MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4401e082c3eb9275a7be41c333f1d7ee13894dff4f794dc3544f8397990e35e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 10


SHA256 hash: b4401e082c3eb9275a7be41c333f1d7ee13894dff4f794dc3544f8397990e35e
SHA3-384 hash: 327e5cfd64cf04cdfa85ba372f70fd64a6cb5ddbc05a693da89d776e93d9c1d2f7ca51076f8687c01e95ffdfa54007a3
SHA1 hash: fd0f8618acbfff4ceb0743b468976879f24dec88
MD5 hash: a86d1b872c7339cc73f7a6c602b0166a
humanhash: jupiter-queen-tango-two
File name: a86d1b872c7339cc73f7a6c602b0166a.exe
Signature: QuasarRAT
File size: 3'537'313 bytes
First seen: 2021-08-01 04:15:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (873 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:UbRdNP1xkn59yXmCJG/P2T+xgHyB9bxipo:UrenrDCJgeOyE91wo
Threatray: 801 similar samples on MalwareBazaar
TLSH: T17DF53311FDC4A9B2D8E14D7255A49E20597FBC201F288E9F63B88A3B96302D1B771727
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: abuse_ch
Tags: exe QuasarRAT RAT


abuse_ch
QuasarRAT C2:
45.14.50.120:8808

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 45.14.50.120:8808
ThreatFox reference: https://threatfox.abuse.ch/ioc/165299/

Intelligence


File Origin
# of uploads: 1
# of downloads: 1'598
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Blizzard.zip
Verdict: Malicious activity
Analysis date: 2021-07-30 16:43:08 UTC
Tags: trojan rat quasar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Beds Obfuscator
Yara detected BrowsingHistoryView browser history reader tool
Yara detected Costura Assembly Loader
Yara detected MultiObfuscated
Yara detected Quasar RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph (ID 457418; sample m8fxezg0Ur.exe; start date 01/08/2021; architecture WINDOWS; score 100). Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected MultiObfuscated; 11 other signatures. The graph image is not reproduced here; its process tree, dropped files and network contacts read as follows:

m8fxezg0Ur.exe
  drops C:\Users\user\AppData\Local\...\Runtime.exe (PE32) and C:\Users\user\AppData\Local\...\Panel.exe (PE32)
  Panel.exe
    drops C:\Users\user\AppData\...\RtkBtManServ.exe (PE32) and C:\Users\user\AppData\Local\...\Panel.exe.log (ASCII)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
    RtkBtManServ.exe
      network: api64.ipify.org (108.171.202.195:443, WEBNXUS, United States); discord.com (162.159.136.232:443, CLOUDFLARENETUS, United States); 2 other IPs or domains
      drops C:\Users\user\AppData\Local\...\xwizard.exe, C:\Users\user\AppData\Local\...\winhlp32.exe, C:\Users\user\AppData\Local\...\snuvcdsm.exe (all PE32); 5 other files (2 malicious)
      signatures: Multi AV Scanner detection for dropped file; May check the online IP address of the machine; Machine Learning detection for dropped file
      wscript.exe (three instances), each -> cmd.exe (with conhost.exe) -> snuvcdsm.exe / winhlp32.exe (plus 2 other processes) / xwizard.exe
        snuvcdsm.exe: contacts 192.168.2.1; Multi AV Scanner detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc)
      2 other processes -> cmd.exe (-> conhost.exe, bfsvc.exe), conhost.exe, choice.exe
  Runtime.exe
    drops C:\Users\user\AppData\...\WindowsWMI.exe (PE32)
    signatures: Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
    WindowsWMI.exe
      network: tools.keycdn.com (185.172.148.96:443, PROINITYPROINITYDE, Germany); 45.14.50.120:8808 (ITGLOBAL-NL, Netherlands); 3 other IPs or domains
      signatures: Detected unpacking (overwrites its own PE header); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
      schtasks.exe -> conhost.exe
    schtasks.exe -> conhost.exe
Runtime.exe (second instance, started directly from the start node)
  signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
Threat name: ByteCode-MSIL.Trojan.Quasar
Status: Malicious
First seen: 2021-07-28 18:34:53 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:quasar botnet:gs ratter spyware stealer suricata trojan upx
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
NirSoft WebBrowserPassView
Nirsoft
Quasar Payload
Quasar RAT
suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
Malware Config
C2 Extraction: 45.14.50.120:8808
Unpacked files
SHA256 hash: 56e8830fa7e0194a01177b00749c8c2aba6c968a9c8ca4d94f39763da800b8b2
MD5 hash: 1b028d786a148e840ce254ec133658dd
SHA1 hash: 8cc9e0c8469e42d359b31b5d2e708a6e1c05c64f

SHA256 hash: f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312
MD5 hash: 88ab0bb59b0b20816a833ba91c1606d3
SHA1 hash: 72c09b7789a4bac8fee41227d101daed8437edeb

SHA256 hash: b4401e082c3eb9275a7be41c333f1d7ee13894dff4f794dc3544f8397990e35e
MD5 hash: a86d1b872c7339cc73f7a6c602b0166a
SHA1 hash: fd0f8618acbfff4ceb0743b468976879f24dec88

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.