MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af65c9bd3daedaa3d1560018858eeb0919159baf90d59b55c3363a6fffef9d92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af65c9bd3daedaa3d1560018858eeb0919159baf90d59b55c3363a6fffef9d92
SHA3-384 hash: cc23b6e18b3e1acc2328a1f6164300ab39e0f9eff495fc83ec0c5f2d00711635c527a04305aeaaaca39089b741306e92
SHA1 hash: 8792c035c4daddcc462912e1c1a407c964356846
MD5 hash: 4cc1cafa34803c6968f7a6d6cf7404a2
humanhash: glucose-lamp-princess-salami
File name:4cc1cafa34803c6968f7a6d6cf7404a2.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'980'973 bytes
First seen:2021-01-02 07:46:57 UTC
Last seen:2021-01-02 09:47:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:JO5PnICv0OumSw5PnICv0OzhlsMWRLA+73UtwgaLTGovJc9T2:JAIC9u/uIC9w3w2
Threatray 34 similar samples on MalwareBazaar
TLSH 5E95DF06AB47CF27C4A7477AAED3424560B4E8402F5B530B7A8CA27E94791F876C52FC
Reporter abuse_ch
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4cc1cafa34803c6968f7a6d6cf7404a2.exe
Verdict:
Malicious activity
Analysis date:
2021-01-02 07:51:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7b5513df-ba92-4199-8ff7-ee283c6182da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110282/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader36.32156.1849.27583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Creating a window
Creating a file in the %AppData% subdirectories
Launching a process
Sending a UDP request
Deleting a recently created file
DNS request
Connection attempt
Setting a keyboard event handler
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/572899
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 335512 Sample: qe66HYtm2L.exe Startdate: 02/01/2021 Architecture: WINDOWS Score: 100 54 g.msn.com 2->54 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus detection for dropped file 2->60 62 Antivirus / Scanner detection for submitted sample 2->62 64 5 other signatures 2->64 11 qe66HYtm2L.exe 9 2->11         started        14 Tempf13c3grjsdn.exe 2 2->14         started        signatures3 process4 file5 46 C:\Users\user\AppData\Local\...46ehreyn.exe, PE32 11->46 dropped 48 C:\Users\user\AppData\Local\...\unpacker.exe, PE32 11->48 dropped 50 C:\Users\user\AppData\...\qe66HYtm2L.exe.log, ASCII 11->50 dropped 52 2 other files (none is malicious) 11->52 dropped 17 Nehreyn.exe 3 11->17         started        21 conhost.exe 11->21         started        72 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->72 signatures6 process7 file8 42 C:\Users\user\AppData\...\Tempf13c3grjsdn.exe, PE32 17->42 dropped 56 Multi AV Scanner detection for dropped file 17->56 23 Tempf13c3grjsdn.exe 5 17->23         started        27 WerFault.exe 23 9 17->27         started        29 conhost.exe 17->29         started        signatures9 process10 file11 44 C:\Users\user\AppData\Roaming\...\chrome.exe, PE32 23->44 dropped 66 Antivirus detection for dropped file 23->66 68 Machine Learning detection for dropped file 23->68 70 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->70 31 chrome.exe 2 23->31         started        34 schtasks.exe 1 23->34         started        signatures12 process13 signatures14 74 Antivirus detection for dropped file 31->74 76 Machine Learning detection for dropped file 31->76 78 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->78 80 Installs a global keyboard hook 31->80 36 schtasks.exe 1 31->36         started        38 conhost.exe 34->38         started        process15 process16 40 conhost.exe 36->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af65c9bd3daedaa3d1560018858eeb0919159baf90d59b55c3363a6fffef9d92/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2020-12-28 12:00:19 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v5s4tpj5v3nkhukwaamildxlbemrlg5psdkzwvodgy5g777ptwja._file
Verdict:
malicious
Similar samples:
04d4ebdb690749b84d74422ccbb583acc3180cbe3eb280b9ece53ef5eb3b3abf
QuasarRAT
1230b290a583361b44a14b0ebf16925f07d7d6ed0d58ecae0bdd2419903d27b0
QuasarRAT
1aabe4a4ce09025edf03501ea5cce117d4315f4baa19c0110e1c779ae2bd9ad3
QuasarRAT
3a83d1211c8a9235a72f0dcea5c36ec53a99ed83340e35097e7f41773bc8fb3f
QuasarRAT
40b5d0462edaa8a9f567a3c5080e954a6d1897d6375ca4bd55017aedaf8f583f
QuasarRAT
41c11b942c8abb394d9ee8b14bdd4edb229962db1b1efff70b36706dbf7f5fba
QuasarRAT
5ba0344c196d2605e844a2b15cff5c93412d58e9ca5c8446c468fa768604242d
QuasarRAT
a62e4e1d21bdc64eea17d8bbc4ab5e6c48dc57abbb470322c3357abdef15341f
QuasarRAT
ac4d3acc896cc3fd6e4ba14547572dfc0447f47f2c29c28a170db4b0169c6e2f
QuasarRAT
d3922882bfee49abb72584b9d5918f3787221fa40b7f552c98d7bc0e55833234
QuasarRAT
+ 24 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210102-krqkmjfeyx/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
af65c9bd3daedaa3d1560018858eeb0919159baf90d59b55c3363a6fffef9d92
MD5 hash:
4cc1cafa34803c6968f7a6d6cf7404a2
SHA1 hash:
8792c035c4daddcc462912e1c1a407c964356846
Link:
https://www.unpac.me/results/5b22b315-188f-4a9e-8256-26d5201803d2/
SH256 hash:
d67c06124c638f0a6591a5c9fd9980a90bb7f60c0f71a6525aff906fed393313
MD5 hash:
275a013615282b9a0b9c8a238d61787f
SHA1 hash:
304336ea3b5f9a5e09f61c507759e8144a0e832f
Link:
https://www.unpac.me/results/5b22b315-188f-4a9e-8256-26d5201803d2/
SH256 hash:
c5231f19f3d57b0b307699dd509e5e6974b726a6da2bb7ecd490b55a0e0636b9
MD5 hash:
b8ddb1e2ee0659d7d9efe9a87d1479b4
SHA1 hash:
38d06d6fb5e5cb77cd6c1692ce489e7f4c72cec0
Link:
https://www.unpac.me/results/5b22b315-188f-4a9e-8256-26d5201803d2/
SH256 hash:
bb18acf9af0c380fd3113b5c470ab39be6bd7766bad18ed9bb6a141b32226be1
MD5 hash:
1e7f2464f66a7797f28c5015f4f0a460
SHA1 hash:
7f7099bbd9fb72b7be772870eb690246dd6b26f2
Link:
https://www.unpac.me/results/5b22b315-188f-4a9e-8256-26d5201803d2/
SH256 hash:
c02d68f65c43916a115236a3185abceb7dd9a9470548b683628c0854bfa18ba8
MD5 hash:
e9dc18bf44d4fa6d0fa4fbecba2702f0
SHA1 hash:
c29e193090b3e6e15d14a9b355b7dfe92b909895
Link:
https://www.unpac.me/results/5b22b315-188f-4a9e-8256-26d5201803d2/
SH256 hash:
511ba448768c21f525afe2fd8fdcaed4945f5b268ae3a1dcaf9b1def32dbfc1f
MD5 hash:
e98e6dc59328204c720df75a5721e366
SHA1 hash:
cdf2a8588ec1dad1947a4bdd54f23a3672fe261b
Link:
https://www.unpac.me/results/5b22b315-188f-4a9e-8256-26d5201803d2/
SH256 hash:
5eb509045378c79336f65d770dec6851618673d7e2e32319666b504bed7bb1ec
MD5 hash:
7f123db20d965a97f981638ef2d07d58
SHA1 hash:
7eb249aa91dbfc0d9f9af761e89b73a0388e122e
Link:
https://www.unpac.me/results/5b22b315-188f-4a9e-8256-26d5201803d2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Virut
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af65c9bd3daedaa3d1560018858eeb0919159baf90d59b55c3363a6fffef9d92

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/110282/

Comments