MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa18400f1aa2fef6c2a5a50965981a3d668e052ce8ac851a8bd145cac1ee2ace. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: QuasarRAT
Vendor detections: 17

SHA256 hash: aa18400f1aa2fef6c2a5a50965981a3d668e052ce8ac851a8bd145cac1ee2ace
SHA3-384 hash: 8bd0535e93375f66233c14356e62180408668211b1bc09972579b29beb320c53be460d430c7ed0793e59bac6aeb90066
SHA1 hash: e8a8c76f9911b79feee2314e5945424204596f70
MD5 hash: 68459c40c0a1c9eaca41d76c094aae40
humanhash: fourteen-bakerloo-bravo-california
File name: OperaSetup.exe
Download: download sample
Signature: QuasarRAT
File size: 6'351'872 bytes
First seen: 2023-07-25 09:26:45 UTC
Last seen: 2023-07-25 09:34:54 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 98304:yGh5ziNlRUaub+MPDrc/c+NmXnKyFrsqCDHj92AYawl1WPOl6NVLkJ0xWCaaMF:y3NlqaubXgUCqCTBjxbm
Threatray 202 similar samples on MalwareBazaar
TLSH T10056BF1037F85E22E17BE27795B0441667F0FC2AB3A3EB1B2191767E1CA374059427AB
TrID:
  30.3% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  17.8% (.EXE) InstallShield setup (43053/19/16)
  12.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  11.2% (.EXE) UPX compressed Win32 Executable (27066/9/6)
  6.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
dhash icon aa38ce868282b882 (110 x Adware.Generic, 6 x CoinMiner, 5 x Formbook)
Reporter Anonymous
Tags: exe Fake Opera QuasarRAT
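Before acting on a file that is supposed to be this sample (a download from the entry, or a binary recovered from a host), recompute the hashes the entry lists and compare them. The following is an added example written by the editor, not MalwareBazaar's own tooling; the expected values are copied from the entry above, and everything else (function names, the size check) is the editor's choice.

```python
"""Verify a file against the hashes listed on this MalwareBazaar entry.

Added example (editor's code, not part of MalwareBazaar). The expected values
are copied from the entry above; nothing here touches the network."""
import hashlib
from typing import Dict, Union

# Indicators copied from the entry for SHA256 aa18400f...1ee2ace.
EXPECTED: Dict[str, Union[str, int]] = {
    "md5": "68459c40c0a1c9eaca41d76c094aae40",
    "sha1": "e8a8c76f9911b79feee2314e5945424204596f70",
    "sha256": "aa18400f1aa2fef6c2a5a50965981a3d668e052ce8ac851a8bd145cac1ee2ace",
    "sha3_384": "8bd0535e93375f66233c14356e62180408668211b1bc09972579b29beb320c53be460d430c7ed0793e59bac6aeb90066",
    "size": 6351872,
}

ALGOS = ("md5", "sha1", "sha256", "sha3_384")  # all available in hashlib on Python 3.6+


def digest_bytes(data: bytes) -> Dict[str, Union[str, int]]:
    """Hash an in-memory buffer with every algorithm the entry lists."""
    out: Dict[str, Union[str, int]] = {a: hashlib.new(a, data).hexdigest() for a in ALGOS}
    out["size"] = len(data)
    return out


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, Union[str, int]]:
    """Stream a file through all hashers at once, so a 6 MB sample is read only once."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    out: Dict[str, Union[str, int]] = {a: h.hexdigest() for a, h in hashers.items()}
    out["size"] = size
    return out


def compare(observed: Dict[str, Union[str, int]],
            expected: Dict[str, Union[str, int]] = EXPECTED) -> Dict[str, bool]:
    """Per-field match table; hex digests are compared case-insensitively."""
    result: Dict[str, bool] = {}
    for key, want in expected.items():
        got = observed.get(key)
        if isinstance(want, str) and isinstance(got, str):
            result[key] = got.lower() == want.lower()
        else:
            result[key] = got == want
    return result


def is_sample(observed: Dict[str, Union[str, int]],
              expected: Dict[str, Union[str, int]] = EXPECTED) -> bool:
    """True only if every listed indicator (four digests and the size) matches."""
    return all(compare(observed, expected).values())


if __name__ == "__main__":
    import sys
    obs = digest_file(sys.argv[1])
    for key, ok in compare(obs).items():
        print(f"{key:9} {'match' if ok else 'MISMATCH'}  {obs[key]}")
    print("sample identified" if is_sample(obs) else "not this sample")
```

Run it against the extracted file, not the archive you downloaded; a mismatch on every field usually means the archive itself was hashed. Requiring all four digests plus the size to agree costs nothing and makes a single-algorithm collision irrelevant.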

Intelligence


File Origin
# of uploads: 2
# of downloads: 312
Origin country: NL
Vendor Threat Intelligence
Malware family: asyncrat
ID: 1
File name: OperaSetup.exe
Verdict: Malicious activity
Analysis date: 2023-07-25 09:29:53 UTC
Tags: installer trojan rat asyncrat quasar remote

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
DNS request
Creating a process from a recently created file
Searching for the window
Creating a file
Launching a process
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm evasive fingerprint infostealer keylogger packed quasarrat rat stealer
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 52 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph (ID 1278984; sample OperaSetup.exe; start date 25/07/2023; architecture WINDOWS; score 52), rendered as a text process tree in place of the image:

Signatures on the submitted sample: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 6 other signatures.

OperaSetup.exe (submitted sample)
  dropped: C:\Users\user\AppData\Roaming\...\opera.exe (PE32)
  dropped: C:\Users\user\AppData\...\OperaSetup.exe (PE32)
  dropped: C:\Users\user\AppData\...\OperaSetup.exe.log (ASCII)
  -> opera.exe
       dropped: C:\Users\user\AppData\...\launcher.exe (PE32)
       signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
       -> launcher.exe
            network: 18.197.239.109 (AMAZON-02US, United States); 3.66.38.117 (AMAZON-02US, United States); 3 other IPs or domains
            signatures: Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
            -> schtasks.exe
                 -> conhost.exe
       -> schtasks.exe
            -> conhost.exe
  -> OperaSetup.exe
       network: 107.167.125.189 (OPERASOFTWAREUS, United States); 185.26.182.112 (NO-OPERANO, Norway); 9 other IPs or domains
       dropped: C:\Users\user\AppData\...\OperaSetup.exe (PE32); Assistant_100.0.48....exe_sfx.exe (copy) (PE32); Opera_installer_2307251841578236792.dll (PE32); 4 other files (none is malicious)
       -> OperaSetup.exe
            dropped: Opera_installer_2307251842391246968.dll (PE32)
            -> installer.exe
                 dropped: Opera_installer_2307251843179602788.dll (PE32+); C:\Users\user\AppData\Local\...\opera.exe (PE32+); C:\Users\user\AppData\Local\...\launcher.exe (PE32+)
                 -> opera.exe
                      -> opera_crashreporter.exe; opera_gx_splash.exe; opera.exe; opera.exe
                 -> installer.exe
                      dropped: Opera_installer_2307251843190266836.dll (PE32+)
                 -> installer_helper_64.exe
            -> OperaSetup.exe
                 dropped: Opera_installer_2307251842405775644.dll (PE32)
       -> Assistant_100.0.4815.21_Setup.exe_sfx.exe
            dropped: C:\Users\user\AppData\Local\...\mojo_core.dll (PE32); C:\Users\user\AppData\Local\...\launcher.exe (PE32); C:\Users\user\AppData\Local\...\dbghelp.dll (PE32); 3 other files (none is malicious)
       -> OperaSetup.exe
            dropped: Opera_installer_2307251842027797124.dll (PE32)
       -> 2 other processes
            dropped: Opera_installer_2307251841587936920.dll (PE32)
            -> assistant_installer.exe

Further processes started directly from the start node:
opera.exe
  -> opera_crashreporter.exe; opera_gx_splash.exe; opera.exe; opera.exe
launcher.exe
  dropped: C:\Users\user\AppData\Local\...\installer.exe (PE32+)
  -> installer.exe
       dropped: Opera_installer_2307251843404925700.dll (PE32+)
launcher.exe

Reading the tree: the branch under the second OperaSetup.exe talks to Opera's own networks (OPERASOFTWAREUS, NO-OPERANO) and drops files Joe Sandbox marks as non-malicious, i.e. the genuine installer used as a decoy. The opera.exe -> launcher.exe branch is the payload: it writes into AppData, strips the Zone.Identifier stream from what it drops, installs a global keyboard hook, registers a scheduled task through schtasks.exe and connects out to AMAZON-02 addresses, consistent with the ngrok C2 extracted below.
Threat name: ByteCode-MSIL.Trojan.Quasar
Status: Malicious
First seen: 2023-07-25 09:27:07 UTC
File Type: PE (.Net Exe)
Extracted files: 206
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:quasar botnet:opera spyware stealer trojan upx
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Downloads MZ/PE file
Quasar RAT
Quasar payload
Malware Config
C2 Extraction: 6.tcp.eu.ngrok.io:16309
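The behaviours reported above (a scheduled task created via schtasks.exe, a copy of opera.exe written under AppData\Roaming by the sample while the genuine installer lands under AppData\Local, and a C2 reached through an ngrok TCP tunnel) are all cheap to hunt for in endpoint telemetry. The following is an added example written by the editor, not code from MalwareBazaar or from any of the sandboxes quoted on this page: it runs three detection rules over Sysmon-style JSON events (EventID 1 process creation, EventID 22 DNS query). The event lines, the Roaming\Opera subfolder and the schtasks command line are constructed for the demo; the page only shows the elided path C:\Users\user\AppData\Roaming\...\opera.exe and the C2 6.tcp.eu.ngrok.io:16309. The browser-name list generalises beyond opera.exe, the only name this entry shows.

```python
"""Hunt endpoint telemetry for the behaviours listed on this entry.

Added example (editor's code, not from MalwareBazaar or the sandboxes above).
Events are Sysmon-style JSON lines constructed for the demo; the sample's exact
paths and command lines are not on the page."""
import json
import re
from typing import Dict, Iterable, List

# Rule 1: schtasks.exe launched by a process running out of a user's AppData.
# Rule 2: an executable named like a browser living under AppData\Roaming
#         (the genuine installer's opera.exe lands under AppData\Local).
# Rule 3: DNS lookups of ngrok tunnel hosts, the C2 transport extracted above.
BROWSER_NAMES = {"opera.exe", "chrome.exe", "firefox.exe", "msedge.exe"}  # generalised beyond this entry
NGROK_RE = re.compile(r"(?:^|\.)ngrok\.io$", re.IGNORECASE)

# Constructed events (not captured from the sample). Backslashes are JSON-escaped.
SAMPLE_EVENTS = [
    r'{"EventID":1,"Image":"C:\\Users\\user\\AppData\\Roaming\\Opera\\opera.exe","ParentImage":"C:\\Users\\user\\Downloads\\OperaSetup.exe","CommandLine":"\"C:\\Users\\user\\AppData\\Roaming\\Opera\\opera.exe\""}',
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\schtasks.exe","ParentImage":"C:\\Users\\user\\AppData\\Roaming\\Opera\\opera.exe","CommandLine":"schtasks /create /tn Opera /sc onlogon /tr C:\\Users\\user\\AppData\\Roaming\\Opera\\launcher.exe /f"}',
    r'{"EventID":22,"Image":"C:\\Users\\user\\AppData\\Roaming\\Opera\\launcher.exe","QueryName":"6.tcp.eu.ngrok.io"}',
    # Benign noise: the real installer's per-user Opera, its update check, a system task.
    r'{"EventID":1,"Image":"C:\\Users\\user\\AppData\\Local\\Programs\\Opera\\opera.exe","ParentImage":"C:\\Users\\user\\Downloads\\OperaSetup.exe","CommandLine":"opera.exe"}',
    r'{"EventID":22,"Image":"C:\\Users\\user\\AppData\\Local\\Programs\\Opera\\opera.exe","QueryName":"autoupdate.geo.opera.com"}',
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\schtasks.exe","ParentImage":"C:\\Windows\\System32\\svchost.exe","CommandLine":"schtasks /run /tn \\Microsoft\\Windows\\Defrag\\ScheduledDefrag"}',
]


def parse_events(lines: Iterable[str]) -> List[Dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in lines if line.strip()]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _under_appdata(path: str, subdir: str = "") -> bool:
    """True if path contains \\AppData\\<subdir>, compared case-insensitively."""
    return ("\\appdata\\" + subdir.lower()) in path.lower()


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Apply the three rules and return one finding dict per hit, in event order."""
    findings: List[Dict] = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        if eid == 1:
            if _basename(image) == "schtasks.exe" and _under_appdata(parent):
                findings.append({"rule": "schtasks_from_appdata", "parent": parent,
                                 "cmdline": ev.get("CommandLine", "")})
            if _basename(image) in BROWSER_NAMES and _under_appdata(image, "roaming\\"):
                findings.append({"rule": "browser_name_in_roaming", "image": image})
        elif eid == 22:
            query = ev.get("QueryName", "")
            if NGROK_RE.search(query):
                findings.append({"rule": "ngrok_tunnel_dns", "image": image, "query": query})
    return findings


def run_demo() -> List[Dict]:
    """Run the rules over the constructed events; three findings are expected."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The benign lines are there on purpose: Opera's own per-user copy under AppData\Local and a Windows-maintained scheduled task must not fire, otherwise the rules are unusable on a fleet where Opera is installed. Rule 3 is deliberately broad; ngrok has legitimate uses, so treat a hit as a pivot point to the querying process rather than a verdict on its own.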
Unpacked files
SHA256 hash: aa18400f1aa2fef6c2a5a50965981a3d668e052ce8ac851a8bd145cac1ee2ace
MD5 hash: 68459c40c0a1c9eaca41d76c094aae40
SHA1 hash: e8a8c76f9911b79feee2314e5945424204596f70
Detections: QuasarRAT
Malware family: QuasarRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: grakate_stealer_nov_2021
Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
Author: ditekSHen
Description: Detects executables containing base64 encoded User Agent
Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents
Rule name: INDICATOR_SUSPICIOUS_GENInfoStealer
Author: ditekSHen
Description: Detects executables containing common artifacts observed in infostealers
Rule name: MALWARE_Win_QuasarStealer
Author: ditekshen
Description: Detects Quasar infostealer
Rule name: MAL_QuasarRAT_May19_1
Description: Detects QuasarRAT malware
Rule name: MAL_QuasarRAT_May19_1
Author: Florian Roth (Nextron Systems)
Description: Detects QuasarRAT malware
Reference: https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name: MAL_QuasarRAT_May19_1_RID2E1E
Author: Florian Roth
Description: Detects QuasarRAT malware
Reference: https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments