MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b00ffbe33a4398cdfdb136564f24dfd6ff292b11a9adbc4041aa2a532af6edfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 5

Intelligence 5 IOCs YARA 7 File information Comments

SHA256 hash:	b00ffbe33a4398cdfdb136564f24dfd6ff292b11a9adbc4041aa2a532af6edfb
SHA3-384 hash:	b8c6b938c644a8667ecb38d8a2110c30d07e34170d5f65b1ff16330b2b6a825e1fa9bba041f4c65b762825260309f4f4
SHA1 hash:	4ac043e971f3f1f8e04a3e5eb52bfce9fe39ab1e
MD5 hash:	7686afd2da84dbe8309e85738f2a7031
humanhash:	minnesota-foxtrot-berlin-hamper
File name:	b00ffbe33a4398cdfdb136564f24dfd6ff292b11a9adbc4041aa2a532af6edfb
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	3'145'181 bytes
First seen:	2020-06-16 09:25:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9165ea3e914e03bda3346f13edbd6ccd (3 x ValleyRAT, 2 x QuasarRAT, 1 x Redosdru)
ssdeep	49152:gvnob8xxOZW6g2+J2wbE6ZaE4KG8VsovYVo+JiP1zLWrd0cXmsvD/DX+y4onCYDz:8obaJ6vh+Z6J0c2svD/D+donCYUO
Threatray	65 similar samples on MalwareBazaar
TLSH	56E5AF43D37540E9E9EBC03689169623D7B1F4144722E7EF1690AEB12F237E15ABE312
Reporter	JAMESWT_WT
Tags:	QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/10679/

Detection(s):

Win.Trojan.Generic-6295765-0

Win.Malware.Generic-6623004-0

Win.Malware.Vjadtre-6840658-0

Win.Malware.Flystudio-6937682-0

Win.Dropper.Flystudio-7049423-1

PUA.Win.Adware.Browsefox-6628766-0

PUA.Win.Trojan.Generic-6629274-0

Win.Trojan.Zloyfly-1

Gathering data

Threat name:

Win32.Backdoor.QuasarRAT

Status:

Malicious

First seen:

2020-06-11 14:05:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

30 of 31 (96.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wah7xyz2iomm37nrgzle6jg7237sskyrvgw3yqcbvivfgkxw5x5q._file

Verdict:

malicious

QuasarRAT

0f1f333f34d4ab91907ca6a0ad8d3360d5324623e9c885ab228127bce34932e5

QuasarRAT

3b6888d30e34ab5f977345c962d76f352483f6138a89079061839af1f553ca18

QuasarRAT

48b9908bc98ae2903ee34167224b402fe5eb3a6c9b853ab17e728de52e2639a0

QuasarRAT

7722f9fc1c3104b305915e49413e86df71e233fc2ac2914eee60ab7a59fcdf14

QuasarRAT

95e35f1614df92a318a749a8f62a35b9c03f2f34f08ad5606b45c9d817ff1d93

QuasarRAT

bd668ef292ae01d2ed9a32b1ea054e2acb484f61e86481f306669637ba31ce82

QuasarRAT

e162d29d0ba895e3ea7d75000c41c843225c7d29147b323ed9a72f4de3c1f6f0

QuasarRAT

f309d3820c2f40109825f3ebf2e00f84f0eb8d97e3b78cc74e751b69ba738435

QuasarRAT

fde7c52c166cd76fea454bbb539e7eba9ce704f5b442534bf5c4163213215426

QuasarRAT

+ 55 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

trojan spyware family:quasar

Link:

https://tria.ge/reports/200624-59ay5yw9mn/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Looks up external IP address via web service

Loads dropped DLL

Executes dropped EXE

Quasar RAT

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_CN_FlyStudio_May18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects malware / hacktool detected in May 2018
Reference:	Internal Research

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	MSILStealer Create hunting rule
Author:	https://github.com/hwvs
Description:	Detects strings from C#/VB Stealers and QuasarRat
Reference:	https://github.com/quasar/QuasarRAT

Rule name:	Quasar Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect QuasarRAT in memory

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Quasar_RAT_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	S_MultiFunction_Scanners_s Create hunting rule
Author:	Florian Roth
Description:	Chinese Hacktool Set - file s.exe
Reference:	http://tools.zjqhr.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/10679/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample