MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7712a9a042158f130b574fa3dd247e0736e9b03f612acb48e4dddd482da879c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7712a9a042158f130b574fa3dd247e0736e9b03f612acb48e4dddd482da879c
SHA3-384 hash: e1433a99bd69d2a2f1618c732f3b4beb8f152115326b1b8522939d26c45f466ef9dc524faee6fd5007c8e26cd22030f2
SHA1 hash: a2d94485518b08760e0a09c3128d246cd65a96dc
MD5 hash: 4ea02a0dae627ff7275bbeb795d18745
humanhash: vegan-fifteen-lima-michigan
File name:4ea02a0dae627ff7275bbeb795d18745.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'515'890 bytes
First seen:2023-01-28 17:36:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 24576:jNA3R5drXG1pqsXe4TzcNqajQqkvwMP/0XbmXO+BhZJnk7Ah4DYJcN1ErPbjgU57:O5W64ncNqoQqrMP/0Xb+PQAhSYJcN1E1
TLSH T179652301BAD684B2E2B22A351A39F725A9BD7D201F15DB6EA7C40C6DC9301817734FB7
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 36d3c9b6da6cb4d3 (1 x QuasarRAT)
Reporter abuse_ch
Tags:exe QuasarRAT RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
4ea02a0dae627ff7275bbeb795d18745.exe
Verdict:
Malicious activity
Analysis date:
2023-01-28 17:40:17 UTC
Tags:
evasion trojan quasar
Link:
https://app.any.run/tasks/e737d834-de79-454f-b922-0a0268006a62

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/357784/
Detection(s):
SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% directory
Running batch commands
Creating a process from a recently created file
Launching a process
Launching a service
Creating a file
Changing a file
Delayed writing of the file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/63681/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
No Threat
Threat level:
  2/10
Confidence:
80%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/63d55d3e447edb203a01ae59/reports/4c0691f1-43fe-42a3-b45a-4f3ce72c33be/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/21d712ad-b175-446f-a3c7-9444019d6443
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1160832
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 793569 Sample: LhWQCnZEr8.exe Startdate: 28/01/2023 Architecture: WINDOWS Score: 100 73 Snort IDS alert for network traffic 2->73 75 Multi AV Scanner detection for domain / URL 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 7 other signatures 2->79 13 LhWQCnZEr8.exe 9 2->13         started        16 oijsgn.exe 2->16         started        process3 file4 61 C:\Users\user\AppData\...\oijsgn.sfx.exe, PE32 13->61 dropped 18 cmd.exe 1 13->18         started        20 oijsgn.exe 16->20         started        process5 process6 22 oijsgn.sfx.exe 7 18->22         started        26 conhost.exe 18->26         started        28 WerFault.exe 20->28         started        file7 59 C:\Users\user\AppData\Roaming\oijsgn.exe, PE32 22->59 dropped 91 Multi AV Scanner detection for dropped file 22->91 30 oijsgn.exe 1 22->30         started        signatures8 process9 signatures10 95 Multi AV Scanner detection for dropped file 30->95 97 May check the online IP address of the machine 30->97 99 Machine Learning detection for dropped file 30->99 101 2 other signatures 30->101 33 oijsgn.exe 15 4 30->33         started        process11 dnsIp12 63 ip-api.com 208.95.112.1, 49713, 49714, 80 TUT-ASUS United States 33->63 65 192.168.2.1 unknown unknown 33->65 57 C:\Users\user\AppData\Roaming\cji\hvi.exe, PE32 33->57 dropped 81 Hides that the sample has been downloaded from the Internet (zone.identifier) 33->81 38 hvi.exe 1 33->38         started        41 schtasks.exe 1 33->41         started        file13 signatures14 process15 signatures16 83 Multi AV Scanner detection for dropped file 38->83 85 May check the online IP address of the machine 38->85 87 Machine Learning detection for dropped file 38->87 89 Injects a PE file into a foreign processes 38->89 43 hvi.exe 2 38->43         started        47 conhost.exe 41->47         started        process17 dnsIp18 67 dnuocc.com 195.133.40.200, 49715, 49716, 49717 SPD-NETTR Russian Federation 43->67 69 www.dnuocc.com 43->69 71 ip-api.com 43->71 93 Hides that the sample has been downloaded from the Internet (zone.identifier) 43->93 49 schtasks.exe 43->49         started        51 MpCmdRun.exe 47->51         started        signatures19 process20 process21 53 conhost.exe 49->53         started        55 conhost.exe 51->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7712a9a042158f130b574fa3dd247e0736e9b03f612acb48e4dddd482da879c/
Threat name:
ByteCode-MSIL.Trojan.Cryptos
Create hunting rule
Status:
Malicious
First seen:
2023-01-28 17:26:00 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u5ysvgqeefmpcmfvot5d3ush4bzw5gyd6yjkzneojxo5jaw2q6oa._file
Verdict:
malicious
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:owl2 spyware trojan
Link:
https://tria.ge/reports/230128-v65fhsgh8y/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
dnuocc.com:64594
www.dnuocc.com:64594
dnuocc.com:64588
Unpacked files
SH256 hash:
648d08aa68fd606acd4e02f5249c2c9a38b0924f2a6b776ffeae65c79be25683
MD5 hash:
caec955ef547c85bbaf6f7f8589cc5b2
SHA1 hash:
84bd78b10176ad5627dda11a79433bf08d847e07
Link:
https://www.unpac.me/results/066fc92c-0551-4307-9572-f8b87747b9d6/
SH256 hash:
be4c2cdc6852ad9f64ad94674d2cbab53d72a81e8c5f04e295c4610144e5d330
MD5 hash:
aa8046b2c9a572f9793151dc61a79f6b
SHA1 hash:
38144c9e7fe48aae0bbce1135b0c3beed342ec53
Link:
https://www.unpac.me/results/066fc92c-0551-4307-9572-f8b87747b9d6/
SH256 hash:
fdb7865b933ca403988dfa5e9b5bc1a7b119d4ba015f984799f2ab9c9c05fe41
MD5 hash:
3ceb8483c59c15269da3fa43af0bc23b
SHA1 hash:
08061538e850699c04d405a2f038d3d532d17f69
Link:
https://www.unpac.me/results/066fc92c-0551-4307-9572-f8b87747b9d6/
SH256 hash:
9f70d78d058a88b223c2d34cc932e0195cbfe0d05510ce00f8879b55bb22fc6c
MD5 hash:
ba001f92e15882e1b70ce67aba45ba60
SHA1 hash:
073493f2ccb90b3f93d44dd35067890349efc3e0
Link:
https://www.unpac.me/results/066fc92c-0551-4307-9572-f8b87747b9d6/
SH256 hash:
a7712a9a042158f130b574fa3dd247e0736e9b03f612acb48e4dddd482da879c
MD5 hash:
4ea02a0dae627ff7275bbeb795d18745
SHA1 hash:
a2d94485518b08760e0a09c3128d246cd65a96dc
Link:
https://www.unpac.me/results/066fc92c-0551-4307-9572-f8b87747b9d6/
Malware family:
xRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a7712a9a0421/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7712a9a042158f130b574fa3dd247e0736e9b03f612acb48e4dddd482da879c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:CN_disclosed_20180208_KeyLogger_1_RID3227
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:malware_Quasar_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_1_RID2B54
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2_RID2B55
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:Windows_Trojan_Quasarrat_e52df647
Create hunting rule
Author:Elastic Security
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W
Rule name:xRAT_1_RID2900
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe a7712a9a042158f130b574fa3dd247e0736e9b03f612acb48e4dddd482da879c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2520394/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2520068/
  
URLhaus
https://urlhaus.abuse.ch/url/2520069/
Cape
Cape
https://www.capesandbox.com/analysis/357784/

Comments