MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6031bb15fd16cac9b514985035e18f08f0beaaa0542a66274467cb66e76a8fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6031bb15fd16cac9b514985035e18f08f0beaaa0542a66274467cb66e76a8fd
SHA3-384 hash: a06821be993f4c95a6d103622372025cc859994f24186cd400274696046bbc038d0d8f5a23a5cee46bd39c86f3fcfcd7
SHA1 hash: 029109f3e5956c873207c6c4e85339b4ae13aba5
MD5 hash: 00696c885b4edd39dc7def77f57a400c
humanhash: delaware-princess-five-quebec
File name:d6031bb15fd16cac9b514985035e18f08f0beaaa0542a66274467cb66e76a8fd
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:2'110'632 bytes
First seen:2020-06-10 07:32:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYt:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YL
Threatray 530 similar samples on MalwareBazaar
TLSH 4BA5BE41A3DC82A1CE6A4372BA36DB219B777C692634F70E1ED83D7A3E723521518353
Reporter JAMESWT_WT
Tags:QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Generic-6623004-0
Create hunting rule

Win.Dropper.Miner-7086570-0
Create hunting rule

Win.Packed.Autoit-7640561-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.Generic.vh.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Hacktool.AutoInject
Create hunting rule
Status:
Malicious
First seen:
2020-06-04 07:29:22 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
25 of 28 (89.29%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ybrxmk72fwkzg2rjgcqgxqy6chqx2vkavbkmytuiz6lm3twvd6q._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
0fadb9fa2742735b1d7001fd5511627318e45fc51d8798f5b9f4bb20cfbd70e8
QuasarRAT
1f6a8fd32a14dd74a23ad8e588d3543120b254290283d6092693d564ea0fc265
QuasarRAT
25a419f3b2963cf24fda8824b538b67dc73fd2e4d32e73cd5bfdf935c61769dd
QuasarRAT
26cb425375a7613736c367866d0b79b8b7d8845437ec88e87bc83146445f892e
QuasarRAT
40ac8e128b78d30d49accda865a6ca90a23cf7b7e5f31042c7df55a9fe1b5af4
QuasarRAT
764e98acd8f742f4037570abd1aa19d8acf37e22691159f2ab3e380b76437fff
QuasarRAT
b29a1b48648aacf2fe60861692bd0991cf226956ea986b687972667496e1d7d7
QuasarRAT
b3d36e86a478b5223968e34ca51bff54002eb9b1a01ef26d8b657d49dd4dd831
QuasarRAT
e2d6b8bc603260f1a7564a044523d230c31c8d873deabb579cae90b88f1b92b9
QuasarRAT
e99398f753e61710eaea626dc778a19fc47a34f103b5ff1daaa0d7ad7f6432c4
QuasarRAT
+ 520 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer trojan
Link:
https://tria.ge/reports/201109-ea3sdrf1ae/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Enumerates connected drives
Looks up external IP address via web service
Maps connected drives based on registry
Loads dropped DLL
Executes dropped EXE
ServiceHost packer
Azorult
Malware Config
C2 Extraction:
http://0x21.in:8000/_az/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MSILStealer
Create hunting rule
Author:https://github.com/hwvs
Description:Detects strings from C#/VB Stealers and QuasarRat
Reference:https://github.com/quasar/QuasarRAT
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments