MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab7cc003aa4d6807236dcd8983804a44a460a462c0e6d4ef70b3030f8ab6b366. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 6

Intelligence 6 IOCs YARA 4 File information Comments

SHA256 hash:	ab7cc003aa4d6807236dcd8983804a44a460a462c0e6d4ef70b3030f8ab6b366
SHA3-384 hash:	2dec681ece1b79ab6c506065939d3c8cfa984898e6c14db81e7a2db7e422d20512ea0c538bdf33b4e36287deb0f8d72f
SHA1 hash:	c0839a0612424887aa64368519e255712f3e4958
MD5 hash:	4abdadc34034a39389d8a9c90d160d31
humanhash:	nineteen-april-carbon-chicken
File name:	ZHANG21053.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	1'027'072 bytes
First seen:	2020-09-09 13:46:25 UTC
Last seen:	2020-09-09 14:45:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:khl4mPnB4t8u9Dqr1ELJuU/OXNrZGPOkFY6weVQ2hy:mnBAWrSCXNrOOkIeV
Threatray	37 similar samples on MalwareBazaar
TLSH	552512834E98B754C9A8897B601B741C08EA5DBEBEE6FB034BCC3118D777BD15807992
Reporter	James_inthe_box
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/58171/

Detection(s):

SecuriteInfo.com.Trojan.Siggen10.14423.32142.698.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/462071

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ab7cc003aa4d6807236dcd8983804a44a460a462c0e6d4ef70b3030f8ab6b366/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-09-09 09:41:47 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vn6maa5kjvuaoi3nzweyhackissgbjdcydtnj33qwmbq7cvwwnta._file

Verdict:

unknown

QuasarRAT

234b2c300af5e4ac2001332e07c2e54bd48dac174cf8b5d0c486a3cc6076043c

QuasarRAT

7f65935cd55b5a0978bf0a70690462a08d83657a97ddbe6aba871a5496d5f9c5

QuasarRAT

9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4

QuasarRAT

9f999d5b44ff7bd243bc33f8a89f504c95d6b21eef26b7b80a49715471ff43d3

QuasarRAT

d8cea078199dbdef51ec7189cf03541bbcbd10c49a133b187348e2a24fe1e2eb

QuasarRAT

dc0087097e433036c00aaf8751d4cd9dc3e309fdba09c2ee1415a4060aa1cced

QuasarRAT

dd652810ff0fc0288768ac20d5fcc76f7bc517c3ed8b066a18340a8b69c69c3a

QuasarRAT

ed42640da83dda3bf2ed08c414bfd256a82c9a8ef1894a59e3c421b254c59d4d

QuasarRAT

f784d412a56ccd414525c22e6b2e7c9482040e89be20fdb1f2e4db0016812ea7

QuasarRAT

+ 27 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/200909-jkxvlpgcts/

Behaviour

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

Checks computer location settings

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

MassLogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ab7cc003aa4d6807236dcd8983804a44a460a462c0e6d4ef70b3030f8ab6b366

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/58171/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample