MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2f70806a9fddb3ff61f045c92c48a19a0f889b839f68a2acd0e71e6c091499c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	c2f70806a9fddb3ff61f045c92c48a19a0f889b839f68a2acd0e71e6c091499c
SHA3-384 hash:	2e08aa3fd4c56cedc1c2e12da0761cc29c4854aa7016703add9122b1d111d3d96ba3f23c3cce2c5e564bf86764001c28
SHA1 hash:	41b068e4dc9724dbb61069b93cd5cd769172b36d
MD5 hash:	840028486eb7da9ee3653218f04561fe
humanhash:	minnesota-lactose-apart-spaghetti
File name:	9096ac05ab3135283dc41c505f72e03f.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	356'864 bytes
First seen:	2020-04-06 18:33:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:Cbwb/c2L0tkneiArZTt0sGb7olktr9Ln+v17UE0d9K:UH2LBAHv5l2r9j+vyE0/K
Threatray	97 similar samples on MalwareBazaar
TLSH	E3748D2373A4D93BD1FD173AE53206051BB0D987B616E38B69585ABD6C233868DD03B3
Reporter	abuse_ch
Tags:	exe GuLoader QuasarRAT

abuse_ch

Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1XMlFWkkVtFgB3XfcRN281v_k9_O3EPbq

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Generic-6295765-0

Win.Malware.Generic-6623004-0

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Tinclex

Status:

Malicious

First seen:

2020-04-07 04:29:51 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

35 of 47 (74.47%)

Threat level:

5/5

Verdict:

malicious

QuasarRAT

06749098537b1e1e031e5d568e5e6d3f0bd89ca921953909b42c271b0a3fe5f0

QuasarRAT

0eaa5bbea25ef06214bc21deab41eb7f5bdcdd4c24b0297a28607d30edf65ae1

QuasarRAT

17a3a230d310ff684cf08306fe34d13c9505ac612942875a19c98b5d000119b0

QuasarRAT

2ea29fa9ad61f55762d2d1d3ce608c3fdfe4007802514042552293ce86af0454

QuasarRAT

7431f9ba6aec04eac9673c804378df129f167a06927649ec7aca9872fb15f14b

QuasarRAT

759650986713eaf7fe5021ead7a0994f33767c14b6a7caf1079379b087df21fe

QuasarRAT

9dfc0d127c1129cd943b1c6ea494a01b40b6b29656db9a44f3dc3231db127a0e

QuasarRAT

d478602bac8b8f334f06644dd92fbe60cbba6815ced96503c7aab4df6f305e77

QuasarRAT

fec56ffb3c5a61bffba235044da127eae17d9772dbd3817b8a5ce8cad0e93cb1

QuasarRAT

+ 87 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

84108c517600679b2a2f2402a6efbfbb97c8791e41c6f1e2f8b9927c9fdb334d

QuasarRAT

exe c2f70806a9fddb3ff61f045c92c48a19a0f889b839f68a2acd0e71e6c091499c

(this sample)

Dropped by

MD5 9096ac05ab3135283dc41c505f72e03f

Dropped by

MD5 3a0fe9e62ab89a8317fd21201bdf6cd6

Dropped by

GuLoader

Dropped by

SHA256 84108c517600679b2a2f2402a6efbfbb97c8791e41c6f1e2f8b9927c9fdb334d

Dropped by

SHA256 a53c4bcdccdde26be60d68afdb490d17b17b07b4f286685b4d1b847929b7732d

URLhaus

https://urlhaus.abuse.ch/url/336058/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample