MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d578e84710ae7aa7b442850b6ee9e3420b543602e5971acb5ccbf440f3c6c726. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 8 File information Comments

SHA256 hash:	d578e84710ae7aa7b442850b6ee9e3420b543602e5971acb5ccbf440f3c6c726
SHA3-384 hash:	37ca9bcd46f81280d55134ea82c35a53cc813d3aa730aea4904928bf5ea9c7504434541c3ebadddab73dbcbea0ba7a87
SHA1 hash:	30576b2c74702aa9ef8fdb89a94ba5c23f78671a
MD5 hash:	a678a2bde01d18e95da0556bde248ef2
humanhash:	idaho-hot-six-winter
File name:	a678a2bde01d18e95da0556bde248ef2.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	1'041'408 bytes
First seen:	2022-07-31 13:10:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:zQvumheazyPotqSmMYZ9uQjcUvecPJaweosjt0mvM5ShUcnqbtzaAJaNtoMKLPKS:zQvumhWQmX2cPMNoOjn7qbcNFKLPN
Threatray	2'704 similar samples on MalwareBazaar
TLSH	T197255B9D725072CFC86BCC76CAA91C64EBA0757B830BD287946315EC9A4D99BCF140F2
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe QuasarRAT RAT

abuse_ch

QuasarRAT C2:
173.234.155.109:4782

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
173.234.155.109:4782	https://threatfox.abuse.ch/ioc/840580/

Intelligence

File Origin

# of uploads :

# of downloads :

363

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/295344/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.38534.12628.26454.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

DNS request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Unauthorized injection to a recently created process

Creating a file

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

fareit packed wacatac

Link:

https://www.filescan.io/uploads/62e67fa35c07b66577e0bf9c/reports/5863ed26-472a-4627-9fa8-4aa19f9c7a1b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0919ad2b-e0ee-42cc-b1cd-ff873ce76096

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1043755

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d578e84710ae7aa7b442850b6ee9e3420b543602e5971acb5ccbf440f3c6c726/

Threat name:

ByteCode-MSIL.Trojan.RealProtect

Status:

Malicious

First seen:

2022-07-03 16:59:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 26 (96.15%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2v4oqryqvz5kpnccqufw52pdiifvinqc4wlrvs24zp2eb46gy4ta._file

Verdict:

malicious

QuasarRAT

1a653abe4b7712e10fd1b60ab8a3d6a5dd4819a6102c02cca5f0664127035486

QuasarRAT

44ab3d116f6c6318067f89ccb838b5198b6544469ec27557ca1de3655a6ceb96

QuasarRAT

56d092c2d8c927f25843226203655bf07c46845fb927d7d2640120862989bfdf

QuasarRAT

5b6d5819cc000436777cda63e9022fdd19b15a91451c7b8c4608db9fcf3d359c

QuasarRAT

bf94ae3815c7d2790667030ff2322157d3b8589b55286f74c875c46f4339fa55

QuasarRAT

ef0bc6b3030d77e348677e8f91644d09e59544a486a1b1767132ee20bce469af

QuasarRAT

+ 2'694 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar botnet:officeserver2022 spyware trojan

Link:

https://tria.ge/reports/220731-qext5sffb9/

Behaviour

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Quasar RAT

Quasar payload

Malware Config

C2 Extraction:

173.234.155.109:4782

Unpacked files

SH256 hash:

9d71a41cd2172aaf98613a5a6901ede6fb30ddea6720e46bea16b6df35f01e3c

MD5 hash:

7681129878879d46f9ebf2a8e43e1df6

SHA1 hash:

649f7672754897ece7e4c71d144ae9706943c069

Link:

https://www.unpac.me/results/cf1660d0-d9f7-4bba-a703-511a5d4d4570/

SH256 hash:

79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696

MD5 hash:

39f524c1ab0eb76dfd79b2852e5e8c39

SHA1 hash:

428018e1701006744e34480b0029982a76d8a57d

Link:

https://www.unpac.me/results/cf1660d0-d9f7-4bba-a703-511a5d4d4570/

SH256 hash:

e1a062e41400b32590f72659450aa6c6b817ce59e02e9ba7f1ffe51e40f8c1b7

MD5 hash:

eba0cb7920c42e4efccedc1234e414bc

SHA1 hash:

034b457c21f127ab865c49cfbe5ae28083ac21fc

Link:

https://www.unpac.me/results/cf1660d0-d9f7-4bba-a703-511a5d4d4570/

SH256 hash:

d578e84710ae7aa7b442850b6ee9e3420b543602e5971acb5ccbf440f3c6c726

MD5 hash:

a678a2bde01d18e95da0556bde248ef2

SHA1 hash:

30576b2c74702aa9ef8fdb89a94ba5c23f78671a

Link:

https://www.unpac.me/results/cf1660d0-d9f7-4bba-a703-511a5d4d4570/

Malware family:

xRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d578e84710ae/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d578e84710ae7aa7b442850b6ee9e3420b543602e5971acb5ccbf440f3c6c726

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	MALWARE_Win_QuasarStealer Create hunting rule
Author:	ditekshen
Description:	Detects Quasar infostealer

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	MAL_QuasarRAT_May19_1_RID2E1E Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Vermin_Keylogger_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Vermin Keylogger
Reference:	https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/295344/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample