MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aec29917a6378853cf92981da56d336cf7639b43b3a3963a66bea0102c10ee1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT
Vendor detections: 10

SHA256 hash: aec29917a6378853cf92981da56d336cf7639b43b3a3963a66bea0102c10ee1a
SHA3-384 hash: 2f5a700e4a7b35c483c0248c9c007ce56e9ad2df5e363c988f2ed9a36f9b195faebc373284a6828d68a33fe80b699706
SHA1 hash: 3c196510585f015a954e6ef0ce155cc9534b0e33
MD5 hash: cbb95d0c561feba363ae3946629d3aa1
humanhash: oscar-freddie-virginia-nuts
File name: aec29917a6378853cf92981da56d336cf7639b43b3a3963a66bea0102c10ee1a
Download: download sample
Signature: QuasarRAT
File size: 2'637'312 bytes
First seen: 2021-09-30 07:38:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 49152:zHVkXSoB2seN2EWiBvzma5N5LJTL9cDi8WG9GiYWNwVd+Zfys:NoctWMySPVTZ2i8x9GizwVE9y
Threatray: 232 similar samples on MalwareBazaar
TLSH: T1C6C5AF9310609572F07FBBF2D94A65B205E5BA2B14C24064DFFC24F90DB62F842FE95A
File icon (PE): PE icon
dhash icon: c8e2eae6e292c2ee (14 x ArkeiStealer, 10 x RedLineStealer, 3 x Vidar)
Reporter: JAMESWT_WT
Tags: exe QuasarRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 136
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Launching a service
DNS request
Connection attempt
Sending an HTTP GET request
Running batch commands
Query of malicious DNS domain
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Cassandra Crypter
Yara detected Quasar RAT
Behaviour
Behavior Graph (flattened from the graph image; node numbers are the graph's own):
Graph ID: 494736; Sample: r659zoSxx2; Startdate: 30/09/2021; Architecture: WINDOWS; Score: 100
Graph-level domains: qs.mngbfdghsdfa.xyz; ip-api.com
Graph-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 12 other signatures

Node 15: r659zoSxx2.exe (root, started)
  Dropped files: C:\Users\user\AppData\...\KdusctsFPP.exe (PE32); C:\Users\...\KdusctsFPP.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp87B9.tmp (XML); C:\Users\user\AppData\...\r659zoSxx2.exe.log (ASCII)
  Signatures: May check the online IP address of the machine; Performs DNS queries to domains with low reputation; Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes
  Children: 19 r659zoSxx2.exe; 23 schtasks.exe
Node 19: r659zoSxx2.exe (child of 15)
  Network: ip-api.com 208.95.112.1 (ports 49741, 49765, 49774; TUT-ASUS, United States); 192.168.2.1 (unknown); qs.mngbfdghsdfa.xyz
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  Children: 25 cmd.exe
Node 23: schtasks.exe (child of 15)
  Children: 28 conhost.exe
Node 25: cmd.exe (child of 19)
  Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
  Children: 30 r659zoSxx2.exe; 33 conhost.exe; 35 PING.EXE; 37 chcp.com
Node 30: r659zoSxx2.exe (child of 25)
  Signatures: Injects a PE file into a foreign processes
  Children: 39 r659zoSxx2.exe; 43 schtasks.exe
Node 39: r659zoSxx2.exe (child of 30)
  Network: qs.mngbfdghsdfa.xyz; ip-api.com
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  Children: 45 cmd.exe
Node 43: schtasks.exe (child of 30)
  Children: 48 conhost.exe
Node 45: cmd.exe (child of 39)
  Signatures: Uses ping.exe to sleep
  Children: 50 r659zoSxx2.exe; 53 conhost.exe; 55 chcp.com; 57 PING.EXE
Node 50: r659zoSxx2.exe (child of 45)
  Signatures: Injects a PE file into a foreign processes
  Children: 59 r659zoSxx2.exe; 63 schtasks.exe
Node 59: r659zoSxx2.exe (child of 50)
  Network: qs.mngbfdghsdfa.xyz; ip-api.com
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  Children: 65 cmd.exe
Node 63: schtasks.exe (child of 50)
  Children: 68 conhost.exe
Node 65: cmd.exe (child of 59)
  Signatures: Uses ping.exe to sleep
  Children: 70 conhost.exe
Threat name: ByteCode-MSIL.Backdoor.Bladabhindi
Status: Malicious
First seen: 2021-09-23 00:24:53 UTC
AV detection: 31 of 45 (68.89%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:quasar botnet:nh12x spyware trojan
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Quasar Payload
Quasar RAT
Malware Config
C2 Extraction:
qs.mngbfdghsdfa.xyz:4782
2y9ea4pnl01jyr7.xyz:4782
j3vahjkvzinaqax.xyz:4782
g8m3cyido670ly5.club:4782
zykk5es6go3izsb.club:4782
j3wb76496fukmhj.ru:4782
6aj7sx0v4x0o7z8.ru:4782
yg9twivamv6sw0n.ru:4782
nxghej4nnhx4j8u.ru:4782
u4wqbjlplzi5hdx.ru:4782
Unpacked files
SHA256 hash: 438068a6c478c1da9a6efc0a325ba478c02c0410d2ad23925c45ed360b648652
MD5 hash: 17ea15b21e9a517ceb4fa035f46b4e3c
SHA1 hash: ef23c0ebba9c4a70135f9532250a66f081668268

SHA256 hash: 6e34d3d48b810a0dc618a0921aa63961f56114408b0976aeb10c822f97ccca4c
MD5 hash: afb560b4ed33d331619bb85b196996cc
SHA1 hash: 6d6f8b004527cb79a72e3f8131c7adc1095c054f

SHA256 hash: 515ab01c62106c84df5996bf996f61c3d6173cfafb09f6cea3aad0442e0ca30d
MD5 hash: 27aa42ad5f8ed5dfdd5e060296afb403
SHA1 hash: 6aa23a2b679254c0709d4a122187c6148928caba

SHA256 hash: bd084d05ffa032b101eca6c315433f00b0b699cf9c94c2afe84825cdda0c63d5
MD5 hash: 46f8607c6d74257265458c3d39033ef2
SHA1 hash: 175d921a009b49cd1e8ecb0babc714e47dd143ce

SHA256 hash: aec29917a6378853cf92981da56d336cf7639b43b3a3963a66bea0102c10ee1a
MD5 hash: cbb95d0c561feba363ae3946629d3aa1
SHA1 hash: 3c196510585f015a954e6ef0ce155cc9534b0e33

Malware family: QuasarRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments