MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccb7e7ea08121c1d3d37739b4273e750843fe2296d24ae69a8efb686adbf53c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	ccb7e7ea08121c1d3d37739b4273e750843fe2296d24ae69a8efb686adbf53c3
SHA3-384 hash:	02785093803946700297ca9bb6d1590f1aa45b9d1cd26ed445633e4ad3ffd57e463c97196bde529d4ff5a412c31d93ad
SHA1 hash:	22fda11e61907085116beaf4a7ec029b2ebdb502
MD5 hash:	1befdf3eb631dea2820b51bfc888ca59
humanhash:	july-indigo-zebra-william
File name:	1befdf3eb631dea2820b51bfc888ca59.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	148'237 bytes
First seen:	2020-05-13 06:59:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	3072:TgenVDGgVRM2SGxVxQjXX/eLwRgPy62BE7xRD4F1x0v2GKc5JS:UenVL03GPWjaFlBYl45Q
Threatray	126 similar samples on MalwareBazaar
TLSH	E0E312C0E9DCA5B1C8F923B193F717C18219C013D7AA15F0E6D65D489CCF5E52B9A38A
Reporter	abuse_ch
Tags:	exe QuasarRAT RAT

Intelligence

File Origin

# of uploads :

1

# of downloads :

103

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Generic-6898100-0

Win.Packed.Passwordstealera-7544296-0

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Quasar

Status:

Malicious

First seen:

2020-05-11 11:11:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

3

AV detection:

28 of 31 (90.32%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zs36p2qiciob2pjxoonue47hkccd7yrjnusk42ni563inln7kpbq._file

Verdict:

unknown

Similar samples:

4ece7a3cd6313c022ce3d30028a8af4f4f4da6a35efcddb8136b4bb5520fdb21

5c16a29cf3c297635c1d40f3c26e85a147f6c9a1de2fb1dfe9836a3c3b547057

73a8ad379a2f6efec0754119102727765066db33a4f8b4a0aed21608bdb0cdfd

77146703fc5c722e50ccc571bcfcf55278f5cc86574f4b470ed382bf66447945

7de9a92068f5d5e76df10e9ea374223cc643bd7e48a6ca774f8017aa5e1ee0c8

9068f4fcfd2aa78ed5130d7af1f70bafe3388d3443991c372cb430bb64eb9a82

9bdea75678155f51df05070d28789a92296f5727a77ea232500b06beb2debd4d

e4b9d743c8ae9db1c7232c68e57d98efb5906a00b00ad5d9ab105ef1695de7c8

e9f48ee07c060bd829f28387a16c8eba4ef1d2fb475fc03a09d944cc858b77fb

f60a52512773b52def9ba9ce8aad61144d2cf351f6bc04d1c5a13abef8f3b89b

+ 116 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/201109-hqmbxqr1fs/

Behaviour

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops autorun.inf file

Drops file in System32 directory

Adds Run key to start application

Looks up external IP address via web service

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample