MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df8d26f897c26aa4051e4ed01b4b747a3cd0db41d1818726ea63fabfef008a00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 11 File information Comments

SHA256 hash:	df8d26f897c26aa4051e4ed01b4b747a3cd0db41d1818726ea63fabfef008a00
SHA3-384 hash:	771fdc107e1405d9b42f5b8777479f94fb5090ba7467c8939bda362f2d79b106c1acede0ea251e569f9919b3edaa69a4
SHA1 hash:	b239a332a29817afafa1a9ec31e7f0426e9f1048
MD5 hash:	0349d15dd557355e2ebd5ce6e0032946
humanhash:	blossom-tennessee-may-oven
File name:	svchost_PROTECTED.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	1'305'616 bytes
First seen:	2021-06-11 15:41:04 UTC
Last seen:	2021-06-11 16:50:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep	24576:wyU7UvkIVMT5YeDDpAgRLKf6eg6ZkivFxgTSFaZ+QemQEU3FnK+O8:wfwvkxFDDpAgRxB+kUFa2FaZ+Q3Quq
Threatray	2 similar samples on MalwareBazaar
TLSH	9D55334AAAD8D0D9F789C5F2255AE9A3C1F86FA3AFCFCC7601CF924476D914613018D8
Reporter	r3dbU7z
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

232

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

svchost_PROTECTED.exe

Verdict:

Malicious activity

Analysis date:

2021-06-11 15:45:29 UTC

Tags:

trojan rat quasar

Link:

https://app.any.run/tasks/6730257f-c459-4d42-a966-e073977a6fa7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

QuasarStealer

Link:

https://www.capesandbox.com/analysis/166162/

Detection(s):

PUA.Win.Packer.EnigmaProtector-19

PUA.Win.Packer.EnigmaProtector-1

PUA.Win.Packer.EnigmaProtector-9852682-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Launching a process

Enabling the 'hidden' option for analyzed file

Creating a process from a recently created file

Creating a file

Sending a UDP request

Enabling autorun by creating a file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Quasar RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/638da012-abd5-4407-b0f0-088cbe4c7402

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/800974

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Drops PE files with benign system names

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

PE file has nameless sections

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Sigma detected: Schedule system process

Sigma detected: Suspect Svchost Activity

Sigma detected: Suspicious Svchost Process

Sigma detected: System File Execution Location Anomaly

System process connects to network (likely due to code injection or exploit)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/df8d26f897c26aa4051e4ed01b4b747a3cd0db41d1818726ea63fabfef008a00/

Threat name:

Win32.Trojan.Quasar

Status:

Malicious

First seen:

2021-06-11 15:41:08 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=36gsn6exyjvkibi6j3ibws3upi6nbw2b2gayojxkmp5l73yariaa._file

Verdict:

malicious

QuasarRAT

50c1c541f9daea24b578ac94fd709b1214207a38cbc2ba3b36b2b0e81d0e4ee1

QuasarRAT

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/210611-n5amr6lm46/

Behaviour

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Looks up external IP address via web service

Loads dropped DLL

Executes dropped EXE

Unpacked files

SH256 hash:

df8d26f897c26aa4051e4ed01b4b747a3cd0db41d1818726ea63fabfef008a00

MD5 hash:

0349d15dd557355e2ebd5ce6e0032946

SHA1 hash:

b239a332a29817afafa1a9ec31e7f0426e9f1048

Link:

https://www.unpac.me/results/4351d895-9a95-443b-8802-04581c3f49e6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/df8d26f897c26aa4051e4ed01b4b747a3cd0db41d1818726ea63fabfef008a00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	EnigmaStub Create hunting rule
Author:	@bartblaze
Description:	Identifies Enigma packer stub.

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MALWARE_Win_QuasarStealer Create hunting rule
Author:	ditekshen
Description:	Detects Quasar infostealer

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	pe_imphash Create hunting rule

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_smominru_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/166162/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample