MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c284505447b8529fdd468e13f149582f5083cf442733bfb7bdebf66d38476f20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	c284505447b8529fdd468e13f149582f5083cf442733bfb7bdebf66d38476f20
SHA3-384 hash:	841fbe553fe360cf442007473319c2f1b399dc570577b8871861bc596a5382bca0f65d49d0367dc7c6d260ba74521515
SHA1 hash:	2f449790415a4b7a2a4297e20169c6457b851863
MD5 hash:	c9abc0932559d7ecced02a9125acea05
humanhash:	kentucky-sixteen-fillet-yellow
File name:	c9abc0932559d7ecced02a9125acea05.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	3'664'896 bytes
First seen:	2023-10-12 12:55:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	847c2f25b48889c8545823bcf35ae6ba (1 x QuasarRAT)
ssdeep	98304:TMOl82OGyTIZ+e9KsPdJDrL6R2tcya1luLIlMCABHQ:T9l82skVxEGcya1lVKQ
Threatray	240 similar samples on MalwareBazaar
TLSH	T13A062326F76A60F8E07BC1B1964605316533FCB107746AFF02A0A7226E735E42E3DB95
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	abuse_ch
Tags:	exe QuasarRAT RAT

abuse_ch

QuasarRAT C2:
185.17.0.246:1419

Intelligence

File Origin

# of uploads :

# of downloads :

347

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c9abc0932559d7ecced02a9125acea05.exe

Verdict:

No threats detected

Analysis date:

2023-10-12 12:59:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fbe052ca-8dd6-421a-8c4d-47f52ae0709b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/453829/

Detection(s):

SecuriteInfo.com.Win64.TrojanX-gen.6491.17782.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Creating a window

Launching a process

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug greyware packed

Link:

https://www.filescan.io/uploads/6527ece43b921285dcdd5b2e/reports/65a6b039-c81f-44d1-a9c6-a1456cb57af9/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/c284505447b8529fdd468e13f149582f5083cf442733bfb7bdebf66d38476f20

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/659590b7-5eb7-45c2-8d45-53d134da3829

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c284505447b8529fdd468e13f149582f5083cf442733bfb7bdebf66d38476f20

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c284505447b8529fdd468e13f149582f5083cf442733bfb7bdebf66d38476f20/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2023-10-12 12:56:06 UTC

File Type:

PE+ (Exe)

AV detection:

10 of 22 (45.45%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ykcfavchxbjj7xkgryj7cskyf5iiht2ee4z37n555p3g2ochn4qa._file

Verdict:

malicious

QuasarRAT

71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc

QuasarRAT

814fde58d94356918c7bdcd449e46c28aeff737db12aa6307f4dbf87eaf09277

QuasarRAT

9bc86d7600883fea7d2bd5d30eaef3f7ff8336ac4736ca16efa3f542a81e7e77

QuasarRAT

ae8c4f72c13b4103e0e977bbf2939a4b97860d1c279994d1b0bd27e00cbf8c2f

QuasarRAT

e844192fb4c52758db729e18e8898fe0921bdbe1e2d3ac3da6a6b5d2cedecb71

QuasarRAT

+ 230 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar botnet:cashing spyware trojan

Link:

https://tria.ge/reports/231012-p6b63sch36/

Behaviour

Creates scheduled task(s)

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Quasar RAT

Quasar payload

Malware Config

C2 Extraction:

185.17.0.246:1419

Unpacked files

SH256 hash:

c284505447b8529fdd468e13f149582f5083cf442733bfb7bdebf66d38476f20

MD5 hash:

c9abc0932559d7ecced02a9125acea05

SHA1 hash:

2f449790415a4b7a2a4297e20169c6457b851863

Link:

https://www.unpac.me/results/be05f349-b37f-4ce9-9194-507240ae4ba9/

Malware family:

QuasarRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c284505447b8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c284505447b8529fdd468e13f149582f5083cf442733bfb7bdebf66d38476f20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Rustyloader_mem_loose Create hunting rule
Author:	James_inthe_box
Description:	Corroded buerloader
Reference:	https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24