MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7823b23e2ef21045e77a01f2f34f86f387a607f4c1d949571c01c1fcdfd7fa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7823b23e2ef21045e77a01f2f34f86f387a607f4c1d949571c01c1fcdfd7fa1
SHA3-384 hash: f63f6201d91cbb51b2cb26a2e1965bd18de29f5e9a982889ea576f1cd4ece29b6d740cbc91a47edd7789f08e97f93ffe
SHA1 hash: da5a2b0b9edfbfb7ae5b5f0e9241e0352893bb14
MD5 hash: e18ea0cf45d53d61e52ea83246bfbc55
humanhash: angel-bravo-august-helium
File name:fola(1).exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:4'876'800 bytes
First seen:2020-12-01 08:32:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5479775c1d012f10601477c1237fe7d4 (6 x QuasarRAT, 2 x BitRAT, 1 x RevCodeRAT)
ssdeep 98304:2vP/VTjzO1WUFmmlfU4zGsuhf1R4LYEywbs/ExnnXqrKJI:EVTjzKY8t3b25cNarKJI
Threatray 31 similar samples on MalwareBazaar
TLSH A436236FA6B14833C0231A789D17D76B5D26BE132B2868966BF42D4C7F3D2513E39183
Reporter Marco_Ramilli
Tags:QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106176/
Detection(s):
SecuriteInfo.com.BackDoor.Quasar.124.18597.2139.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Result
Gathering data
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/551945
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Writes to foreign memory regions
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 325076 Sample: fola(1).exe Startdate: 01/12/2020 Architecture: WINDOWS Score: 100 83 g.msn.com 2->83 93 Malicious sample detected (through community Yara rule) 2->93 95 Antivirus detection for URL or domain 2->95 97 Yara detected Quasar RAT 2->97 99 6 other signatures 2->99 13 fola(1).exe 2->13         started        16 wscript.exe 1 2->16         started        18 wscript.exe 2->18         started        signatures3 process4 signatures5 145 Writes to foreign memory regions 13->145 147 Allocates memory in foreign processes 13->147 149 Queues an APC in another process (thread injection) 13->149 20 notepad.exe 5 13->20         started        24 emkp.exe 16->24         started        26 emqkp.exe 18->26         started        process6 file7 69 C:\Users\user\AppData\Roaming\fgbp\emkp.exe, PE32 20->69 dropped 71 C:\Users\user\...\emkp.exe:Zone.Identifier, ASCII 20->71 dropped 73 C:\Users\user\AppData\Roaming\...\cviw.vbs, ASCII 20->73 dropped 101 Creates files in alternative data streams (ADS) 20->101 103 Drops VBS files to the startup folder 20->103 28 emkp.exe 20->28         started        105 Maps a DLL or memory area into another process 24->105 31 emkp.exe 24->31         started        33 emqkp.exe 26->33         started        signatures8 process9 signatures10 131 Multi AV Scanner detection for dropped file 28->131 133 Detected unpacking (changes PE section rights) 28->133 135 Detected unpacking (overwrites its own PE header) 28->135 139 4 other signatures 28->139 35 emkp.exe 1 25 28->35         started        137 Hides threads from debuggers 31->137 process11 dnsIp12 85 yz.videomarket.eu 185.157.161.109, 1972, 1973, 49713 OBE-EUROPEObenetworkEuropeSE Sweden 35->85 87 medicalcorp.ro 176.126.200.6, 49715, 49757, 49760 GTSCEGTSCentralEuropeAntelGermanyCZ Romania 35->87 75 C:\Users\user\...\cMPHS3CRCvrMygNK.exe, PE32 35->75 dropped 77 C:\Users\user\...\c7kIHNys3uWrlhUS.exe, PE32 35->77 dropped 79 C:\Users\user\...\S1hS3Fo7vQLjT5Tm.exe, PE32 35->79 dropped 81 3 other files (2 malicious) 35->81 dropped 107 Sample uses process hollowing technique 35->107 109 Hides threads from debuggers 35->109 111 Injects a PE file into a foreign processes 35->111 40 FIDyeSe4e8ruLdPN.exe 35->40         started        43 S1hS3Fo7vQLjT5Tm.exe 35->43         started        45 emkp.exe 35->45         started        47 emkp.exe 35->47         started        file13 signatures14 process15 signatures16 123 Machine Learning detection for dropped file 40->123 125 Writes to foreign memory regions 40->125 127 Allocates memory in foreign processes 40->127 129 Contains functionality to detect sleep reduction / modifications 40->129 49 notepad.exe 4 40->49         started        52 notepad.exe 43->52         started        process17 file18 65 C:\Users\user\AppData\Roaming\...\emqkp.exe, PE32 49->65 dropped 54 emqkp.exe 49->54         started        67 C:\Users\user\AppData\Roaming\...\cviqw.vbs, ASCII 52->67 dropped 57 emqkp.exe 52->57         started        process19 signatures20 113 Detected unpacking (changes PE section rights) 54->113 115 Detected unpacking (creates a PE file in dynamic memory) 54->115 117 Detected unpacking (overwrites its own PE header) 54->117 121 3 other signatures 54->121 59 emqkp.exe 15 4 54->59         started        119 Maps a DLL or memory area into another process 57->119 63 emqkp.exe 57->63         started        process21 dnsIp22 89 yz.videomarket.eu 59->89 91 ip-api.com 208.95.112.1, 49718, 80 TUT-ASUS United States 59->91 141 Hides that the sample has been downloaded from the Internet (zone.identifier) 59->141 143 Installs a global keyboard hook 59->143 signatures23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b7823b23e2ef21045e77a01f2f34f86f387a607f4c1d949571c01c1fcdfd7fa1/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-12-01 08:33:05 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w6bdwi7c54qqixtxuaps6nhyn44huyd7jqozjflryaob7tp5p6qq._file
Verdict:
malicious
Similar samples:
04c27b0ff1c12b58c1520db0ffc14e7ced2f5adae24e08a3ff66fcc1723676cf
QuasarRAT
0c32d3b8dc349aac990a76c405f39b973ed2664847602f4100200ae12ccabd6d
QuasarRAT
0cf6c64800271784234f89dd95925d58075254e5756946de94f447b6defee4fc
QuasarRAT
40512789548e02bb2db55e51975a733d342279a76c7ecdf78b9e238329591200
QuasarRAT
723e6b54cd996205412396bbfba18171a8e4e7297dd2492b35ec198e122849cb
QuasarRAT
78fc1b0ad5b1bf8392a5e1a6dde5dab2fbee2f2fbb833c3c4ba85ace7e9c35e5
QuasarRAT
83db3e008537b9da1f048cf2a36931238afcdabf35ecbeedecd808ea6bee3bf3
QuasarRAT
c074b02a7c31f653ce16773fe3d97884a5d4cefed346918b79db7f060661f9f0
QuasarRAT
cd857ee1ccdff34a0cd65732a18bc3a99d53e388423dcff0a73ca0307dcb1f7a
QuasarRAT
ef67b30b7ae1fd2b27a17f1e0172954912c78c541f7cb162ff003a9b42f128c4
QuasarRAT
+ 21 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/201201-sszdbb66s6/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
b7823b23e2ef21045e77a01f2f34f86f387a607f4c1d949571c01c1fcdfd7fa1
MD5 hash:
e18ea0cf45d53d61e52ea83246bfbc55
SHA1 hash:
da5a2b0b9edfbfb7ae5b5f0e9241e0352893bb14
Link:
https://www.unpac.me/results/6ac9b654-8ee7-4c48-b2e6-4f35a82c56c2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b7823b23e2ef21045e77a01f2f34f86f387a607f4c1d949571c01c1fcdfd7fa1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MSILStealer
Create hunting rule
Author:https://github.com/hwvs
Description:Detects strings from C#/VB Stealers and QuasarRat
Reference:https://github.com/quasar/QuasarRAT
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe b7823b23e2ef21045e77a01f2f34f86f387a607f4c1d949571c01c1fcdfd7fa1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/869726/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/106176/

Comments