MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8f0dbc38f4fa81b8dc71d6a69df4a5a9963ad57de7c491a61044dbe42f586e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	a8f0dbc38f4fa81b8dc71d6a69df4a5a9963ad57de7c491a61044dbe42f586e5
SHA3-384 hash:	b976e8be75d94bb068fdee0bbdc9a04458505287ed0a7c5a31b12ede7c64c3630534d1d551d6af51d0e3588dd3782369
SHA1 hash:	684cb0e959aa1ffb0beba40c1a7ef6168e347477
MD5 hash:	2752ebe367014ca2506e55fc3c0a27fd
humanhash:	diet-nine-washington-fanta
File name:	长江环保生态系统-胡琳琳-个人简历.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	3'302'609 bytes
First seen:	2021-04-03 14:04:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	49152:4bA3wJJyUs7x2kgxSaEV3TR0ChGhUrl15BdnpjdES+QGFSh0zP3j:4bVJv2mODR02GherzxpjOFSaz7
Threatray	447 similar samples on MalwareBazaar
TLSH	EFE52222CE818EB2D088197095307B5A3E7B7D809F63DACFD7C5B86DAC751D09638639
Reporter	vm001cn
Tags:	QuasarRAT RAT sfx winrarsfx

Intelligence

File Origin

# of uploads :

# of downloads :

323

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

长江环保生态系统-胡琳琳-个人简历.exe

Verdict:

Malicious activity

Analysis date:

2021-04-03 13:51:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7fb0a41f-b911-469e-93ad-502665674b19

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/131998/

Detection(s):

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file in the Windows subdirectories

Creating a process from a recently created file

Creating a file in the %temp% subdirectories

DNS request

Sending a UDP request

Creating a file

Changing a file

Sending a custom TCP request

Moving a recently created file

Sending an HTTP GET request

Connection attempt

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a8f0dbc38f4fa81b8dc71d6a69df4a5a9963ad57de7c491a61044dbe42f586e5/

Threat name:

ByteCode-MSIL.Trojan.Quasar

Status:

Malicious

First seen:

2021-04-02 05:04:00 UTC

AV detection:

16 of 29 (55.17%)

Threat level:

5/5

Verdict:

suspicious

QuasarRAT

0eb41e962d7be24fe14670c0bda3283dd6db00bbe813d1d93da23c125af8e4dc

QuasarRAT

1202173f3ce4f49947f8e6554991a320c7a6e5faced43bec6a3bd051d13f7666

QuasarRAT

3d783630a9df4cc2fc3bed2bd696e006c4eb018ca419295fc1fc94010659ecac

QuasarRAT

3d84d2ad35397d5b2b3d482886e2a15551053e903de3fb446704754b48ffa925

QuasarRAT

4824693d37ee0c444b89e21a2ae1cba396927f299e88751759635b2795c1bc96

QuasarRAT

847d04c20badc69bf87617204f50b8ab0a4c1837466025c5cefc115569b581c7

QuasarRAT

d1a4049ba690a122863c55c4c7b35e18fdd25225dcb1f5e0a08a7c9f8ddb77be

QuasarRAT

e571cd3a4c0744cb3c5443b868577adced331a7545fcb6e2ed0efbe7506a2f9b

QuasarRAT

e8f9e4daabce9c02c3b067fa13c72e8d43d229296eb8e2f96e2ee66baa42ab96

QuasarRAT

+ 437 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar spyware trojan

Link:

https://tria.ge/reports/210403-mynkrfgr42/

Behaviour

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Windows directory

Loads dropped DLL

Executes dropped EXE

Quasar Payload

Quasar RAT

Unpacked files

SH256 hash:

f4f1217afb98eee40c60aa59d8a831d940ed3b5849a3757e7667816f5b95dcd4

MD5 hash:

0c9593d89170cf6ce54dca90e94da2b3

SHA1 hash:

105efcf8f1409a91c2b03a34e366ad8912f064af

Link:

https://www.unpac.me/results/e4e89504-c0c4-47eb-b352-22464e0411d7/

SH256 hash:

56fcae371373897ad40c930b1f15e14908922587b8ab877e531ef0ccb0ae8672

MD5 hash:

fa3acaf70653b7c8bdadd337705a3f5b

SHA1 hash:

c0de6f5bcc11867a72cacb25606e4653ae7a4c60

Link:

https://www.unpac.me/results/e4e89504-c0c4-47eb-b352-22464e0411d7/

SH256 hash:

a8f0dbc38f4fa81b8dc71d6a69df4a5a9963ad57de7c491a61044dbe42f586e5

MD5 hash:

2752ebe367014ca2506e55fc3c0a27fd

SHA1 hash:

684cb0e959aa1ffb0beba40c1a7ef6168e347477

Link:

https://www.unpac.me/results/e4e89504-c0c4-47eb-b352-22464e0411d7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

ScriptKD

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a8f0dbc38f4fa81b8dc71d6a69df4a5a9963ad57de7c491a61044dbe42f586e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/131998/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample