MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1769c69f1e4ea60bf17e10853d24d83941b132ff80026a9af50f0e243564629. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1769c69f1e4ea60bf17e10853d24d83941b132ff80026a9af50f0e243564629
SHA3-384 hash: 94ebd181a9dea2ea2e4dd10bcfb523c822c012fa3f97b7097cbae8b20504fdd206e37cdb9c6c03266e35e1c522fcfb4c
SHA1 hash: f4f59eb9d0def6a7222a816573dbabdf120ecfd1
MD5 hash: 40c9e4bc9c5a61f468c184a47d7886c3
humanhash: sodium-autumn-shade-nebraska
File name:SecuriteInfo.com.W32.AIDetectNet.01.21880.168
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:125'440 bytes
First seen:2022-08-25 06:30:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:OrZvZtCXykEqh2WB5EBv//aNl6QUC+0e3iCekyTsBk67q//jn1SRayhlox:ytCi6gWBiBXyD6QUC+FAjCh+x
Threatray 195 similar samples on MalwareBazaar
TLSH T102C3A496A64FCA53C441433B8BD6A8074124AEF34C03B57EE84933FD19F3FE599546A8
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon ccc6b4e8ecb6b0f4 (1 x QuasarRAT)
Reporter SecuriteInfoCom
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetectNet.01.21880.168
Verdict:
Malicious activity
Analysis date:
2022-08-25 06:36:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/038a771a-2e5a-441f-aac9-dfe45645fa4a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301017/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.21880.168.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6307176bc9bbd9909791defd/reports/bbb2cd5b-89be-49f6-bee5-27e77e217346/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2efd4db5-5191-4b2c-9cf5-2352b7f85eb3
Result
Threat name:
AsyncRAT, Clipboard Hijacker, Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1057457
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to hide user accounts
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Clipboard Hijacker
Yara detected Generic Downloader
Yara detected Quasar RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 689974 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 25/08/2022 Architecture: WINDOWS Score: 100 62 Snort IDS alert for network traffic 2->62 64 Multi AV Scanner detection for domain / URL 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 15 other signatures 2->68 9 SecuriteInfo.com.W32.AIDetectNet.01.21880.exe 16 7 2->9         started        14 Uutvn.exe 14 3 2->14         started        16 Uutvn.exe 2->16         started        process3 dnsIp4 60 147.124.209.112, 49716, 49730, 49734 AC-AS-1US United States 9->60 48 C:\Users\user\AppData\Roaming\...\Uutvn.exe, PE32 9->48 dropped 50 C:\Users\user\...\Uutvn.exe:Zone.Identifier, ASCII 9->50 dropped 52 SecuriteInfo.com.W...et.01.21880.exe.log, ASCII 9->52 dropped 74 Encrypted powershell cmdline option found 9->74 76 Writes to foreign memory regions 9->76 78 Injects a PE file into a foreign processes 9->78 18 MSBuild.exe 14 13 9->18         started        23 MSBuild.exe 9->23         started        25 powershell.exe 18 9->25         started        80 Machine Learning detection for dropped file 14->80 file5 signatures6 process7 dnsIp8 54 ip-api.com 208.95.112.1, 49728, 80 TUT-ASUS United States 18->54 56 pastebin.com 104.20.67.143, 443, 49729 CLOUDFLARENETUS United States 18->56 58 192.168.2.1 unknown unknown 18->58 46 C:\Users\user\AppData\Roaming\updater.exe, PE32 18->46 dropped 70 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->70 27 cmd.exe 1 18->27         started        30 updater.exe 2 18->30         started        72 May check the online IP address of the machine 23->72 32 conhost.exe 25->32         started        file9 signatures10 process11 signatures12 82 Uses ping.exe to sleep 27->82 84 Uses ping.exe to check the status of other devices and networks 27->84 34 MSBuild.exe 27->34         started        36 conhost.exe 27->36         started        38 chcp.com 1 27->38         started        40 PING.EXE 27->40         started        42 conhost.exe 30->42         started        process13 process14 44 conhost.exe 34->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1769c69f1e4ea60bf17e10853d24d83941b132ff80026a9af50f0e243564629/
Threat name:
ByteCode-MSIL.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2022-08-25 06:31:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
9 of 26 (34.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2f3jy2pr4tvgbpyx4eefhusnqokbwezp7aacnknpkdyoeq2wiyuq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
245487e656fbcf24e02ed26ab3af808023d27b4a0e676ec82cc5397208ba4d40
QuasarRAT
32bf6a730cca597011b8e619bad0168190337b8e96db09e2fe214b436d8f2f69
QuasarRAT
47f55d901f3a0fcc649afa6e44bd4307fffd877ac92a33fde21992a93e54b27d
QuasarRAT
4b08ecf8154c2aec9f610d64a7f86adcd35c42211c0b30e1ded43f05b64a5bd2
QuasarRAT
5d8823c74c9bd0d2b25fd7d4443d4652cb92c2513c6e5e339884619052672880
QuasarRAT
7fa160e2ee00bd1ace890c6761f0bb81ea43a8937dffb003229dd4b232027a6b
QuasarRAT
8bc03680f98a99ea21d78a4a132be678f848a7209efa0656123745fba54fae03
QuasarRAT
b988c0f23891eb55f3c66c0409aa327da666d9b084d309e1d8907976c36027ed
QuasarRAT
ef4292a933e33418776d69b89f4cba6fc5acb974eccebd852c0d31cc16161dcc
QuasarRAT
+ 185 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:venom client persistence spyware trojan
Link:
https://tria.ge/reports/220825-g92xxahgd2/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
darwin22.ddns.net:4782
Unpacked files
SH256 hash:
d1769c69f1e4ea60bf17e10853d24d83941b132ff80026a9af50f0e243564629
MD5 hash:
40c9e4bc9c5a61f468c184a47d7886c3
SHA1 hash:
f4f59eb9d0def6a7222a816573dbabdf120ecfd1
Link:
https://www.unpac.me/results/c7918251-2424-467a-9d6c-72a38bace444/
Malware family:
xRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d1769c69f1e4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/d1769c69f1e4ea60bf17e10853d24d83941b132ff80026a9af50f0e243564629

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/301017/

Comments