MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e71ad815cd54594816cf7b66db9418eeab73bbc0b67f6ff22d45f7383418a001. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e71ad815cd54594816cf7b66db9418eeab73bbc0b67f6ff22d45f7383418a001
SHA3-384 hash: a0031648fcce597eedb9c8e0e297063941cefa676cab9663ddc92b45c902eb34f670b62421748d9bca496818ab52a4dc
SHA1 hash: 518a53e34aef6bc34d6e21574a15087a99ed43b8
MD5 hash: a9c65aeada0779aab074784a9189cfe1
humanhash: red-louisiana-winter-colorado
File name:a9c65aeada0779aab074784a9189cfe1.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'327'542 bytes
First seen:2023-03-06 11:35:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 24576:FNA3R5drX5VWeDXvSER3eQLykNy12n8aPAz5MAXet6rD2:w5flqEhUsnBPEjeory
Threatray 740 similar samples on MalwareBazaar
TLSH T12F55E136F3CD2373C6F20239BA16E589F229E06427167E5B734A805BD276850C37B6D6
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon ecd292d2ecd2d2de (3 x QuasarRAT)
Reporter abuse_ch
Tags:exe QuasarRAT RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
a9c65aeada0779aab074784a9189cfe1.exe
Verdict:
Malicious activity
Analysis date:
2023-03-06 11:40:57 UTC
Tags:
evasion quasar
Link:
https://app.any.run/tasks/53040b32-fd0e-4390-8a50-6285f22e612b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/371940/
Detection(s):
SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Launching a process
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
80%
Tags:
confuserex greyware net overlay packed packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6405d02703b144271569e7fc/reports/f6704fad-fe90-43dd-aa86-647af212d4ea/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/e71ad815cd54594816cf7b66db9418eeab73bbc0b67f6ff22d45f7383418a001
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cb3c6dc7-4131-49a6-bc0f-0169c810ffe4
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1188175
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 821054 Sample: WjoZJP0T67.exe Startdate: 06/03/2023 Architecture: WINDOWS Score: 100 83 Snort IDS alert for network traffic 2->83 85 Multi AV Scanner detection for domain / URL 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 6 other signatures 2->89 10 WjoZJP0T67.exe 7 2->10         started        13 ugwdr.exe 2->13         started        process3 file4 61 C:\Users\user\AppData\Roaming\ugwdr.exe, PE32 10->61 dropped 16 ugwdr.exe 1 10->16         started        105 Injects a PE file into a foreign processes 13->105 19 ugwdr.exe 3 13->19         started        22 ugwdr.exe 13->22         started        signatures5 process6 dnsIp7 73 Multi AV Scanner detection for dropped file 16->73 75 May check the online IP address of the machine 16->75 77 Machine Learning detection for dropped file 16->77 79 Uses schtasks.exe or at.exe to add and modify task schedules 16->79 24 ugwdr.exe 15 4 16->24         started        29 ugwdr.exe 2 16->29         started        63 ip-api.com 19->63 81 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->81 31 msi.exe 19->31         started        33 schtasks.exe 19->33         started        35 WerFault.exe 22->35         started        signatures8 process9 dnsIp10 65 ip-api.com 208.95.112.1, 49697, 49698, 49699 TUT-ASUS United States 24->65 67 192.168.2.1 unknown unknown 24->67 59 C:\Users\user\AppData\Roaming\mvi\msi.exe, PE32 24->59 dropped 101 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->101 37 msi.exe 24->37         started        40 schtasks.exe 1 24->40         started        42 WerFault.exe 24->42         started        103 Injects a PE file into a foreign processes 31->103 44 msi.exe 31->44         started        47 msi.exe 31->47         started        49 conhost.exe 33->49         started        file11 signatures12 process13 dnsIp14 91 Multi AV Scanner detection for dropped file 37->91 93 May check the online IP address of the machine 37->93 95 Machine Learning detection for dropped file 37->95 97 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 37->97 51 conhost.exe 40->51         started        69 www.dnuocc.com 185.254.37.238, 49710, 64577 NETERRA-ASBG Germany 44->69 71 ip-api.com 44->71 99 Hides that the sample has been downloaded from the Internet (zone.identifier) 44->99 53 schtasks.exe 44->53         started        55 WerFault.exe 47->55         started        signatures15 process16 process17 57 conhost.exe 53->57         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e71ad815cd54594816cf7b66db9418eeab73bbc0b67f6ff22d45f7383418a001/
Threat name:
ByteCode-MSIL.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2023-03-06 10:54:02 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=44nnqfonkrmuqfwppntnxfay52vxho6awz7w74rnix3tqnayuaaq._file
Verdict:
malicious
Similar samples:
0579f660e3087207714180f271bd21e9ecaea4e7103e1a140ebadf378473416f
QuasarRAT
100f14bd43501076a1b9dc89bdbc702aadbe65054c05e4bdf9ad8f0000d1c699
QuasarRAT
126a6947bb766d06e7f1eb176b6fa573e72c72dd0f705a99df1e335b7839b134
QuasarRAT
4a43cb5a42dc1d8817d4887d659d99001ede14343263557381eb4399bcf10962
QuasarRAT
52807927efca34144cfa56a3868a913858fa0fc74aeb0b370964688ec49f1312
QuasarRAT
5b507cc8ae7d2edc65f3c23cd89742d28c054eeea1a415dfe3f9ba9a427f33fc
QuasarRAT
b9d9a182e7f6f1afaf0f5058def2ca3e4e65f71a387c228c0a098b6c41b6d319
QuasarRAT
e1993021c0575594ff63f2685d56f1e80c60d6fc67e5e86ff1c5ef7b25f773d5
QuasarRAT
f29d669285f859b0ad90269aa5338bbad96e32369d02f9b8586ac5ede04cf9ce
QuasarRAT
+ 730 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:swl spyware trojan
Link:
https://tria.ge/reports/230306-nqkylscb25/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
www.dnuocc.com:64577
dnuocc.com:64577
Unpacked files
SH256 hash:
e32f7e851bda07f9887cc28057df9a0d88f9e68420891eccc8e7abc5c607bde0
MD5 hash:
2344021b4fcb0652bb9eacffdd947e0b
SHA1 hash:
ccfd49b6da9532123d927e7b69e2af552a538eb3
Link:
https://www.unpac.me/results/9264604b-ff3a-4261-bd04-24e2e91ed58c/
SH256 hash:
b1d7f8f577082a3d1cbf437a80a0850fc8de8c0dea95b6da1446c7dc703ddc79
MD5 hash:
1d5184241b79757452630c198a9bd056
SHA1 hash:
870be6ecf84227c20ec4862e7b7eaaf8f9db4188
Link:
https://www.unpac.me/results/9264604b-ff3a-4261-bd04-24e2e91ed58c/
SH256 hash:
bafecf55de792984b68f05c97fe7568c18fd26201a5be09466d10957db79da87
MD5 hash:
efed7ccb44d0a9b77f47952d2120bb30
SHA1 hash:
61d29ab1788c270415389cae6e0085d8f3f874eb
Link:
https://www.unpac.me/results/9264604b-ff3a-4261-bd04-24e2e91ed58c/
SH256 hash:
e71ad815cd54594816cf7b66db9418eeab73bbc0b67f6ff22d45f7383418a001
MD5 hash:
a9c65aeada0779aab074784a9189cfe1
SHA1 hash:
518a53e34aef6bc34d6e21574a15087a99ed43b8
Detections:
win_xorist_auto
Create hunting rule
Link:
https://www.unpac.me/results/9264604b-ff3a-4261-bd04-24e2e91ed58c/
Malware family:
xRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e71ad815cd54/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e71ad815cd54594816cf7b66db9418eeab73bbc0b67f6ff22d45f7383418a001

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:CN_disclosed_20180208_KeyLogger_1_RID3227
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:malware_Quasar_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_1_RID2B54
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2_RID2B55
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:Windows_Trojan_Quasarrat_e52df647
Create hunting rule
Author:Elastic Security
Rule name:win_xorist_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.xorist.
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W
Rule name:xRAT_1_RID2900
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe e71ad815cd54594816cf7b66db9418eeab73bbc0b67f6ff22d45f7383418a001

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2560055/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/371940/

Comments