MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c332f4d57dabe228b40ae4a6003b31647cb9241658b79f681680ff5f89d68be1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c332f4d57dabe228b40ae4a6003b31647cb9241658b79f681680ff5f89d68be1
SHA3-384 hash: ab9df713a36f69ba54612638179b63818da17e3943c1e33473d220778a45fc17c0e48cef2e1426e58bd3b175a383a984
SHA1 hash: e0d86c8c42d4d1225eee24dde5a1448b02707129
MD5 hash: 3033d164767ec699060e7a437da7e85c
humanhash: social-montana-violet-alaska
File name:LisectAVT_2403002C_1.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:2'113'350 bytes
First seen:2024-07-25 01:40:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYt:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YP
TLSH T145A5BE41A3DC82A1CE6A4372BA36DB219B777C692634F70E1ED83D7A3E723521518353
TrID 53.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
15.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.8% (.EXE) Win64 Executable (generic) (10523/12/4)
6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter Anonymous
Tags:exe QuasarRAT


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
212
Origin country :
CN CN
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Miner-7086570-0
Create hunting rule

Win.Packed.Autoit-7640561-0
Create hunting rule

Win.Malware.Carberp-9796259-0
Create hunting rule

Win.Packed.Generic-9830106-0
Create hunting rule

Win.Packed.QuasarRAT-10012744-0
Create hunting rule

Win.Malware.Generic-6623004-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.Generic.vh.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Restart of the analyzed sample
Launching a process
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process with a hidden window
Connection attempt
Sending an HTTP POST request
Sending an HTTP POST request to an infection source
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Setting a keyboard event handler
Running batch commands
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Query of malicious DNS domain
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm anti-vm autoit control crypto epmicrosoft_visual_cc evasive eventvwr eventvwr explorer fingerprint fingerprint infostealer keylogger keylogger lolbin lolbin microsoft_visual_cc overlay packed quasar quasarrat rat schtasks shell32 stealer stealer vermin xrat
Link:
https://www.filescan.io/uploads/66a1ad349149fd55f99033be/reports/60aa097c-b7a8-4b55-ad02-f8975ddb4e42/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AZORult, Quasar, Ramnit
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1481562
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c332f4d57dabe228b40ae4a6003b31647cb9241658b79f681680ff5f89d68be1
Detection:
quasar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c332f4d57dabe228b40ae4a6003b31647cb9241658b79f681680ff5f89d68be1/
Threat name:
Win32.Trojan.MoksSteal
Create hunting rule
Status:
Malicious
First seen:
2024-07-25 01:41:09 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
32 of 38 (84.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ymzpjvl5vprcrnak4staaozrmr6lsjawlc3z62awqd7v7cowrpqq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:quasar botnet:ebayprofiles discovery infostealer spyware trojan
Link:
https://tria.ge/reports/240725-b36pmatdpe/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Enumerates connected drives
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Azorult
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
http://0x21.in:8000/_az/
5.8.88.191:443
sockartek.icu:443
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f9e85ab1-9b93-4055-a394-82d0adf21526
Unpacked files
SH256 hash:
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
MD5 hash:
b4a202e03d4135484d0e730173abcc72
SHA1 hash:
01b30014545ea526c15a60931d676f9392ea0c70
Detections:
QuasarRAT
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
CN_disclosed_20180208_KeyLogger_1
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Quasar_RAT_2
Create hunting rule
Quasar
Create hunting rule
Vermin_Keylogger_Jan18_1
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
MALWARE_Win_QuasarRAT
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Quasar_RAT_1
Create hunting rule
xRAT_1
Create hunting rule
win_quasarrat_j1
Create hunting rule
Link:
https://www.unpac.me/results/e43815ab-e583-42a9-9976-ca910f0eff91/
Parent samples :
c332f4d57dabe228b40ae4a6003b31647cb9241658b79f681680ff5f89d68be1
ecb11a3ef61c5e48bc36f4dda326720913f71eeb26161e42c46b0b01cf4e8b3d
2c6ab1efe207f8a2f8528ce232dcd1e2ff0b0dd82c5b460f51457a7bf97f60d9
877106f8412be6c602573e6ece4b51e3dd4eaa33030946b9ae785ed9d19933a4
c9bff2976429c2bf5aaebb22ff100e6b11f6e60e2bd085463f1fa42a288c6618
3a4a38ed839a1f73825b8456fc1efa73a65a7af25ba3513472d05cfac5ecef78
SH256 hash:
eed4ab78bbfed9d213f8cbfc02d4e0ce3a7cd755c11563f8afbdfcd7d8646eee
MD5 hash:
1ca2b88730c44dc7ec6ae57c530d0c11
SHA1 hash:
d2705c7f663d34058e6f9a0f53ac00ead0bcb38a
Detections:
HVNC
Create hunting rule
HiddenVNC
Create hunting rule
crime_win32_hvnc_banker_gen
Create hunting rule
Link:
https://www.unpac.me/results/e43815ab-e583-42a9-9976-ca910f0eff91/
Parent samples :
c332f4d57dabe228b40ae4a6003b31647cb9241658b79f681680ff5f89d68be1
ecb11a3ef61c5e48bc36f4dda326720913f71eeb26161e42c46b0b01cf4e8b3d
2c6ab1efe207f8a2f8528ce232dcd1e2ff0b0dd82c5b460f51457a7bf97f60d9
877106f8412be6c602573e6ece4b51e3dd4eaa33030946b9ae785ed9d19933a4
c9bff2976429c2bf5aaebb22ff100e6b11f6e60e2bd085463f1fa42a288c6618
3a4a38ed839a1f73825b8456fc1efa73a65a7af25ba3513472d05cfac5ecef78
SH256 hash:
d450f677fa392721f94fddf9f54d67bacd4bb93716ad2be85acd1cfc057379f7
MD5 hash:
c15241ac2ec164aaa68f810a84a1471c
SHA1 hash:
8239a3c454419fb057cbfd879c1e9d4ba0e9515a
Detections:
HVNC
Create hunting rule
HiddenVNC
Create hunting rule
crime_win32_hvnc_banker_gen
Create hunting rule
Link:
https://www.unpac.me/results/e43815ab-e583-42a9-9976-ca910f0eff91/
Parent samples :
c332f4d57dabe228b40ae4a6003b31647cb9241658b79f681680ff5f89d68be1
ecb11a3ef61c5e48bc36f4dda326720913f71eeb26161e42c46b0b01cf4e8b3d
2c6ab1efe207f8a2f8528ce232dcd1e2ff0b0dd82c5b460f51457a7bf97f60d9
877106f8412be6c602573e6ece4b51e3dd4eaa33030946b9ae785ed9d19933a4
c9bff2976429c2bf5aaebb22ff100e6b11f6e60e2bd085463f1fa42a288c6618
3a4a38ed839a1f73825b8456fc1efa73a65a7af25ba3513472d05cfac5ecef78
SH256 hash:
4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
MD5 hash:
b8ba87ee4c3fc085a2fed0d839aadce1
SHA1 hash:
b3a2e3256406330e8b1779199bb2b9865122d766
Link:
https://www.unpac.me/results/e43815ab-e583-42a9-9976-ca910f0eff91/
SH256 hash:
c332f4d57dabe228b40ae4a6003b31647cb9241658b79f681680ff5f89d68be1
MD5 hash:
3033d164767ec699060e7a437da7e85c
SHA1 hash:
e0d86c8c42d4d1225eee24dde5a1448b02707129
Detections:
QuasarRAT
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
AutoIT_Compiled
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
Quasar_RAT_2
Create hunting rule
Quasar
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
SUSP_Imphash_Mar23_3
Create hunting rule
Quasar_RAT_1
Create hunting rule
win_quasarrat_j1
Create hunting rule
Link:
https://www.unpac.me/results/e43815ab-e583-42a9-9976-ca910f0eff91/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c332f4d57dab/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:malware_Quasar_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Description:Detects QuasarRAT malware
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_1
Create hunting rule
Author:@SOCRadar
Description:Detects Quasar RAT
Rule name:Quasar_RAT_1_RID2B54
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Description:Detects Quasar RAT
Rule name:Quasar_RAT_2_RID2B55
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:Windows_Trojan_Quasarrat_e52df647
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

Executable exe c332f4d57dabe228b40ae4a6003b31647cb9241658b79f681680ff5f89d68be1

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments