MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1d67650c1478f217e31fc7d54d9196bf6384d6e6edcafcc85f600a858ea2252. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1d67650c1478f217e31fc7d54d9196bf6384d6e6edcafcc85f600a858ea2252
SHA3-384 hash: 9ab81b7b5d641f71c1e656850ed53ab5fc6c3e45182900c1c158c6ce1d08356c64b506a463b3c5e611818bec6e172e48
SHA1 hash: 1b814baeae64dd9817ece6bb1511877839d307ab
MD5 hash: c9e9d9f08d6aa7277b027d6523967585
humanhash: bluebird-delaware-eighteen-bluebird
File name:Bypass.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:5'570'560 bytes
First seen:2023-07-31 19:49:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:Sqi0ajmWi0flztEdP3ImavJ87wvIlW/jimpsq7gPbnfJtryiORabo:Sqi0ajmWi0N5E5fA6blWrFpzgXry3
Threatray 209 similar samples on MalwareBazaar
TLSH T1BB4633D1591A38E7D442837A720222284DB4A38A79BCFF34C3EB59507327764E6F86C7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter sockd86
Tags:cracked exe NEW QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
383
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
Bypass.exe
Verdict:
Malicious activity
Analysis date:
2023-07-31 19:52:01 UTC
Tags:
rat quasar trojan asyncrat remote
Link:
https://app.any.run/tasks/0e6fa728-167f-4a20-8917-762c0a433bf9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/439477/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.20980.22838.12354.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the Windows directory
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a file
Creating a window
Creating a file in the system32 subdirectories
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64c8106da6284b7a56833275/reports/ae54354d-001b-4886-9ea6-2402a80704aa/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c1d67650c1478f217e31fc7d54d9196bf6384d6e6edcafcc85f600a858ea2252
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3ddd98f7-df9e-46da-a437-aa3e2515e13d
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
74 / 100
Link:
https://www.joesandbox.com/analysis/1283394
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Potentially malicious time measurement code found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1283394 Sample: Bypass.exe Startdate: 31/07/2023 Architecture: WINDOWS Score: 74 109 Multi AV Scanner detection for domain / URL 2->109 111 Found malware configuration 2->111 113 Malicious sample detected (through community Yara rule) 2->113 115 10 other signatures 2->115 11 Steam.exe 2->11         started        15 Bypass.exe 6 2->15         started        18 WindowsAddon.exe 3 2->18         started        20 2 other processes 2->20 process3 dnsIp4 93 2.21.22.169 AKAMAI-ASN1EU European Union 11->93 95 2.21.22.184 AKAMAI-ASN1EU European Union 11->95 75 C:\Program Files (x86)\...\tenfoot.uifont_, PDP-11 11->75 dropped 77 C:\...\store_app_bg_mask.png_, PNG 11->77 dropped 79 C:\Program Files (x86)\...\store_app_bg.png_, PNG 11->79 dropped 87 35 other malicious files 11->87 dropped 81 C:\Windows\Windows.exe, PE32 15->81 dropped 83 C:\Users\user\AppData\...\SteamSetup.exe, PE32 15->83 dropped 85 C:\Users\user\AppData\...\Bypass.exe.log, CSV 15->85 dropped 131 Encrypted powershell cmdline option found 15->131 133 Drops executables to the windows directory (C:\Windows) and starts them 15->133 22 Windows.exe 5 15->22         started        26 SteamSetup.exe 16 70 15->26         started        28 powershell.exe 20 15->28         started        file5 signatures6 process7 file8 65 C:\Windows\System32\SubDir\WindowsAddon.exe, PE32 22->65 dropped 119 Machine Learning detection for dropped file 22->119 121 Uses schtasks.exe or at.exe to add and modify task schedules 22->121 123 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->123 30 WindowsAddon.exe 14 9 22->30         started        35 schtasks.exe 1 22->35         started        67 C:\Program Files (x86)\Steam\uninstall.exe, PE32 26->67 dropped 69 C:\Program Files (x86)\...\SteamService.exe, PE32 26->69 dropped 71 C:\Program Files (x86)\Steam\Steam.exe, PE32 26->71 dropped 73 5 other files (none is malicious) 26->73 dropped 37 SteamService.exe 26->37         started        39 conhost.exe 28->39         started        signatures9 process10 dnsIp11 97 147.185.221.16 SALSGIVERUS United States 30->97 99 195.201.57.90 HETZNER-ASDE Germany 30->99 101 3 other IPs or domains 30->101 89 C:\Users\...\77EC63BDA74BD0D0E0426DC8F8008506, Microsoft 30->89 dropped 103 Machine Learning detection for dropped file 30->103 105 Writes many files with high entropy 30->105 107 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->107 41 cmd.exe 30->41         started        44 schtasks.exe 30->44         started        46 conhost.exe 35->46         started        91 C:\Program Files (x86)\...\steamservice.exe, PE32 37->91 dropped 48 conhost.exe 37->48         started        file12 signatures13 process14 signatures15 125 Uses ping.exe to sleep 41->125 127 Drops executables to the windows directory (C:\Windows) and starts them 41->127 129 Uses ping.exe to check the status of other devices and networks 41->129 50 WindowsAddon.exe 41->50         started        53 conhost.exe 41->53         started        55 chcp.com 41->55         started        57 PING.EXE 41->57         started        59 conhost.exe 44->59         started        process16 signatures17 117 Hides that the sample has been downloaded from the Internet (zone.identifier) 50->117 61 schtasks.exe 50->61         started        process18 process19 63 conhost.exe 61->63         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1d67650c1478f217e31fc7d54d9196bf6384d6e6edcafcc85f600a858ea2252/
Threat name:
ByteCode-MSIL.Trojan.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-07-31 19:50:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yhlhmugbi6hsc7rr7r6vjwiznp3dqtlon3ok7tef6yakqwhkejja._file
Verdict:
malicious
Similar samples:
076cb1ac8e46bc1226a8bb42d83afac656d525cb7e6dc9a4d79475ab9b286440
QuasarRAT
150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03
QuasarRAT
8a69059cb39f960058cba45dd63b1b33eba4011bff0cc3e374e4d844393f3acc
QuasarRAT
9bc86d7600883fea7d2bd5d30eaef3f7ff8336ac4736ca16efa3f542a81e7e77
QuasarRAT
9c17ba1f31d3c5a41d0437818a7d6512775ba991a1d8a03e49f29fc982191190
QuasarRAT
a75311b45f6434a5af77bc068b9daf6d6800704fb768aaaeb960a2448a355f02
QuasarRAT
d1ebd145d558af0cc2ee585a8463dd0336e59d13864552588d7a8a1fa3544770
QuasarRAT
d8c9255982a5932dbaf224d475d2161d814de36784b797d576e41c263587e20a
QuasarRAT
+ 199 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office04 spyware trojan
Link:
https://tria.ge/reports/230731-yj9nhaag45/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Executes dropped EXE
Loads dropped DLL
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
line-ellis.gl.at.ply.gg:10735
Unpacked files
SH256 hash:
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
MD5 hash:
c5b9fe538654a5a259cf64c2455c5426
SHA1 hash:
db45505fa041af025de53a0580758f3694b9444a
Link:
https://www.unpac.me/results/94b151ae-2d47-4ef5-9bbf-59ae0ab5a2b2/
SH256 hash:
9a88bccecb259132fab9a4f1772aad101941ec94a6dc4066f682ea98a8e7bb5c
MD5 hash:
0a3e96735158c2cfc4428be229bc5dd3
SHA1 hash:
c55008fe4406c21e8ec464eb8b8e896a9360f689
Link:
https://www.unpac.me/results/94b151ae-2d47-4ef5-9bbf-59ae0ab5a2b2/
SH256 hash:
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
MD5 hash:
0d45588070cf728359055f776af16ec4
SHA1 hash:
c4375ceb2883dee74632e81addbfa4e8b0c6d84a
Link:
https://www.unpac.me/results/94b151ae-2d47-4ef5-9bbf-59ae0ab5a2b2/
SH256 hash:
e47f229a874c4ee7a4d65725ebbe9cf21ad4ad8721d7b79abc9525790c658da3
MD5 hash:
cc2c1ac676c52a4aa6e6f354b371e7a3
SHA1 hash:
c3e407a669b4c808e198ece5207bd238550ba69b
Link:
https://www.unpac.me/results/94b151ae-2d47-4ef5-9bbf-59ae0ab5a2b2/
SH256 hash:
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
MD5 hash:
f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 hash:
b058e3fcfb7b550041da16bf10d8837024c38bf6
Link:
https://www.unpac.me/results/94b151ae-2d47-4ef5-9bbf-59ae0ab5a2b2/
SH256 hash:
e2ad7736209d62909a356248fce8e554093339b18ef3e6a989a3c278f177ad48
MD5 hash:
98a4efba4e4b566dc3d93d2d9bfcab58
SHA1 hash:
8c54ae9fcec30b2beea8b6af4ead0a76d634a536
Link:
https://www.unpac.me/results/94b151ae-2d47-4ef5-9bbf-59ae0ab5a2b2/
SH256 hash:
8dc2be6679497994e3ddc97bc7bc1ce2b3c17ef3528b03ded6696ef198a11d10
MD5 hash:
0c44f21d4afc81cc99fac7cc35e4503a
SHA1 hash:
3d0d5c684df99a46510c0e2c0020163a9d11c08d
Link:
https://www.unpac.me/results/94b151ae-2d47-4ef5-9bbf-59ae0ab5a2b2/
SH256 hash:
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
MD5 hash:
a4dd044bcd94e9b3370ccf095b31f896
SHA1 hash:
17c78201323ab2095bc53184aa8267c9187d5173
Link:
https://www.unpac.me/results/94b151ae-2d47-4ef5-9bbf-59ae0ab5a2b2/
SH256 hash:
8c6a95a1bf06c22224ab43bc1a1948f2cb0fd8d7089f2b828033c0fde161d2c2
MD5 hash:
d5bf01b2a316120d3d906e48e850520e
SHA1 hash:
a0e2f1caca1d35c227d231e6063d71ffe1d06322
Link:
https://www.unpac.me/results/94b151ae-2d47-4ef5-9bbf-59ae0ab5a2b2/
SH256 hash:
c1d67650c1478f217e31fc7d54d9196bf6384d6e6edcafcc85f600a858ea2252
MD5 hash:
c9e9d9f08d6aa7277b027d6523967585
SHA1 hash:
1b814baeae64dd9817ece6bb1511877839d307ab
Link:
https://www.unpac.me/results/94b151ae-2d47-4ef5-9bbf-59ae0ab5a2b2/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c1d67650c147/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1d67650c1478f217e31fc7d54d9196bf6384d6e6edcafcc85f600a858ea2252

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe c1d67650c1478f217e31fc7d54d9196bf6384d6e6edcafcc85f600a858ea2252

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/439477/

Comments