MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a323a9891c15a533b2356c710a9610dcd764931b2122404d1278952d6a2611e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 12 File information Comments

SHA256 hash:	a323a9891c15a533b2356c710a9610dcd764931b2122404d1278952d6a2611e1
SHA3-384 hash:	a784838486b69be5100980f03c3e1054976c2107f6bc1c7badf3d84e71648d5fca3debae9b5ca6fbe60ca988e53d7761
SHA1 hash:	efadf32a52f1b6bfde9ab82bd4ac5cd1598d8a8f
MD5 hash:	0fb77a7f91ccadcee16b1f264b0a53df
humanhash:	enemy-skylark-double-jupiter
File name:	a323a9891c15a533b2356c710a9610dcd764931b2122404d1278952d6a2611e1
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	1'092'608 bytes
First seen:	2021-08-30 06:19:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'603 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:kARNJ6j3LBFsSfNJwZH3Uw2oQb+9BXNwQlsljyFVRelCuXjV+apo+gO0aoUWqnDi:bLJ+FFsSFJg9LuuqnDonB1
Threatray	210 similar samples on MalwareBazaar
TLSH	T1C63588242DEF202AB373AE7DDBE4759AD95EB6A32707585D106203C60713D82DDC2A3D
Reporter	JAMESWT_WT
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

112

Origin country :

n/a

Vendor Threat Intelligence

Detection:

QuasarRAT

Link:

https://www.capesandbox.com/analysis/183520/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a file

Launching a process

Creating a window

Sending a UDP request

Malware family:

Quasar RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3a10b5f4-f6a2-4e6e-affc-191b24d2bd64

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/841281

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a323a9891c15a533b2356c710a9610dcd764931b2122404d1278952d6a2611e1/

Threat name:

ByteCode-MSIL.Trojan.Quasar

Status:

Malicious

First seen:

2021-08-25 23:53:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 46 (58.70%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=umr2tci4cwsthmrvnryqvfqq3tlwjey3eereatispcks22rgchqq._file

Verdict:

malicious

QuasarRAT

25a419f3b2963cf24fda8824b538b67dc73fd2e4d32e73cd5bfdf935c61769dd

QuasarRAT

26cb425375a7613736c367866d0b79b8b7d8845437ec88e87bc83146445f892e

QuasarRAT

2df82d12b3e4627ffb2f7c0e6c8371f23c4beabb935f93b2c88389953fc07027

QuasarRAT

40ac8e128b78d30d49accda865a6ca90a23cf7b7e5f31042c7df55a9fe1b5af4

QuasarRAT

b29a1b48648aacf2fe60861692bd0991cf226956ea986b687972667496e1d7d7

QuasarRAT

b3d36e86a478b5223968e34ca51bff54002eb9b1a01ef26d8b657d49dd4dd831

QuasarRAT

d6031bb15fd16cac9b514985035e18f08f0beaaa0542a66274467cb66e76a8fd

QuasarRAT

e2d6b8bc603260f1a7564a044523d230c31c8d873deabb579cae90b88f1b92b9

QuasarRAT

e99398f753e61710eaea626dc778a19fc47a34f103b5ff1daaa0d7ad7f6432c4

QuasarRAT

+ 200 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar botnet:office04 spyware trojan

Link:

https://tria.ge/reports/210830-t6jtmlvp9j/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Quasar Payload

Quasar RAT

Malware Config

C2 Extraction:

10.8.31.138:28394

Unpacked files

SH256 hash:

13a093e9bc1df2130c9f6573812fb723531aaabe2395c0d6c3d312830eee12f2

MD5 hash:

f501899878d8cdfe58994ee8bcbb39dd

SHA1 hash:

a5b56be7ea643092e339d51d23a1337b9f6c367b

Link:

https://www.unpac.me/results/fb10e3ae-fe0e-49ae-9054-f0f9428a5e22/

SH256 hash:

691fb82c3f78a49086c6f61747195cde07448d2c03cc91b1889b407c50183c98

MD5 hash:

0f2c0e9e783f4f06a09e4e65653aa950

SHA1 hash:

55f721bdd5cc1614771e339b1a9d4829e8fb5908

Link:

https://www.unpac.me/results/fb10e3ae-fe0e-49ae-9054-f0f9428a5e22/

SH256 hash:

a323a9891c15a533b2356c710a9610dcd764931b2122404d1278952d6a2611e1

MD5 hash:

0fb77a7f91ccadcee16b1f264b0a53df

SHA1 hash:

efadf32a52f1b6bfde9ab82bd4ac5cd1598d8a8f

Link:

https://www.unpac.me/results/fb10e3ae-fe0e-49ae-9054-f0f9428a5e22/

Malware family:

QuasarRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a323a9891c15/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a323a9891c15a533b2356c710a9610dcd764931b2122404d1278952d6a2611e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CN_disclosed_20180208_KeyLogger_1 Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	MALWARE_Win_QuasarRAT Create hunting rule
Author:	ditekSHen
Description:	QuasarRAT payload

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Quasar Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect QuasarRAT in memory

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Quasar_RAT_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Vermin_Keylogger_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Vermin Keylogger
Reference:	https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

Rule name:	xRAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Patchwork malware
Reference:	https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/183520/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample