MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b71f03f6fba81aae42811a696cd5f10ab0641df3bad8fadf0f96cac0aed2fbfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 19


Intelligence 19 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b71f03f6fba81aae42811a696cd5f10ab0641df3bad8fadf0f96cac0aed2fbfe
SHA3-384 hash: 79d513bacae0fad6ab24c51abe815a01aeda7b35ac7b5ef58c511e61e56ecc9b4198aae9262699ea9971232a4b342eac
SHA1 hash: d6b28200b6c602c97c0a94ee58aaf2e422723e1a
MD5 hash: 04fd32cad002b6be92f0b2e84f99084f
humanhash: robert-west-louisiana-vegan
File name:SecuriteInfo.com.Trojan.PWS.Lumma.1819.5964.184
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'277'824 bytes
First seen:2025-02-15 13:08:29 UTC
Last seen:2025-02-15 16:30:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 98304:2I9JbPFKwfRWrKMNnJRQChhZG+87BRGLfcdW:2Cb9KZrnJVMv7BkodW
Threatray 7 similar samples on MalwareBazaar
TLSH T156E5332C29610E3FF4975AB3AB656166188EE730313758869C408DAF21E5FFF1913ED1
TrID 66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.5% (.EXE) Win64 Executable (generic) (10522/11/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
389
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
59f504edf1dda0550c5be702f371ad7fe248e09d032044bae4d894523541bcbc
Verdict:
Malicious activity
Analysis date:
2025-02-14 23:52:14 UTC
Tags:
loader amadey botnet stealer lumma exfiltration cryptbot xenorat rat quasar remote ransomware themida antivm autoit github
Link:
https://app.any.run/tasks/e2a822fe-ff28-4015-b987-489aa5e54be1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Lumma.1819.5964.184.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b09331a0fd713c335ae51e
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Searching for the window
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67b091f9c2f1c1c7a059d207/reports/cf6ac6d8-374d-4d70-9e33-08939c4c1b2d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b71f03f6fba81aae42811a696cd5f10ab0641df3bad8fadf0f96cac0aed2fbfe
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dad0c6be-138d-412a-a271-335b9e30c52d
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1615784
Signature
Contains functionality to inject code into remote processes
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1615784 Sample: SecuriteInfo.com.Trojan.PWS... Startdate: 15/02/2025 Architecture: WINDOWS Score: 100 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 5 other signatures 2->64 10 SecuriteInfo.com.Trojan.PWS.Lumma.1819.5964.184.exe 1 2->10         started        13 services.exe 1 2->13         started        process3 signatures4 70 Contains functionality to inject code into remote processes 10->70 72 Uses schtasks.exe or at.exe to add and modify task schedules 10->72 74 Drops PE files with benign system names 10->74 15 SecuriteInfo.com.Trojan.PWS.Lumma.1819.5964.184.exe 5 10->15         started        19 WerFault.exe 19 16 10->19         started        21 conhost.exe 10->21         started        23 SecuriteInfo.com.Trojan.PWS.Lumma.1819.5964.184.exe 10->23         started        76 Injects a PE file into a foreign processes 13->76 25 conhost.exe 13->25         started        27 services.exe 13->27         started        29 WerFault.exe 13->29         started        process5 file6 50 C:\Users\user\AppData\...\services.exe, PE32 15->50 dropped 52 SecuriteInfo.com.T...19.5964.184.exe.log, ASCII 15->52 dropped 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->56 31 services.exe 1 15->31         started        34 schtasks.exe 1 15->34         started        signatures7 process8 signatures9 78 Multi AV Scanner detection for dropped file 31->78 80 Injects a PE file into a foreign processes 31->80 36 services.exe 8 31->36         started        40 WerFault.exe 19 16 31->40         started        42 conhost.exe 31->42         started        44 conhost.exe 34->44         started        process10 dnsIp11 54 195.177.95.118, 4782, 49710, 49871 DINET-ASRU Ukraine 36->54 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 36->66 68 Installs a global keyboard hook 36->68 46 schtasks.exe 36->46         started        signatures12 process13 process14 48 conhost.exe 46->48         started       
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b71f03f6fba81aae42811a696cd5f10ab0641df3bad8fadf0f96cac0aed2fbfe
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b71f03f6fba81aae42811a696cd5f10ab0641df3bad8fadf0f96cac0aed2fbfe/
Threat name:
Win32.Trojan.LummaC
Create hunting rule
Status:
Malicious
First seen:
2025-02-15 01:35:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w4pqh5x3vank4qubdjuwzvprbkygihptxlmpvxyps3fmblws7p7a._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
1ed00e7cc3376be1502bbd36901fc1b3a79b32a2d41ad5638b004230ba8a32ef
QuasarRAT
268ab7cd89f77eb147718766428f4ea5dd4e54af254fd9b8892e95a0c5d9597f
QuasarRAT
ae5ce29fec8f3011032ac70f7cc139849a9d4a521b7095999fe378529d7aa64b
QuasarRAT
b111fa5b599bf24ccf0661176f0b14ebe377af5ba2f5aa0443e32686b4f09877
QuasarRAT
error
QuasarRAT
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:f2cvixz discovery spyware trojan
Link:
https://tria.ge/reports/250215-qdvndsskez/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
195.177.95.118:4782
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/86629ff1-940c-4b4e-8d67-6fd6e3e94f29
Unpacked files
SH256 hash:
b71f03f6fba81aae42811a696cd5f10ab0641df3bad8fadf0f96cac0aed2fbfe
MD5 hash:
04fd32cad002b6be92f0b2e84f99084f
SHA1 hash:
d6b28200b6c602c97c0a94ee58aaf2e422723e1a
Link:
https://www.unpac.me/results/8790fc97-99eb-4674-9fc7-29feb11db5ed/
SH256 hash:
a78a360007c6685165021b1c88060867a8557c5545f728d277abb74f0b8a1ed8
MD5 hash:
9e7d0df1a6a9217f8f80392cfed9ad34
SHA1 hash:
30342ce7463502d46516d5520ae552f07e1049ed
Detections:
QuasarRAT
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
win_quasarrat_j2
Create hunting rule
win_quasar_rat_client
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_QuasarStealer
Create hunting rule
Link:
https://www.unpac.me/results/8790fc97-99eb-4674-9fc7-29feb11db5ed/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b71f03f6fba8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b71f03f6fba81aae42811a696cd5f10ab0641df3bad8fadf0f96cac0aed2fbfe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe b71f03f6fba81aae42811a696cd5f10ab0641df3bad8fadf0f96cac0aed2fbfe

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3440664/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments