MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea9c85df4bf9c40e375d88e19cc1d83220580f0b14a6392b2a48dc1d1e24737c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea9c85df4bf9c40e375d88e19cc1d83220580f0b14a6392b2a48dc1d1e24737c
SHA3-384 hash: 4b9140e5590fafc9042d34316fc15ce9d324fb1215255e43490e2d580b5cd72cfec9b3415bbc0e60815434246854e335
SHA1 hash: 0354fb5789082f417285d0019265c1e719a9848b
MD5 hash: f706444c2a227625890a3d44cfa11bb7
humanhash: glucose-purple-tennis-music
File name:ea9c85df4bf9c40e375d88e19cc1d83220580f0b14a6392b2a48dc1d1e24737c
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:627'712 bytes
First seen:2021-02-28 07:08:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:gIU+8aYMs4++7dWkpaa5kBo+rCDL26wDEkTgaZ4icGLrnY8eJC3O:nU9l4++7Haa5kB8oEklaC
Threatray 57 similar samples on MalwareBazaar
TLSH 20D412DD3A10C272E5086F7695FA110B83DD48A63D32C6AF1FD622D9DBA40BD1E247D2
Reporter JAMESWT_WT
Tags:QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ea9c85df4bf9c40e375d88e19cc1d83220580f0b14a6392b2a48dc1d1e24737c
Verdict:
Malicious activity
Analysis date:
2021-02-28 07:48:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/13129ae7-ada7-47e6-a583-1f21748e2f57

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119788/
Detection(s):
Win.Packed.njRAT-9815539-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Creating a window
Launching a process
Sending a UDP request
Setting a single autorun event
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621166
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359575 Sample: w1QyJ4Plr2 Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus / Scanner detection for submitted sample 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 6 other signatures 2->71 10 w1QyJ4Plr2.exe 1 4 2->10         started        14 RwFrZAZtSs.exe 1 2->14         started        16 w1QyJ4Plr2.exe 2->16         started        18 RwFrZAZtSs.exe 2->18         started        process3 file4 49 C:\Users\user\AppData\...\RwFrZAZtSs.exe, PE32 10->49 dropped 51 C:\Users\...\RwFrZAZtSs.exe:Zone.Identifier, ASCII 10->51 dropped 53 C:\Users\user\AppData\...\w1QyJ4Plr2.exe.log, ASCII 10->53 dropped 79 Injects a PE file into a foreign processes 10->79 20 w1QyJ4Plr2.exe 4 10->20         started        81 Antivirus detection for dropped file 14->81 83 Multi AV Scanner detection for dropped file 14->83 85 Machine Learning detection for dropped file 14->85 24 RwFrZAZtSs.exe 2 14->24         started        26 RwFrZAZtSs.exe 14->26         started        28 w1QyJ4Plr2.exe 2 16->28         started        30 RwFrZAZtSs.exe 18->30         started        signatures5 process6 file7 47 C:\Users\user\AppData\Roaming\...\Win10.exe, PE32 20->47 dropped 73 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->73 32 Win10.exe 1 20->32         started        35 schtasks.exe 1 20->35         started        signatures8 process9 signatures10 57 Antivirus detection for dropped file 32->57 59 Multi AV Scanner detection for dropped file 32->59 61 Machine Learning detection for dropped file 32->61 63 Injects a PE file into a foreign processes 32->63 37 Win10.exe 2 32->37         started        41 conhost.exe 35->41         started        process11 dnsIp12 55 sherlock457-40088.portmap.io 193.161.193.99, 40088, 49726, 49727 BITREE-ASRU Russian Federation 37->55 75 Hides that the sample has been downloaded from the Internet (zone.identifier) 37->75 77 Installs a global keyboard hook 37->77 43 schtasks.exe 1 37->43         started        signatures13 process14 process15 45 conhost.exe 43->45         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea9c85df4bf9c40e375d88e19cc1d83220580f0b14a6392b2a48dc1d1e24737c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 02:44:57 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5koilx2l7hca4n25rdqzzqoygiqfqdylcstdskzkjdob2hreon6a._file
Verdict:
unknown
Similar samples:
2caacde56329c3cb26c041d2535a5121d02fc195193f4046aabec42d61655d68
QuasarRAT
3b1dc7e0c9154fe384c695f8eec5622ab2ba88bf59d990def6b2c11d8519cecf
QuasarRAT
59b230d608d121a6969fa2eab41b020c57f99328319ebd92ef00cb4081562589
QuasarRAT
7f5f68e3163fd4aae367b129dc4d519000905b78d66e6933e7b091053eadd98f
QuasarRAT
91f5ba0e0abcad0604f2a2f1ae529bf84c1e30b44677b572b89e150b48b59b46
QuasarRAT
ae9f21e994994c7d538df1032eb81cba7c3cbff6a76e8c15d91c8fe6f78dfa28
QuasarRAT
f1d81ae5a4ea7a71d5d7147565fecca141a8e03148ef3c9e7583b9159923d17a
QuasarRAT
f66ba3c9a85a0a54242aa2a905df2120305cec66efbc9a1a02db3c66ff50b722
QuasarRAT
f95573e18dd16600bedc2ab6917774a91603d5e90ae5deccfa969a8311802972
QuasarRAT
f9b03c723f0707c47dc00e0d77ac55559d2cd07cd6b38a67126e535068ca05dc
QuasarRAT
+ 47 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210228-9msryelfkx/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
775895c7717fc565c7b53c4e23e1099681e9467f2a4fbc821e06ec5e33e77af1
MD5 hash:
079f6b2d9435fc1eca69d4519509c3a6
SHA1 hash:
571058e8205177cb1d1ece7862624169bb1e1815
Link:
https://www.unpac.me/results/958238aa-84b6-4c07-9c05-97c054d0c18a/
SH256 hash:
79243bc7d5809322d4bb6286496db1711b239a17cfacfb158c6a6e5b91e57bb5
MD5 hash:
67e49231a7da6e0665d2b6510f7932f8
SHA1 hash:
22fba7336a9a804b0607c5a05e708ac753f5f4cb
Link:
https://www.unpac.me/results/958238aa-84b6-4c07-9c05-97c054d0c18a/
SH256 hash:
ea9c85df4bf9c40e375d88e19cc1d83220580f0b14a6392b2a48dc1d1e24737c
MD5 hash:
f706444c2a227625890a3d44cfa11bb7
SHA1 hash:
0354fb5789082f417285d0019265c1e719a9848b
Link:
https://www.unpac.me/results/958238aa-84b6-4c07-9c05-97c054d0c18a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea9c85df4bf9c40e375d88e19cc1d83220580f0b14a6392b2a48dc1d1e24737c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119788/

Comments