MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cccbae1f5f6c7792c6a54cc84fff79dbdd24f1e9b54527143316541d7375aee5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cccbae1f5f6c7792c6a54cc84fff79dbdd24f1e9b54527143316541d7375aee5
SHA3-384 hash: 8eea326e9253d7b3db25b912d3fd88c466a3a90a655509689c9cc2a1a5e80af72ebc0eab5b8dbb6635edbba21735d961
SHA1 hash: 1a92c6fd729b7a5d864a9fcc99c07b8edabf06a3
MD5 hash: b6d96813a4a0aaa4749f4f3643cf50d2
humanhash: hydrogen-william-carpet-carolina
File name:b6d96813a4a0aaa4749f4f3643cf50d2.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:656'384 bytes
First seen:2021-08-07 06:35:27 UTC
Last seen:2021-08-07 08:14:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:k2XhbUIb4tvvg/2SsajramsSZW9RdWUT5ug8+Xu5+GZH2U:hpU/t82SsaLsWdUT55+5rZH2U
Threatray 289 similar samples on MalwareBazaar
TLSH T1B4D47A909EEFCECEC2AF723FA01A0D9215DED3164787A2D58B065E30B3845239D561E7
dhash icon 0cd2c1c4d0c1f20c (18 x AsyncRAT, 9 x QuasarRAT, 8 x RedLineStealer)
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
QuasarRAT C2:
91.109.180.10:5490

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.109.180.10:5490 https://threatfox.abuse.ch/ioc/165999/

Intelligence

File Origin
# of uploads :
2
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b6d96813a4a0aaa4749f4f3643cf50d2.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-07 06:36:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ee63926c-5a8d-4962-b65a-19c989738521

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177125/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Seraph.ac.12134.26960.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0bf1b8f4-8bae-4db6-8c5f-a53ced0c9eb0
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828579
Signature
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 461010 Sample: 69vQIi0V4Q.exe Startdate: 07/08/2021 Architecture: WINDOWS Score: 100 84 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 Multi AV Scanner detection for submitted file 2->88 90 4 other signatures 2->90 8 NVA.exe 5 2->8         started        12 69vQIi0V4Q.exe 1 7 2->12         started        14 NVA.exe 2 2->14         started        process3 file4 48 C:\Users\user\AppData\Local\Temp48VA.exe, PE32 8->48 dropped 50 C:\Users\user\...50VA.exe:Zone.Identifier, ASCII 8->50 dropped 92 Machine Learning detection for dropped file 8->92 94 Writes to foreign memory regions 8->94 96 Injects a PE file into a foreign processes 8->96 16 NVA.exe 14 4 8->16         started        52 C:\Users\user\AppData\...\69vQIi0V4Q.exe, PE32 12->52 dropped 54 C:\Users\user\AppData\Local54VA.exe, PE32 12->54 dropped 56 C:\Users\...\69vQIi0V4Q.exe:Zone.Identifier, ASCII 12->56 dropped 58 2 other malicious files 12->58 dropped 20 69vQIi0V4Q.exe 12->20         started        22 69vQIi0V4Q.exe 15 2 12->22         started        24 NVA.exe 14->24         started        signatures5 process6 dnsIp7 60 50.16.216.118, 443, 49765, 49768 AMAZON-AESUS United States 16->60 62 nagano-19599.herokussl.com 16->62 64 api.ipify.org 16->64 76 May check the online IP address of the machine 16->76 78 Machine Learning detection for dropped file 16->78 80 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->80 26 cmd.exe 16->26         started        66 tools.keycdn.com 185.172.148.96, 443, 49748, 49764 PROINITYPROINITYDE Germany 22->66 68 societyf500.ddns.net 91.109.180.10, 49746, 49762, 49766 IELOIELOMainNetworkFR France 22->68 70 3 other IPs or domains 22->70 72 2 other IPs or domains 24->72 82 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->82 29 cmd.exe 24->29         started        signatures8 process9 signatures10 98 Uses ping.exe to sleep 26->98 100 Uses ping.exe to check the status of other devices and networks 26->100 31 PING.EXE 26->31         started        34 conhost.exe 26->34         started        36 chcp.com 26->36         started        38 NVA.exe 26->38         started        40 conhost.exe 29->40         started        42 chcp.com 29->42         started        44 PING.EXE 29->44         started        46 NVA.exe 29->46         started        process11 dnsIp12 74 192.168.2.1 unknown unknown 31->74
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cccbae1f5f6c7792c6a54cc84fff79dbdd24f1e9b54527143316541d7375aee5/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-08-07 06:36:14 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ztf24h27nr3zfrvfjtee773z3posj4pjwvcsofbtczkb243vv3sq._file
Verdict:
unknown
Similar samples:
0de691a91c2cce2b647aafa0fc5abdbfb84e2a91cda8ff93f4f85f2385007901
QuasarRAT
2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03
QuasarRAT
41576a4ea5b8e1d0c9a1ca017e2a5265c1d7ae9e32f2327871e8f9acc6219fa3
QuasarRAT
8abaa16d8c8878bea5bc52bd5f80500333df51ee8e3212899abafd9d299131fd
QuasarRAT
b04306fa8223c20a1abaaa6aeb5cabb2a83dc04337beb2acfd47784b34b682bc
QuasarRAT
da805e8b0f86bcc67aeeb038fc69ef5551b4de2b22105aef39d534e051f57d4a
QuasarRAT
+ 279 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office04w persistence spyware suricata trojan
Link:
https://tria.ge/reports/210807-7fljlc4nqn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Quasar Payload
Quasar RAT
suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
Malware Config
C2 Extraction:
societyf500.ddns.net:5490
Unpacked files
SH256 hash:
9b7a5988387a15c6bc0ddfda72d761e983e2cc0621851a9ae7b6ddb936768c2e
MD5 hash:
e99db28442a5f993134913686d4ccbe9
SHA1 hash:
ffa83676afcbecee18e9c6d727b52be39df72e1f
Link:
https://www.unpac.me/results/2670166f-f1ca-4cf4-828b-1533b0924dc8/
SH256 hash:
8efab25b544e1a3a84d59ba4763b37d196e26f1d2d9a6ee57ebd27d045a36d51
MD5 hash:
8bc15f25301a685167e7b19ca06d34b4
SHA1 hash:
9832f75c07ac9ffadc7b07debe6dfd6374ed4c1b
Link:
https://www.unpac.me/results/2670166f-f1ca-4cf4-828b-1533b0924dc8/
SH256 hash:
72c5742e9a615b536bcb0fdbf9d1c92f7c4ac87f3993d9c2603ab5574c947964
MD5 hash:
e89f8f9ddba3f733b7fbc08b9ab16e2c
SHA1 hash:
6eee187ac1d9b65cc10cb0ccbce60e45812f29d1
Link:
https://www.unpac.me/results/2670166f-f1ca-4cf4-828b-1533b0924dc8/
SH256 hash:
cccbae1f5f6c7792c6a54cc84fff79dbdd24f1e9b54527143316541d7375aee5
MD5 hash:
b6d96813a4a0aaa4749f4f3643cf50d2
SHA1 hash:
1a92c6fd729b7a5d864a9fcc99c07b8edabf06a3
Link:
https://www.unpac.me/results/2670166f-f1ca-4cf4-828b-1533b0924dc8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cccbae1f5f6c7792c6a54cc84fff79dbdd24f1e9b54527143316541d7375aee5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe cccbae1f5f6c7792c6a54cc84fff79dbdd24f1e9b54527143316541d7375aee5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1392911/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/177125/

Comments