MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a98fb020ed1b1b79495423933331d152b65d0db7947e403bdebe41f999540e6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 13 File information Comments

SHA256 hash:	a98fb020ed1b1b79495423933331d152b65d0db7947e403bdebe41f999540e6d
SHA3-384 hash:	588347a849c5c882bbb9af9da573de5cafb1b29fce92fe161b5ef45354ffb6853bca2ec9c456c5273807d756db2f115d
SHA1 hash:	2c66db4ab0a796fc4953bc5f496cb2ae904d3656
MD5 hash:	d17b424e6865ccfc1f790313c85347e2
humanhash:	carpet-connecticut-saturn-lamp
File name:	d17b424e6865ccfc1f790313c85347e2.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	371'712 bytes
First seen:	2021-01-06 18:43:32 UTC
Last seen:	2021-01-06 21:37:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	6144:b2b+8xfWxoKtSelAMnw4tF8GM8paEfwcN5XqzWC7pTm2su3:bKf2VSr0+G3pScN5tCvso
Threatray	163 similar samples on MalwareBazaar
TLSH	FD84F1429F90C142FD2F2D7C529DFC0ED3B1107D5B09F88E136899AD59CB242B4F5AAA
Reporter	abuse_ch
Tags:	exe QuasarRAT RAT

Intelligence

File Origin

# of uploads :

# of downloads :

272

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d17b424e6865ccfc1f790313c85347e2.exe

Verdict:

Malicious activity

Analysis date:

2021-01-06 18:44:51 UTC

Tags:

evasion trojan rat quasar

Link:

https://app.any.run/tasks/5d075aac-42cc-4019-9fc8-ec4d00cfbbba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

QuasarRAT

Link:

https://www.capesandbox.com/analysis/110778/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.36006335.4140.30893.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Setting a keyboard event handler

Creating a file in the %AppData% subdirectories

Creating a window

Sending a UDP request

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/575446

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a98fb020ed1b1b79495423933331d152b65d0db7947e403bdebe41f999540e6d/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2021-01-05 03:09:00 UTC

AV detection:

30 of 46 (65.22%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vgh3aihndmnxsskueojtgmorkk3f2dnxsr7eao66xza7tgkubzwq._file

Verdict:

malicious

QuasarRAT

092223938bed5fec479602f4bf2cb0fd28dd628e8754714047b0b7939cd2e298

QuasarRAT

23ed6ef7aec39fbc37b613e5ad3611a84ba1facc92489ed818dcc72bee129022

QuasarRAT

41144a1619fe90c98275683389f032396d09687a336817bc65db220836c006b7

QuasarRAT

60d1ea55d2ecbd3f8289c2d11413ad2378551b8c87126d81483d18101bbd8e4a

QuasarRAT

60d4d26d3a67ea86d793602fa94ea83bdb8e888c4742b2a2601c68f577be4371

QuasarRAT

7431f9ba6aec04eac9673c804378df129f167a06927649ec7aca9872fb15f14b

QuasarRAT

b7823b23e2ef21045e77a01f2f34f86f387a607f4c1d949571c01c1fcdfd7fa1

QuasarRAT

c2f70806a9fddb3ff61f045c92c48a19a0f889b839f68a2acd0e71e6c091499c

QuasarRAT

fec56ffb3c5a61bffba235044da127eae17d9772dbd3817b8a5ce8cad0e93cb1

QuasarRAT

+ 153 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://tria.ge/reports/210106-vyh7xjybg2/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Unpacked files

SH256 hash:

a98fb020ed1b1b79495423933331d152b65d0db7947e403bdebe41f999540e6d

MD5 hash:

d17b424e6865ccfc1f790313c85347e2

SHA1 hash:

2c66db4ab0a796fc4953bc5f496cb2ae904d3656

Link:

https://www.unpac.me/results/d7f5da3a-474f-4839-b476-39b72a21203a/

SH256 hash:

d003dce94fab99fe6244fc4add20fd410070fe1dae023d1d4484b4140280bd69

MD5 hash:

a3dcf3e8b8114e1fb0b33bdea6522071

SHA1 hash:

187aaba4665f8a7bc415ead4a9df0c17a2f8385e

Link:

https://www.unpac.me/results/d7f5da3a-474f-4839-b476-39b72a21203a/

SH256 hash:

325f7067648ad311eeeaabd7cb4336bd9eb887031267bc416de02d5439305154

MD5 hash:

4b559936315e30e7374f29153aed4d65

SHA1 hash:

ff2dcb741103e483776afc5c91e9a81671dd65ce

Link:

https://www.unpac.me/results/d7f5da3a-474f-4839-b476-39b72a21203a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

NJRat

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a98fb020ed1b1b79495423933331d152b65d0db7947e403bdebe41f999540e6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	CN_disclosed_20180208_KeyLogger_1 Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MALWARE_Win_QuasarRAT Create hunting rule
Author:	ditekSHen
Description:	QuasarRAT payload

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	MSILStealer Create hunting rule
Author:	https://github.com/hwvs
Description:	Detects strings from C#/VB Stealers and QuasarRat
Reference:	https://github.com/quasar/QuasarRAT

Rule name:	Quasar Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect QuasarRAT in memory

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Quasar_RAT_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Vermin_Keylogger_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Vermin Keylogger
Reference:	https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/