MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f999d5b44ff7bd243bc33f8a89f504c95d6b21eef26b7b80a49715471ff43d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 5

Intelligence 5 IOCs YARA 4 File information Comments

SHA256 hash:	9f999d5b44ff7bd243bc33f8a89f504c95d6b21eef26b7b80a49715471ff43d3
SHA3-384 hash:	651306fe53811cb776318a02691abe10360a0fa58ab1cb46afb8adce88b62fc6188d770c136d1743548ea6a2aaaf536b
SHA1 hash:	b902fa2ab0200818f8c9c5caf7bb3b1950368ab8
MD5 hash:	9cd4f57a4369aab516c52fd395c0b5cb
humanhash:	spring-carbon-cold-leopard
File name:	SI PU5675 239615.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	933'888 bytes
First seen:	2020-09-09 13:49:09 UTC
Last seen:	2020-09-09 14:45:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	24576:IAQ+Zp4ag1nrGJ9YTBfubuelNxHNCsne0D5:7r4aarmK03tCIeU
Threatray	36 similar samples on MalwareBazaar
TLSH	CF1523D03BAE4731C8ECCBBCD96C72110B30A558D412F78FAAC8E2F656453B6654A376
Reporter	James_inthe_box
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/58173/

Detection(s):

SecuriteInfo.com.Trojan.Siggen10.14423.168.14456.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Setting a global event handler for the keyboard

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/462064

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9f999d5b44ff7bd243bc33f8a89f504c95d6b21eef26b7b80a49715471ff43d3/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-09-09 08:43:55 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=t6mz2w2e7555eq54gp4krh2qjsk5nmq654tlpoakjfyvi4p7ipjq._file

Verdict:

unknown

QuasarRAT

234b2c300af5e4ac2001332e07c2e54bd48dac174cf8b5d0c486a3cc6076043c

QuasarRAT

669c338b6022e64b567ca5975b33f2ca26ec77e3b85d3dcb5b8d2002417333d9

QuasarRAT

8bd39d451b99909467edb3df6618762071da426ee580108882e300cf8b21b0cb

QuasarRAT

9b19c9209b2ae45df8c1d9d9f9b4e00f3d6c9edfb4ff64578d06a5a3f0a099e2

QuasarRAT

9fb2e0b5f09a7d3d66195fbaa6e7055cba4331ca2563305fc32104c82a978aa9

QuasarRAT

ab7cc003aa4d6807236dcd8983804a44a460a462c0e6d4ef70b3030f8ab6b366

QuasarRAT

c0c4c97332bfb8b5254c089e82c05d0a7d171747b72f991f7e3bdb2ed74856d0

QuasarRAT

d7b0da0e8ccc1474692b0d96320de2254fa2b033bf3c00a9d10dad95aed383ad

QuasarRAT

dd652810ff0fc0288768ac20d5fcc76f7bc517c3ed8b066a18340a8b69c69c3a

QuasarRAT

+ 26 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/200909-qxm3zd2aka/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Drops file in Windows directory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

Checks computer location settings

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/9f999d5b44ff7bd243bc33f8a89f504c95d6b21eef26b7b80a49715471ff43d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/58173/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample