MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5a57218a5047acc47859185bfdb93ed8ad0ee4ad7475cae24ebffe518569146. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5a57218a5047acc47859185bfdb93ed8ad0ee4ad7475cae24ebffe518569146
SHA3-384 hash: 14b2eedc6239e0eb0c43eb79969d77ed770bcebe0a4313855f92750dc18e2fc02e732586f6f11e981d90b8ac394cfe40
SHA1 hash: 1729b91cbe1d8259c3f3addba06f9b4d8fafbfc6
MD5 hash: 7f0994266ca6932d6ffaef01fb46f3ea
humanhash: crazy-social-nineteen-four
File name:7f0994266ca6932d6ffaef01fb46f3ea.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'397'592 bytes
First seen:2022-03-26 19:01:26 UTC
Last seen:2024-07-24 23:04:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:hzgON0iIHBrHd0anQJAlfUeLUinLPjdOPFvNMBfY:hzbEBrHKoNbcvEY
Threatray 1'050 similar samples on MalwareBazaar
TLSH T1DF55BF2A1BEF4D01D16F83B1A7B514F85732F30AE7A2E329046E915F5D3138453A2FA9
File icon (PE):PE icon
dhash icon 36c29292b2e88c82 (54 x AgentTesla, 33 x RedLineStealer, 11 x Formbook)
Reporter abuse_ch
Tags:exe QuasarRAT RAT signed

Code Signing Certificate

Organisation:TEST
Issuer:TEST
Algorithm:sha1WithRSAEncryption
Valid from:2022-03-22T11:11:38Z
Valid to:2023-03-22T11:11:38Z
Serial number: 7b1566cbd4fe124d701029861a87d8aa
Thumbprint Algorithm:SHA256
Thumbprint: 4917fc561089a775736c8b70f1d464f430361a1f6408103fea2dd3058e413235
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
QuasarRAT C2:
92.118.36.201:4782

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
92.118.36.201:4782 https://threatfox.abuse.ch/ioc/454785/

