MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7d8154bb436ed2e91516ab13e82aaee5f76e9af2d16d6ce62758aa3c17f0b3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7d8154bb436ed2e91516ab13e82aaee5f76e9af2d16d6ce62758aa3c17f0b3e
SHA3-384 hash: 0fdd957ecd5d61317106b7f223b6f9f8d5f78501f7ed088edb20fdb172f822a9b53c8bbd20c6abe53c53def50f59ad91
SHA1 hash: 3f6e78c1d0789bc1c194f569eaabd92e6699496e
MD5 hash: 4db130891e3112bdcb25aae206c8d324
humanhash: hydrogen-twenty-four-quebec
File name:4db130891e3112bdcb25aae206c8d324.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:556'544 bytes
First seen:2021-08-17 13:28:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:0uPIHzXADn3gObC/yAkdu8f7HJpUUdUbB1tdAsWLfMcN5hdK:0xynHdp5ytqJf3N9K
Threatray 101 similar samples on MalwareBazaar
TLSH T142C449122BE8CA1BE1BE6771E4B004249BF5F116B666D78F1A8461F91C63B41ED013BF
Reporter abuse_ch
Tags:exe QuasarRAT RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TrustedInstaller.exe
Verdict:
Malicious activity
Analysis date:
2021-08-11 09:30:25 UTC
Tags:
evasion trojan rat quasar
Link:
https://app.any.run/tasks/2e5371c9-c4f5-4ce7-ab81-da3c1957c3ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179972/
Detection(s):
Win.Packed.Downeks-6898097-0
Create hunting rule

Win.Packed.Passwordstealera-9792228-0
Create hunting rule

Win.Tool.Quasar-6791498-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the Windows subdirectories
Launching a process
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Replacing files
Sending a UDP request
Setting a keyboard event handler
Sending a custom TCP request
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a9a2c29-018e-4898-94b8-02b0dc484676
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834541
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 467055 Sample: SB928N3n07.exe Startdate: 17/08/2021 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 4 other signatures 2->53 8 SB928N3n07.exe 15 24 2->8         started        13 SB928N3n07.exe 25 2->13         started        process3 dnsIp4 31 ip-api.com 208.95.112.1, 49700, 49704, 80 TUT-ASUS United States 8->31 33 192.168.2.1 unknown unknown 8->33 27 C:\Windows\SysWOW64\...\TrustedInstaller.exe, PE32 8->27 dropped 29 C:\Users\user\AppData\...\SB928N3n07.exe.log, ASCII 8->29 dropped 55 May check the online IP address of the machine 8->55 57 Drops executables to the windows directory (C:\Windows) and starts them 8->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 8->59 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->61 15 TrustedInstaller.exe 14 19 8->15         started        19 schtasks.exe 1 8->19         started        file5 signatures6 process7 dnsIp8 35 51.254.31.10, 1718, 49705 OVHFR France 15->35 37 ip-api.com 15->37 39 Antivirus detection for dropped file 15->39 41 Multi AV Scanner detection for dropped file 15->41 43 May check the online IP address of the machine 15->43 45 4 other signatures 15->45 21 schtasks.exe 1 15->21         started        23 conhost.exe 19->23         started        signatures9 process10 process11 25 conhost.exe 21->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7d8154bb436ed2e91516ab13e82aaee5f76e9af2d16d6ce62758aa3c17f0b3e/
Threat name:
ByteCode-MSIL.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 20:02:44 UTC
AV detection:
34 of 47 (72.34%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u7mbks5ug3ws5ekrnkyt5avk5zpxn2npfulnnttcowfkhql7bm7a._file
Verdict:
malicious
Similar samples:
18271c11925b94e6310672889885575ab4786e36a4c404e478accf3cb24172be
QuasarRAT
470504f2d7822a47bb84c008289192d825998af6f8249e3a8352d1338fa1de21
QuasarRAT
79c88080262db1ffc03376d9a98fe8ba71508b03c4f2a28af50f53b8aa235bf9
QuasarRAT
7c309d0854288645b6bd91fdfc4ccfe0446c60dfd2548a1bfebdead096de4be1
QuasarRAT
9760105f3177384c19086dee036cdc67916d744f4a1e7064ecfd906e252dba69
QuasarRAT
a725bb8800499239e18eb3973b4c4371214e8da4efb12108ac42957a3819572b
QuasarRAT
cf6b35a3db282f36cb1f6a32c4c4d15185c21960ec672e0716de24b40df8f48b
QuasarRAT
efcf11b8408b3caf79f2aa775890f6708f115524a9be648d4324b44551078473
QuasarRAT
f0fafa9e7eea1e45981257151dd56207ac78ae6110bc39da004bd468bcbb79b4
QuasarRAT
+ 91 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar persistence spyware trojan
Link:
https://tria.ge/reports/210817-gvdv9l28ea/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Quasar RAT
Unpacked files
SH256 hash:
a7d8154bb436ed2e91516ab13e82aaee5f76e9af2d16d6ce62758aa3c17f0b3e
MD5 hash:
4db130891e3112bdcb25aae206c8d324
SHA1 hash:
3f6e78c1d0789bc1c194f569eaabd92e6699496e
Link:
https://www.unpac.me/results/f36cd4d8-781a-4144-9145-02fba5dfa106/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a7d8154bb436/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7d8154bb436ed2e91516ab13e82aaee5f76e9af2d16d6ce62758aa3c17f0b3e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179972/

Comments