MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9549ad3ed734261a0029adbed59926fed150f14d0e44fb85fa583a9fe6327f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT
Vendor detections: 9

SHA256 hash: d9549ad3ed734261a0029adbed59926fed150f14d0e44fb85fa583a9fe6327f3
SHA3-384 hash: 79e2b284d2b097d28e546290dc51faa1c51a9419d8f28dec57a533d4b3058b2e25f3541d743e97b043a806f1a051e8d0
SHA1 hash: 7ec02657e55ae021720eff31e5b6cc6a9ad7f3ae
MD5 hash: f327a7c7345daf0200bc8700c02d4d1a
humanhash: lima-oxygen-cardinal-network
File name: d9549ad3ed734261a0029adbed59926fed150f14d0e44fb85fa583a9fe6327f3
Signature: QuasarRAT
File size: 2'110'792 bytes
First seen: 2020-11-06 10:53:49 UTC
Last seen: 2020-11-07 16:56:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep: 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYh:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yr
Threatray: 336 similar samples on MalwareBazaar
TLSH: C9A5BE41A3DC82A1CE6A4372BA36DB219B777C692634F70E1ED83D7A3E723521518353
Reporter: seifreed
Tags: QuasarRAT

Intelligence

File Origin
# of uploads: 2
# of downloads: 75
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Using the Windows Management Instrumentation requests
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Setting a keyboard event handler
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Connection attempt to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AZORult Quasar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Contains functionality to inject code into remote processes
Contains VNC / remote desktop functionality (version string found)
Detected AZORult Info Stealer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Quasar RAT
Behaviour
Behavior Graph (ID 310783; sample 1ko2V6oGae; start date 06/11/2020; architecture WINDOWS; score 100)
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 15 other signatures.
Process tree (rebuilt from the flattened graph; child processes are indented under their parent):
- 1ko2V6oGae.exe
    dropped: C:\Users\...\SystemPropertiesPerformance.exe (PE32); C:\Users\user\AppData\Local\Temp\vnc.exe (PE32)
    signatures: Detected AZORult Info Stealer; Binary is likely a compiled AutoIt script file; Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
    - windef.exe
        network: ip-api.com (208.95.112.1, ports 49730, 49732, 80; TUT-ASUS, United States)
        dropped: C:\Users\user\AppData\Roaming\...\winsock.exe (PE32)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
        - winsock.exe
            network: sockartek.icu; 192.168.2.1 (unknown); ip-api.com
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
            - cmd.exe (signature: Uses ping.exe to sleep)
                - conhost.exe
                - chcp.com
                - PING.EXE
                - winsock.exe
            - schtasks.exe
                - conhost.exe
            - WerFault.exe
        - schtasks.exe
            - conhost.exe
    - vnc.exe
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
        - svchost.exe
            network: 5.8.88.191 (ports 443, 8080; KOMETA-ASRU, Russian Federation)
    - 1ko2V6oGae.exe
        network: 0x21.in
    - schtasks.exe
        - conhost.exe
- SystemPropertiesPerformance.exe
    dropped: C:\Users\user\AppData\Local\Temp\windef.exe (PE32)
    signatures: Antivirus detection for dropped file
    - SystemPropertiesPerformance.exe
        network: 0x21.in
    - vnc.exe
        - svchost.exe
    - schtasks.exe
        - conhost.exe
    - windef.exe
- windef.exe
Threat name: Win32.Trojan.Pincav
Status: Malicious
First seen: 2020-10-27 02:34:43 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5

Result
Malware family: azorult
Score: 10/10
Tags: family:azorult infostealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Enumerates connected drives
Looks up external IP address via web service
Maps connected drives based on registry
Loads dropped DLL
Executes dropped EXE
ServiceHost packer
Azorult
Malware Config
C2 Extraction: http://0x21.in:8000/_az/
Unpacked files
SHA256 hash: d9549ad3ed734261a0029adbed59926fed150f14d0e44fb85fa583a9fe6327f3
MD5 hash: f327a7c7345daf0200bc8700c02d4d1a
SHA1 hash: 7ec02657e55ae021720eff31e5b6cc6a9ad7f3ae

SHA256 hash: 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
MD5 hash: b8ba87ee4c3fc085a2fed0d839aadce1
SHA1 hash: b3a2e3256406330e8b1779199bb2b9865122d766

SHA256 hash: 0fe774d249d7c3093dd6b8de1c9c045f6efd4553710d877828e871e1be0e54f4
MD5 hash: 8246d054df8814106a8c11ae6df1e946
SHA1 hash: 8e9e84bd726fd9042fb99139b8c7dd00fccdc0a2

Detections: win_azorult_g1 win_azorult_auto
Parent samples:
Please note that MalwareBazaar is no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE).

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: crime_win32_hvnc_banker_gen
Author: @VK_Intel
Description: Detects malware banker hidden VNC
Reference: https://twitter.com/VK_Intel/status/1247058432223477760

Rule name: crime_win32_hvnc_zloader1_hvnc_generic
Author: @VK_Intel
Description: Detects Zloader hidden VNC
Reference: https://twitter.com/malwrhunterteam/status/1240664014121828352

Rule name: HiddenVNC
Author: @bartblaze
Description: Identifies HiddenVNC, which can start remote sessions.

Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: MAL_QuasarRAT_May19_1
Author: Florian Roth
Description: Detects QuasarRAT malware
Reference: https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name: MSILStealer
Author: https://github.com/hwvs
Description: Detects strings from C#/VB Stealers and QuasarRat
Reference: https://github.com/quasar/QuasarRAT

Rule name: Quasar
Author: JPCERT/CC Incident Response Group
Description: detect QuasarRAT in memory

Rule name: Quasar_RAT_1
Author: Florian Roth
Description: Detects Quasar RAT
Reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name: Quasar_RAT_2
Author: Florian Roth
Description: Detects Quasar RAT
Reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Other