->69 15 aspnet_compiler.exe 15 2 7->15         started        19 cmd.exe 1 7->19         started        21 cmd.exe 1 7->21         started        23 2 other processes 7->23 71 Machine Learning detection for dropped file 11->71 signatures5 process6 dnsIp7 45 microsoftbackup.duckdns.org 95.214.27.146, 47600, 49696 CMCSUS Germany 15->45 47 ipwho.is 195.201.57.90, 443, 49698 HETZNER-ASDE Germany 15->47 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->49 51 Installs a global keyboard hook 15->51 53 Encrypted powershell cmdline option found 19->53 55 Uses ipconfig to lookup or modify the Windows network settings 19->55 25 conhost.exe 19->25         started        27 ipconfig.exe 1 19->27         started        29 powershell.exe 21 21->29         started        31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        35 conhost.exe 23->35         started        37 ipconfig.exe 1 23->37         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f788e07cb6b288c2650fa817d823425dbdfec3476a4683718ba2f351e9fa8b3/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-05-22 01:26:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t54i4b6lnmuiyjsq7kax3aruexn573buo2sgqnyyxixtkhu7vczq._file
Verdict:
malicious
Similar samples:
28229a2ce2ed4265f4389b7228fb0065ef8656502ca833ef77fe2927a9f85fd8
QuasarRAT
4a23db5ce6616e586397a0ac25de51cc1450f4217009715f8ac809b20d377b39
QuasarRAT
6529401bd18baaa7666ac93568a0f729eb5ac129ad7df7156fc48f3e1d697609
QuasarRAT
6bbfe6d2ca7241e70b06e47f8866d1256de832141b6e5fb6a2019e2f7099d263
QuasarRAT
a7a5ce7c3c6fe4c23529f1254a71b8772327e3b68f1adceff98d7c2fb9af0315
QuasarRAT
d6d76fa5c46ce88e8def28ab03889c00078284de39865f0b00b6b5dce603ce16
QuasarRAT
e3dc423684976ae02183ff7156153303f75d3961decb3215213faa46d0926c69
QuasarRAT
e57f004cdd5d2da92e0429a1fdba612f17852781f389dc855c217341e28dc35b
QuasarRAT
+ 138 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office04 persistence spyware trojan
Link:
https://tria.ge/reports/230522-j7vf6afa53/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
microsoftbackup.duckdns.org:47600
Unpacked files
SH256 hash:
9f788e07cb6b288c2650fa817d823425dbdfec3476a4683718ba2f351e9fa8b3
MD5 hash:
415109dfdbabe14f33006a965311095d
SHA1 hash:
72f34daee6c6698b0b9114606a0a655bbd67b7f8
Link:
https://www.unpac.me/results/1e3f002a-7ed3-4a94-899b-21f80a0f4ad6/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9f788e07cb6b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/9f788e07cb6b288c2650fa817d823425dbdfec3476a4683718ba2f351e9fa8b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 9f788e07cb6b288c2650fa817d823425dbdfec3476a4683718ba2f351e9fa8b3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2638493/
  
Delivery method
Distributed via web download

Comments