MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bef09c4e715063415146af6323755bbc13c1651c3ba5ac6bcd9acd283489cd5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	bef09c4e715063415146af6323755bbc13c1651c3ba5ac6bcd9acd283489cd5b
SHA3-384 hash:	c7c8f2c4be2937804d6e44b12099ff5565a6bb194f24e45ab3489550e2298480ca94ba335c78f3eb2eedb5654ac8a23d
SHA1 hash:	da9f5bf98ecdfc5e382def6e02886974aa6fab83
MD5 hash:	cf88a403dca8c960bc222d2686bde9b3
humanhash:	november-jig-west-network
File name:	SecuriteInfo.com.Variant.Jaik.77520.28663.5582
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	485'728 bytes
First seen:	2022-12-13 04:29:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep	12288:hyIoafqTrRqte3VasT9hC9MxtgsD+8HFX:hDYqcpYCbgKrHFX
Threatray	357 similar samples on MalwareBazaar
TLSH	T150A412C3368406CBC815457526BF0E794A37BF109C56BA477780BB6E0AB75C2BA03CE9
TrID	92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133) 3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 1.1% (.EXE) Win64 Executable (generic) (10523/12/4) 0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	74f48888868e88b4 (12 x SnakeKeylogger, 7 x Formbook, 5 x RemcosRAT)
Reporter	SecuriteInfoCom
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

193

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

quasar

ID:

File name:

SecuriteInfo.com.Variant.Jaik.77520.28663.5582

Verdict:

Malicious activity

Analysis date:

2022-12-13 04:34:40 UTC

Tags:

installer quasar

Link:

https://app.any.run/tasks/a8c91e75-6f01-45a2-b2ff-a9871ee8a3d4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/345719/

Detection(s):

SecuriteInfo.com.Variant.Jaik.77520.28663.5582.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6397ff939a505ad9423f6807/reports/700bb6ae-dc6f-4249-971a-13d60e1ff486/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3625153c-ecec-4553-aabb-a79ea9eea584

Result

Threat name:

DarkCloud

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1133191

Signature

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Writes or reads registry keys via WMI

Yara detected DarkCloud

Yara detected Generic Dropper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bef09c4e715063415146af6323755bbc13c1651c3ba5ac6bcd9acd283489cd5b/

Threat name:

Win32.Trojan.NSISInject

Status:

Malicious

First seen:

2022-12-13 04:30:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x3yjyttrkbrucukgv5rsg5k3xqj4czi4hos2y26ntlgsqnejzvnq._file

Verdict:

malicious

QuasarRAT

397be5bd6dd070eb7cb65a18294fbebc7d103d60de335ae146973e728e134f93

QuasarRAT

5a0e867d3425a538b1fcf0e08688d68025e6db8164936661bdc214ec7437d209

QuasarRAT

5d91b283ad506abd48ec8708fd2255c28e525c2c3c2cbcbcea1ff4e5a1185ce4

QuasarRAT

6c0f5a9bf9bfd84be91f3d84335b63ac95ac2b227fedc5de439971577328ac30

QuasarRAT

893a4410c9f5b1e2f6d60186615cbffadeb932f55c60b199e9ffdd0aabd83e1e

QuasarRAT

b4d384c4beb28700a5ca488567c34bcec8331baf771f16549383bb06e057d4a3

QuasarRAT

b9c5179f929bbd51d78b67ef1fa08e2336c47c649f0f9ec4fd307a292d4c3391

QuasarRAT

c0369b4df537e89f06bf2e978948a2aabb33a65069f58e1dee067cab7250e53a

QuasarRAT

c855930471954f5956be31cbfbee70a5ce52f50daadb0c9cdc6ba1e28b95510d

QuasarRAT

+ 347 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/221213-e4akcsde68/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/01910c05-e30c-419c-bf22-939fa6385c35

Unpacked files

SH256 hash:

cafe2d7046126b364865a98395f826645e1991dd6ed16487293bcc01e0832a6b

MD5 hash:

fe1770a209f5a3010f33d0dca014c652

SHA1 hash:

6fe0511f5bc6d9571e560388e109a9de65fbbf42

Link:

https://www.unpac.me/results/b12f3ca3-620f-43e0-86b6-9a8ee04f233d/

SH256 hash:

3aca553c2aaa41432c8e81aa344fbf997b7429464692d76cc2510f283d6a9852

MD5 hash:

7f8fb90e2bd899d039e2664c13d8d866

SHA1 hash:

3b12480638fb4a9f064f8c8864b923551cccd096

Link:

https://www.unpac.me/results/b12f3ca3-620f-43e0-86b6-9a8ee04f233d/

SH256 hash:

c83e00d2e65773d451ba2c1f8166c0614dfd8116a366b079b707f0888f2a9432

MD5 hash:

c8290f8d1257069aaa0e245bc9af619e

SHA1 hash:

06b56b286917e771fc0946fdb4befedd3ffcd867

Link:

https://www.unpac.me/results/b12f3ca3-620f-43e0-86b6-9a8ee04f233d/

SH256 hash:

e432a1c158f644efb098415ef02c7961618c8836c7a6b50fc7e2e8d2802d38dc

MD5 hash:

6e51087022a4da76cdde85cfe102f03d

SHA1 hash:

e5f59ffd1a294e565fa4e7b773aea4f4cfe56169

Link:

https://www.unpac.me/results/b12f3ca3-620f-43e0-86b6-9a8ee04f233d/

SH256 hash:

bef09c4e715063415146af6323755bbc13c1651c3ba5ac6bcd9acd283489cd5b

MD5 hash:

cf88a403dca8c960bc222d2686bde9b3

SHA1 hash:

da9f5bf98ecdfc5e382def6e02886974aa6fab83

Link:

https://www.unpac.me/results/b12f3ca3-620f-43e0-86b6-9a8ee04f233d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.63

Link:

https://yomi.yoroi.company/submissions/bef09c4e715063415146af6323755bbc13c1651c3ba5ac6bcd9acd283489cd5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Quasar_RAT_1_RID2B54 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/345719/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample