MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0c295d05e3abafc2d53f0c748a900a3571e1a17ee1754a6f3177266a743c42e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	f0c295d05e3abafc2d53f0c748a900a3571e1a17ee1754a6f3177266a743c42e
SHA3-384 hash:	c699d5d9b15951492a1a5f067a64f664f76e88ea27fb22135ec5e5afed729b9f456b792a81ec7dc4f8f1ca6b513d8747
SHA1 hash:	227e974b4ec3a72120cbf2928a673c7162edf2d8
MD5 hash:	e87a4d9bcbb37442e69780961b8fe70d
humanhash:	golf-asparagus-freddie-zebra
File name:	f0c295d05e3abafc2d53f0c748a900a3571e1a17ee1754a6f3177266a743c42e
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	778'390 bytes
First seen:	2022-03-23 08:39:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	12288:VhqxSLo5C1Ps4XhWT+trB8iLekEoSiWZI5UT+e7dJ/IiG9PukqS15YQ5mlENFfha:VHLmCiIhjD6hoSiWIe2i2d1z5miNFp0f
Threatray	8'036 similar samples on MalwareBazaar
TLSH	T1B4F4E143B0E64471DD152D39053A5BC13C37BC10AF28AFF7F7B97F8AAA910E25624662
File icon (PE):
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	JAMESWT_WT
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

23Server.bat

Verdict:

Malicious activity

Analysis date:

2022-03-01 07:58:53 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/4645bce7-6fba-4eee-b677-a466bb04092e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RDPWrap

Link:

https://www.capesandbox.com/analysis/255797/

Detection(s):

Win.Trojan.Generic-9942096-0

SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file

Running batch commands

Launching a process

Creating a process from a recently created file

Sending a custom TCP request

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Setting a keyboard event handler

Creating a file in the %temp% directory

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

BSOD occurred

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Blocking the Windows Defender launch

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/10760/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed setupapi.dll shdocvw.dll shell32.dll update.exe

Link:

https://www.filescan.io/uploads/623add27dfdfa8501cd22e73/reports/9fc367aa-8363-4372-990d-192f07901e2d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Quasar RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a8beb17e-d187-4a62-a17a-93608c8006d9

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/962726

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f0c295d05e3abafc2d53f0c748a900a3571e1a17ee1754a6f3177266a743c42e/

Threat name:

ByteCode-MSIL.Trojan.Venomrat

Status:

Malicious

First seen:

2022-03-15 11:11:06 UTC

File Type:

PE (Exe)

Extracted files:

643

AV detection:

13 of 26 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6dbjluc6hk5pylkt6ddurkiaunlr4gqx5ylvjjxtc5zgnj2dyqxa._file

Verdict:

malicious

QuasarRAT

2e1eda10e2bbd19418706a23888807e50c0407eb191cc26d541c85279193c3db

QuasarRAT

5e74c2b7ac2d1ad593abac2e47d690a083bf96f1566901e58a5f59d221bc9853

QuasarRAT

7482b140488cd74ef0403293fac39ef04971a50072ab191dd84ec9471b2f0b25

QuasarRAT

815b2bf1ddadfb46a27001e08246e8f82f629eb793963bef856d17e1ef9c4085

QuasarRAT

94b4df2a78e60f80472d518819e7383b09f20d18b270d60b99be31a4a12f7156

QuasarRAT

9e33fbfc975a81d62c7ec060a00a42fcdf5e84ba294be3f21d5307b79ddf9555

QuasarRAT

b46a76c6240983b927fa789dbfd5214bb513285da9205c52539736286346ddaf

QuasarRAT

b603bb5bf05a55c7687cbfa64566cb5608947284b8eaf0da2b1b6d282fee3ecd

QuasarRAT

+ 8'026 additional samples on MalwareBazaar

Result

Malware family:

venomrat

Score:

10/10

Tags:

family:quasar family:venomrat botnet:host persistence rat rootkit spyware stealer trojan

Link:

https://tria.ge/reports/220323-kk4lzsaga4/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Contains code to disable Windows Defender

Quasar Payload

Quasar RAT

VenomRAT

Malware Config

C2 Extraction:

44334333-37569.portmap.io:37569

Unpacked files

SH256 hash:

f6da001b9f43193ace33549e202780a7cf672d5dd03f149b7dfa4a4174f482c8

MD5 hash:

144667f65edb7e9b938b1d79c8d5cf54

SHA1 hash:

9a0c385e4f42e054e94858ee7b20bf67551493fa

Link:

https://www.unpac.me/results/5909a9fc-a13f-4533-8fa0-c3a492f03729/

SH256 hash:

74f157d228b19efbe878feb76a5be3caeb1cdd11c59ee3ec9622dbd994081310

MD5 hash:

025e2ffb735be017523af9c9a2fbbe87

SHA1 hash:

e5fa2a222098a73ac23644675947816ca14cb1aa

Link:

https://www.unpac.me/results/5909a9fc-a13f-4533-8fa0-c3a492f03729/

SH256 hash:

1bb6f045a9218bacd2c0f35f2e9fb3f0a92f5bdd7efd207b070c47707a6ae82d

MD5 hash:

1634b36bb54a876f818712d1f105fe00

SHA1 hash:

deaa950169f13bd1f07103e5aff7932547962e04

Link:

https://www.unpac.me/results/5909a9fc-a13f-4533-8fa0-c3a492f03729/

SH256 hash:

cf9cfbf0a6032ffb90f0b6889dc6ba17fee607f18ee2489b2f40795a61b8602b

MD5 hash:

98172297ab14ce38057c521b752ce5a4

SHA1 hash:

517041f9d2a32845f8036c205ce95ba254fda6cb

Link:

https://www.unpac.me/results/5909a9fc-a13f-4533-8fa0-c3a492f03729/

SH256 hash:

f0c295d05e3abafc2d53f0c748a900a3571e1a17ee1754a6f3177266a743c42e

MD5 hash:

e87a4d9bcbb37442e69780961b8fe70d

SHA1 hash:

227e974b4ec3a72120cbf2928a673c7162edf2d8

Link:

https://www.unpac.me/results/5909a9fc-a13f-4533-8fa0-c3a492f03729/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f0c295d05e3abafc2d53f0c748a900a3571e1a17ee1754a6f3177266a743c42e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/255797/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample