MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4fd51e6e0684d722cfacceb9a3abb8e4c449e96dce19b1f8b47fc8b09abf9df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4fd51e6e0684d722cfacceb9a3abb8e4c449e96dce19b1f8b47fc8b09abf9df
SHA3-384 hash: b72c277e73c11296ce1dd9ab9faf20483ea31addb00965743a23b156efb2ffe62d4f41d63219f95dad528a88a1880cb6
SHA1 hash: 2d7ab3ad129e2d372e672a236aae5e82ba835626
MD5 hash: b127f3a9da9a84ab311eeff6917b7bd6
humanhash: arkansas-indigo-river-enemy
File name:b127f3a9da9a84ab311eeff6917b7bd6.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:24'064 bytes
First seen:2021-06-15 15:01:30 UTC
Last seen:2021-06-15 15:42:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:5vrOSKo2KlUgzlMX4hGGBVUUUqUUUUUUUUUUUUdTvULJ0+IeMQqt/UGK8X+uxLeU:trOZtkXBVUUUqUUUUUUUUUUUUdTvYJE5
Threatray 174 similar samples on MalwareBazaar
TLSH 64B2F80572E85B22C0BE0BF51CB19414C7B6B6572924EF4C6EC930CE197AF485E51FAB
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
QuasarRAT C2:
194.5.98.38:4783

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.5.98.38:4783 https://threatfox.abuse.ch/ioc/116596/

Intelligence

File Origin
# of uploads :
2
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b127f3a9da9a84ab311eeff6917b7bd6.exe
Verdict:
Malicious activity
Analysis date:
2021-06-15 15:09:38 UTC
Tags:
trojan rat quasar
Link:
https://app.any.run/tasks/cafb4a92-06ca-4418-a894-e21b981fd924

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37088973.26117.3375.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a UDP request
Creating a window
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file
Setting a keyboard event handler
Sending a custom TCP request
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/576992ed-e126-42ec-ac31-c861382e091b
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/802546
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 434942 Sample: b8H57DyrVF.exe Startdate: 15/06/2021 Architecture: WINDOWS Score: 100 77 Found malware configuration 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 Multi AV Scanner detection for dropped file 2->81 83 7 other signatures 2->83 9 b8H57DyrVF.exe 15 4 2->9         started        12 b8H57DyrVF.exe 3 2->12         started        process3 dnsIp4 63 community-dofus.com 31.132.0.67, 49706, 49720, 49733 UKSERVERS-ASUKDedicatedServersHostingandCo-Location United Kingdom 9->63 65 192.168.2.1 unknown unknown 9->65 16 cmd.exe 1 9->16         started        19 cmd.exe 3 9->19         started        47 C:\Users\user\AppData\...\b8H57DyrVF.exe.log, ASCII 12->47 dropped 93 Injects a PE file into a foreign processes 12->93 22 b8H57DyrVF.exe 16 12->22         started        file5 signatures6 process7 dnsIp8 67 Suspicious powershell command line found 16->67 25 powershell.exe 18 16->25         started        27 wscript.exe 16->27         started        29 conhost.exe 16->29         started        31 timeout.exe 1 16->31         started        43 C:\Users\user\AppData\...\b8H57DyrVF.exe, PE32 19->43 dropped 45 C:\Users\...\b8H57DyrVF.exe:Zone.Identifier, ASCII 19->45 dropped 69 Drops PE files to the startup folder 19->69 33 conhost.exe 19->33         started        51 vpnnid.hopto.org 194.5.98.38, 4783, 49728, 49747 DANILENKODE Netherlands 22->51 53 tools.keycdn.com 185.172.148.96, 443, 49730, 49749 PROINITYPROINITYDE Germany 22->53 55 3 other IPs or domains 22->55 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->71 73 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->73 75 Installs a global keyboard hook 22->75 file9 signatures10 process11 process12 35 b8H57DyrVF.exe 25->35         started        dnsIp13 49 community-dofus.com 35->49 85 Injects a PE file into a foreign processes 35->85 39 b8H57DyrVF.exe 35->39         started        signatures14 process15 dnsIp16 57 vpnnid.hopto.org 39->57 59 54.225.210.209, 443, 49751 AMAZON-AESUS United States 39->59 61 4 other IPs or domains 39->61 87 Tries to harvest and steal browser information (history, passwords, etc) 39->87 89 Hides that the sample has been downloaded from the Internet (zone.identifier) 39->89 91 Installs a global keyboard hook 39->91 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4fd51e6e0684d722cfacceb9a3abb8e4c449e96dce19b1f8b47fc8b09abf9df/
Threat name:
ByteCode-MSIL.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2021-06-13 00:54:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6t6vdzxanbgxelh2ztvzuov3rzgejhuw3tqzwh4li76iwcnl7hpq._file
Verdict:
unknown
Similar samples:
0ba7d87707e5cd53958cb9afd59f1c70b76bad4ba28341e8bdee3d32bf417edb
QuasarRAT
21ba0bed0b05a2ce68496e73a5c103fb5b815ac2c77e997f46e5d09666c1c978
QuasarRAT
32560ccc4af2d37c587bbc551e1dd8127b8efaafb199f74c18ec111a812a7f30
QuasarRAT
507cd77f0000cc2af40601e9121683769ea55d389a1df1c7832a103785711fb4
QuasarRAT
8b0d6717a7d98595e7727f5309e19a1f3dae7986d1809f14f8de4edfb2810a3e
QuasarRAT
a3c961a0fe00bc7bcfa3b0e34baa03d8c3b1d03889cb150e270f5e33f15a8007
QuasarRAT
aab01704c3cce6d9a75418e3ba4a905ebe215eed1d8d010096638b7f849a4f87
QuasarRAT
ac4b99079b1ceb11db593097e421de9d9092765feedc23a3ab8ef912b292c988
QuasarRAT
bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0
QuasarRAT
d1d0ac76e59b9e2a8ae3a433e0186d74fc61417c89fe5ee4b93c02faa1dc58f8
QuasarRAT
+ 164 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar spyware stealer trojan
Link:
https://tria.ge/reports/210615-n8ketr598a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads user/profile data of web browsers
Quasar Payload
Quasar RAT
Unpacked files
SH256 hash:
f4fd51e6e0684d722cfacceb9a3abb8e4c449e96dce19b1f8b47fc8b09abf9df
MD5 hash:
b127f3a9da9a84ab311eeff6917b7bd6
SHA1 hash:
2d7ab3ad129e2d372e672a236aae5e82ba835626
Link:
https://www.unpac.me/results/1beaaeaf-d96c-4a67-b78c-f8191a36accc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/f4fd51e6e0684d722cfacceb9a3abb8e4c449e96dce19b1f8b47fc8b09abf9df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe f4fd51e6e0684d722cfacceb9a3abb8e4c449e96dce19b1f8b47fc8b09abf9df

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1370454/
  
Delivery method
Distributed via web download

Comments