MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dddf4ec4d813131cd65ab7386154db7ed9d63ce84e4704a5532e7aa22e624c58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dddf4ec4d813131cd65ab7386154db7ed9d63ce84e4704a5532e7aa22e624c58
SHA3-384 hash: bb76c22a41ebd8525eda24f1e06c045dec1a381b6078987b9fe4b1a231981b7542923b149a8ad6298447d6f00a6ea457
SHA1 hash: 4e3518b74b2ae236777986f27d45d8d70358256e
MD5 hash: cf118a2c4586551e6eae18e41b52842a
humanhash: four-moon-kitten-yellow
File name:cf118a2c4586551e6eae18e41b52842a.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:2'315'776 bytes
First seen:2024-11-06 15:42:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:a7ptnb2Lrccd46i8IfuCnAaYMXmJR1CfWmO9xbHRFV8HU:o92L+6i8IAZJ6+zDx/m
Threatray 916 similar samples on MalwareBazaar
TLSH T115B5236AB7C80F32C68D893BF0C7A5654B35F4A6E34FD70515480EFA4C13B994A92B93
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
413
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
88aef0191ee6c4a8de8c970cd3bbfd8e9528b35ffb39a5633280dfff48d4f1d9.zip
Verdict:
Suspicious activity
Analysis date:
2024-11-06 11:53:00 UTC
Tags:
arch-exec
Link:
https://app.any.run/tasks/897f62d1-a113-4194-80a3-b50e0b442da5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Msilheracles-10017859-0
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672b48898d23d90491343338
Tags:
smartassembly packed msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/672b8e9551b378dcb5a5ab4d/reports/79202691-f06b-4ba5-8f4d-2feb05d85711/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/dddf4ec4d813131cd65ab7386154db7ed9d63ce84e4704a5532e7aa22e624c58
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b13a6f2a-4636-441f-b991-dcb2801bbe37
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1550364
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1550364 Sample: GjNVpV53SR.exe Startdate: 06/11/2024 Architecture: WINDOWS Score: 100 35 goooooooool.com 2->35 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 10 other signatures 2->47 9 GjNVpV53SR.exe 2 2->9         started        12 shellhost.exe 2 2->12         started        14 shellhost.exe 2 2->14         started        signatures3 process4 signatures5 55 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->55 57 Injects a PE file into a foreign processes 9->57 16 GjNVpV53SR.exe 1 5 9->16         started        20 shellhost.exe 12->20         started        22 shellhost.exe 3 14->22         started        process6 file7 31 C:\Users\user\AppData\...\shellhost.exe, PE32 16->31 dropped 33 C:\Users\user\AppData\...behaviorgraphjNVpV53SR.exe.log, ASCII 16->33 dropped 39 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->39 24 shellhost.exe 2 16->24         started        signatures8 process9 signatures10 49 Multi AV Scanner detection for dropped file 24->49 51 Machine Learning detection for dropped file 24->51 53 Injects a PE file into a foreign processes 24->53 27 shellhost.exe 2 24->27         started        process11 dnsIp12 37 goooooooool.com 80.78.28.83, 1337, 49832, 49889 CYBERDYNELR Cyprus 27->37 59 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->59 61 Installs a global keyboard hook 27->61 signatures13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dddf4ec4d813131cd65ab7386154db7ed9d63ce84e4704a5532e7aa22e624c58
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dddf4ec4d813131cd65ab7386154db7ed9d63ce84e4704a5532e7aa22e624c58/
Threat name:
ByteCode-MSIL.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-11-06 10:35:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3xpu5rgycmjrzvs2w44gcvg3p3m5mphijzdqjjktfz5keltcjrma._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
02f0a7f184fcdaaa4d9a46ca29712c8daae0a46d2038bd362dc818025df8d553
QuasarRAT
1fea532c75a33209f094f835261b4f579613a7b2ece7f046a11309d34537f8d5
QuasarRAT
4e6e48275b1f3412edc045e1a81d509ddcfe360c06bdd4483fcd5b4fc77b7ef3
QuasarRAT
a2b66f9f80d2add5e7b13f9e75b6c964e53d7aa2e52065b469b83f7e7c31fa7c
QuasarRAT
b4a61a178dfda52928802e1189f3bf1bef1c03aecf6b6fc99d2a3713f3d5e202
QuasarRAT
b70b64872a21f338463d0e6b1f2a45bb186ad711317164192b64e54a19baef85
QuasarRAT
+ 906 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:ching-chong discovery spyware trojan
Link:
https://tria.ge/reports/241106-s5yv8stckq/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Quasar RAT
Quasar family
Quasar payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
goooooooool.com:1337
Verdict:
Malicious
Tags:
Win.Packed.Msilheracles-10017859-0
YARA:
n/a
Link:
https://app.threat.zone/submission/9d6cdc34-033e-436b-babb-92c2f2324530
Unpacked files
SH256 hash:
40c8b7ddf7e55ed44a053531a19caee8e1940657c14f8224ad493cfdae5f9621
MD5 hash:
9dac3c25551676ea6f5b601716c8226d
SHA1 hash:
d8fe0c78aebf22ba917db64ad1be85388e7fd9d3
Link:
https://www.unpac.me/results/c173628b-133d-4726-9084-215fe22b7ad7/
SH256 hash:
bc7ed8aa9360309ac6592209342538243b77a7c4acd0cb6644499c010c2decc6
MD5 hash:
34b5d653739ad15abdf09e6acd81980b
SHA1 hash:
7a747eb54042e74ed4734e59856792aee94096d4
Detections:
QuasarRAT
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
win_quasar_rat_client
Create hunting rule
win_quasarrat_j2
Create hunting rule
MALWARE_Win_QuasarStealer
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Link:
https://www.unpac.me/results/c173628b-133d-4726-9084-215fe22b7ad7/
SH256 hash:
6e1323f2f3b46e2c6ad758fa6585e6361cbb46f86d47b766d1a75263a6229d55
MD5 hash:
05d19f8cc9764523d945026540bb43e4
SHA1 hash:
777079831da207a78eecc61ec2181d2cfd7c23a2
Link:
https://www.unpac.me/results/c173628b-133d-4726-9084-215fe22b7ad7/
SH256 hash:
2e6e98b187ac0e55d4a94792d5eb43af5945e61593e3321661c63729c91e7a34
MD5 hash:
1ed1408b2c9c7683997296caf8e7641f
SHA1 hash:
5cb5b75b25ed67a486959dcae150e1fde2fc6de1
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/c173628b-133d-4726-9084-215fe22b7ad7/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/c173628b-133d-4726-9084-215fe22b7ad7/
SH256 hash:
642371655d896721f6cd1dc9853413398c34298ef9caecb0428864efdcde687d
MD5 hash:
5dc2b7030d1b0ca6c8926cd739453071
SHA1 hash:
3845a6b0fd5a115837058537e7ab3f1739b2b629
Link:
https://www.unpac.me/results/c173628b-133d-4726-9084-215fe22b7ad7/
SH256 hash:
dddf4ec4d813131cd65ab7386154db7ed9d63ce84e4704a5532e7aa22e624c58
MD5 hash:
cf118a2c4586551e6eae18e41b52842a
SHA1 hash:
4e3518b74b2ae236777986f27d45d8d70358256e
Link:
https://www.unpac.me/results/c173628b-133d-4726-9084-215fe22b7ad7/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments