MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee2e84f75b0b6043c2a2e3b84bdeabc0be4a4a1e4c6ec6a3ff255963b545425d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee2e84f75b0b6043c2a2e3b84bdeabc0be4a4a1e4c6ec6a3ff255963b545425d
SHA3-384 hash: 8cfb416ae0141e83b6dd8a0bb56882423a2e484db5130eaff68add851982f540bbe43546e388ebc4f027a815b66eee9d
SHA1 hash: 9cf99395e2863ced59339bb86ac3263680ee564e
MD5 hash: df79eb7861a219796ad90d343001df90
humanhash: saturn-sierra-uniform-avocado
File name:igfx.sfx.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:720'836 bytes
First seen:2020-11-05 04:29:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:5hqxSLo5C1Ps4XhitX+t4989D73ZxYLTpoiqTfUx7C9MxIFZGtd5aTP9:5HLmCiIhiXKn3ZxYLTpoxYx7bGwtdcTl
Threatray 281 similar samples on MalwareBazaar
TLSH AEE40103B9C595B2D53219321A39A750693D7D201F298EEFB3E8692DDF311C1AA34B73
Reporter TCMYT_
Tags:QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/83043/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Sending a UDP request
Launching a process
Creating a file
DNS request
Unauthorized injection to a recently created process
Connection attempt to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/520916
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee2e84f75b0b6043c2a2e3b84bdeabc0be4a4a1e4c6ec6a3ff255963b545425d/
Threat name:
ByteCode-MSIL.Trojan.Perseus
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 04:31:05 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5yxij523bnqehqvc4o4exxvlyc7eusq6jrxmni77evmwhnkfijoq._file
Verdict:
malicious
Similar samples:
1aabe4a4ce09025edf03501ea5cce117d4315f4baa19c0110e1c779ae2bd9ad3
QuasarRAT
3a83d1211c8a9235a72f0dcea5c36ec53a99ed83340e35097e7f41773bc8fb3f
QuasarRAT
40ed39645e952f345485dea73f460ed5aecc2c523f598e46f2b7f883b50b2281
QuasarRAT
41c11b942c8abb394d9ee8b14bdd4edb229962db1b1efff70b36706dbf7f5fba
QuasarRAT
585e4146923404bbe11c2cf5a423e2650a5d133541e9baeacb64a4d675f6484d
QuasarRAT
5ba0344c196d2605e844a2b15cff5c93412d58e9ca5c8446c468fa768604242d
QuasarRAT
9760105f3177384c19086dee036cdc67916d744f4a1e7064ecfd906e252dba69
QuasarRAT
a62e4e1d21bdc64eea17d8bbc4ab5e6c48dc57abbb470322c3357abdef15341f
QuasarRAT
ac4d3acc896cc3fd6e4ba14547572dfc0447f47f2c29c28a170db4b0169c6e2f
QuasarRAT
d3922882bfee49abb72584b9d5918f3787221fa40b7f552c98d7bc0e55833234
QuasarRAT
+ 271 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/201105-lb6sj32bsa/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
de30889371185cac09f81542c32fdcf2bb37bbb71fe49a77b9240477476bf8e2
MD5 hash:
14bb24c867cf24f67005685af3a68644
SHA1 hash:
a30430bea8c7b90293103fa678643b255fae665b
Link:
https://www.unpac.me/results/22eb1319-14d1-49bc-a92e-d3fe96d7fcca/
SH256 hash:
a7850c2f465699f60d64d5bf78cd253e12ad1526b155d40e882a71a35d10c765
MD5 hash:
07d303186224b3e517f3c3fbf4eed1f8
SHA1 hash:
5cd8a79447bfc81d1f1ddad6cdfdcf3d29333317
Link:
https://www.unpac.me/results/22eb1319-14d1-49bc-a92e-d3fe96d7fcca/
SH256 hash:
d31841edc613e379bae3db31414378fdf797310040015185cd63d6d17bcff721
MD5 hash:
c0058b4073450dfd46cf965142c495ce
SHA1 hash:
7b6293c5af554b30f86c9b8420e8956e6a5d4a47
Link:
https://www.unpac.me/results/22eb1319-14d1-49bc-a92e-d3fe96d7fcca/
SH256 hash:
5fda7ee9bc5175075ee399ebf129d02f46eee3955ec06d359409e913ba7612d7
MD5 hash:
a10645a9d67ce46819443318e9b3063c
SHA1 hash:
a1ba5cfd0eb7fda77e513e3cc5c647baba61e29e
Link:
https://www.unpac.me/results/22eb1319-14d1-49bc-a92e-d3fe96d7fcca/
SH256 hash:
ee2e84f75b0b6043c2a2e3b84bdeabc0be4a4a1e4c6ec6a3ff255963b545425d
MD5 hash:
df79eb7861a219796ad90d343001df90
SHA1 hash:
9cf99395e2863ced59339bb86ac3263680ee564e
Link:
https://www.unpac.me/results/22eb1319-14d1-49bc-a92e-d3fe96d7fcca/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/83043/

Comments