MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 affd6e89b3357f6a8418ceb96c5a101eb38ea0af16b2d8a0ac256459130740ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: affd6e89b3357f6a8418ceb96c5a101eb38ea0af16b2d8a0ac256459130740ff
SHA3-384 hash: c91adf4dffff2cd09bbf9ad33c026042746a371626e3256c3ef549b13bc05d11764d9d48f4b57a9a3de9ffa47c1197ab
SHA1 hash: c7d7b3fe522bfd11d97b186f79713b9100465960
MD5 hash: b25394f4eebb48b3536b460929362643
humanhash: chicken-stairway-video-carbon
File name:b25394f4eebb48b3536b460929362643
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:13'312 bytes
First seen:2022-01-31 10:14:02 UTC
Last seen:2022-02-02 19:04:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 192:ls5GYcnDCO/Labn9qTd/LZLp2HHBJkLqNxbbbbbbbbbbbbbbbbbbbbbbbbbbbbbw:m5GYc2O/Lab9qTd/LZLIJdoWFZ54W
Threatray 5'035 similar samples on MalwareBazaar
TLSH T1BA5285619FF45BF7E8F64F3A18B316309B38A7068832D67AB480167A1D363434663A71
File icon (PE):PE icon
dhash icon 1032d232e98c3689 (16 x AgentTesla, 8 x AveMariaRAT, 7 x Formbook)
Reporter zbetcheckin
Tags:32 exe QuasarRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b25394f4eebb48b3536b460929362643
Verdict:
Malicious activity
Analysis date:
2022-01-31 10:18:24 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/67843b8b-ad42-416b-aada-51fe207cc162

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/228386/
Detection(s):
SecuriteInfo.com.Variant.Strictor.267075.29857.3621.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Running batch commands
DNS request
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/61f7b66cd9e6538232d6f47c/reports/d959e575-857b-44fe-b047-83fa13acc05e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e54eaae9-33d5-4ec4-9aef-8aed4801e5f1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/930725
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/affd6e89b3357f6a8418ceb96c5a101eb38ea0af16b2d8a0ac256459130740ff/
Threat name:
ByteCode-MSIL.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2022-01-31 10:15:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
361ced68c7680745d536ecd6a4c9dcbc867234c4fe10e419553d24a2514c3840
QuasarRAT
4e9da20f5f7811b12fb30476fe4ecb65c36534316a2230f415f247a03a78932a
QuasarRAT
6166b3eaebbbdd68cb0ba54bbd9d4ab4f1fae7f79afc400c319cbb960c1c5053
QuasarRAT
648926c5d9a339ee75cddfe0731bc4c6dad66afbe0171b3d858993ed0f2640a4
QuasarRAT
6afa8f79af9fd9ec79a3ebd4fd0932c496afdd4766df779a796e9ee502553562
QuasarRAT
7d093e8382b6648ad18ae9e5a0e6b9daf7a752910a2e9793b5bdbf4b978e3582
QuasarRAT
cc973eb98def4aca2608cc493b2c5477d9049d6b316f482d8487b4394a1df90d
QuasarRAT
+ 5'025 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:remote2 persistence spyware trojan
Link:
https://tria.ge/reports/220131-l98gxahaak/
Behaviour
Delays execution with timeout.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Quasar Payload
Quasar RAT
Malware Config
C2 Extraction:
thomasfunte.zapto.org:64779
yncesucesss.chickenkiller.com:64779
Unpacked files
SH256 hash:
affd6e89b3357f6a8418ceb96c5a101eb38ea0af16b2d8a0ac256459130740ff
MD5 hash:
b25394f4eebb48b3536b460929362643
SHA1 hash:
c7d7b3fe522bfd11d97b186f79713b9100465960
Link:
https://www.unpac.me/results/cd094518-26b0-464d-8bc1-8f077dab9c40/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/affd6e89b3357f6a8418ceb96c5a101eb38ea0af16b2d8a0ac256459130740ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe affd6e89b3357f6a8418ceb96c5a101eb38ea0af16b2d8a0ac256459130740ff

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/228386/

Comments


Avatar
zbet commented on 2022-01-31 10:14:05 UTC

url : hxxp://jcvmarketingassociates.com/lowirkoplk/eopmkomkoywjffwnfbefrvgqamigg.exe