Intelligence

File Origin
# of uploads :
3
# of downloads :
344
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f5a57218a5047acc47859185bfdb93ed8ad0ee4ad7475cae24ebffe518569146.exe
Verdict:
Malicious activity
Analysis date:
2022-03-26 20:56:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3d4003e1-04e4-4f69-a978-19ccdd2c0d3e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/258089/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1266.18232.8511.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Launching a process
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Creating a file
Searching for the window
Sending a custom TCP request
Setting a keyboard event handler
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a single autorun event
Adding exclusions to Windows Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd.exe msbuild.exe obfuscated overlay packed quasar tracker.exe
Link:
https://www.filescan.io/uploads/623f632ca19c6494129522ab/reports/eeec6d44-9f99-4f70-979e-e24f1370af59/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/98095423-5923-4a6c-a024-3ffae5997797
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/965141
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bypass UAC via CMSTP
Sigma detected: File Created with System Process Name
Sigma detected: Suspcious CLR Logs Creation
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Quasar RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 597622 Sample: rxFD7qnfIG.exe Startdate: 26/03/2022 Architecture: WINDOWS Score: 100 65 tools.keycdn.com 2->65 67 api.ipify.org.herokudns.com 2->67 69 api.ipify.org 2->69 81 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 13 other signatures 2->87 8 svchost.exe 2->8         started        12 rxFD7qnfIG.exe 4 6 2->12         started        14 svchost.exe 2->14         started        16 10 other processes 2->16 signatures3 process4 dnsIp5 47 C:\Windows\Temp\ypd4vwdy.inf, Windows 8->47 dropped 49 C:\Users\user\AppData\...\svchost.exe.log, ASCII 8->49 dropped 95 System process connects to network (likely due to code injection or exploit) 8->95 97 Multi AV Scanner detection for dropped file 8->97 99 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->99 111 2 other signatures 8->111 19 svchost.exe 8->19         started        23 cmstp.exe 8->23         started        51 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 12->51 dropped 53 C:\Users\user\AppData\...\rxFD7qnfIG.exe.log, ASCII 12->53 dropped 101 May check the online IP address of the machine 12->101 103 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->103 105 Creates an autostart registry key pointing to binary in C:\Windows 12->105 113 2 other signatures 12->113 25 rxFD7qnfIG.exe 12->25         started        27 powershell.exe 24 12->27         started        29 powershell.exe 25 12->29         started        35 2 other processes 12->35 107 Changes security center settings (notifications, updates, antivirus, firewall) 14->107 31 MpCmdRun.exe 14->31         started        61 127.0.0.1 unknown unknown 16->61 63 192.168.2.1 unknown unknown 16->63 55 C:\Windows\Temp\mip4jzko.inf, Windows 16->55 dropped 57 C:\Windows\Temp\42w30uok.inf, Windows 16->57 dropped 59 C:\Windows\Temp\3wplvvex.inf, Windows 16->59 dropped 109 Drops executables to the windows directory (C:\Windows) and starts them 16->109 33 cmstp.exe 16->33         started        37 6 other processes 16->37 file6 signatures7 process8 dnsIp9 71 52.20.78.240, 443, 49791, 49797 AMAZON-AESUS United States 19->71 73 api.ipify.org 19->73 89 System process connects to network (likely due to code injection or exploit) 19->89 91 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->91 93 Installs a global keyboard hook 19->93 75 92.118.36.201, 4782, 49771, 49789 AS209132NL Romania 25->75 77 tools.keycdn.com 185.172.148.96, 443, 49774, 49790 PROINITYPROINITYDE Germany 25->77 79 2 other IPs or domains 25->79 39 conhost.exe 27->39         started        41 conhost.exe 29->41         started        43 conhost.exe 31->43         started        45 conhost.exe 35->45         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f5a57218a5047acc47859185bfdb93ed8ad0ee4ad7475cae24ebffe518569146/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-23 03:20:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
18 of 42 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6wsxegffar5myr4fsgc37w4t5wfnb3sk25dvzlre5p76kgcwsfda._file
Verdict:
malicious
Similar samples:
2acbe411d9169a8ea08c2f54cec03901956e3a1a5c80a0153ebe09792961b549
QuasarRAT
3659778cc75ed1428fe16a288b28095311ffdc650a1202482376b4f3c04b75f3
QuasarRAT
585e4146923404bbe11c2cf5a423e2650a5d133541e9baeacb64a4d675f6484d
QuasarRAT
7840f820c6a51c719f18de44d2f0bfb0f2b7e88c9ab2e3b7a2c310b98180dddb
QuasarRAT
8be3c7231a1d547531c3e669d380fd00b5b3e773da201b34bed04810062329c0
QuasarRAT
a33be1069f51683e3ef5290bedad88f032df7b67fde8955bf2ad72b2f8d5e647
QuasarRAT
e20da9ec0ddcfa71740b795beb5466204bbb1c2f82dcec35a5013fbfecbe49d5
QuasarRAT
+ 1'040 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office04 evasion persistence spyware suricata trojan
Link:
https://tria.ge/reports/220326-xpsfqscfbl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Windows security modification
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Quasar Payload
Quasar RAT
Windows security bypass
suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
Malware Config
C2 Extraction:
92.118.36.201:4782
Unpacked files
SH256 hash:
c5fe8c017d81b1b387c74c918de26734096dbf07a414c541144e2db3eada433d
MD5 hash:
130101344989c62d57fe9e607eef81ba
SHA1 hash:
d94efe074bd80d4890a8b94b962eb243861bc3a8
Link:
https://www.unpac.me/results/1f8eae00-57e9-4ba2-a57f-ab82f6ca86af/
SH256 hash:
fd881ab2f5ecef3c264869d96ef7c98b0df2a28dc102aad4559635185de0d466
MD5 hash:
037c3321c5410c6a9b3394fb5524bcb4
SHA1 hash:
4565e98290c7e6986605c4df389dba0e6b4180e2
Link:
https://www.unpac.me/results/1f8eae00-57e9-4ba2-a57f-ab82f6ca86af/
SH256 hash:
c9b284c96042b163bad47972b8a398824b4435db79563146bcfd298272b80fe2
MD5 hash:
2d7cdfaba342866dd084d42972dfc971
SHA1 hash:
159af5f8698c05df28cb2f09551ec3c3052669c3
Link:
https://www.unpac.me/results/1f8eae00-57e9-4ba2-a57f-ab82f6ca86af/
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/1f8eae00-57e9-4ba2-a57f-ab82f6ca86af/
SH256 hash:
f5a57218a5047acc47859185bfdb93ed8ad0ee4ad7475cae24ebffe518569146
MD5 hash:
7f0994266ca6932d6ffaef01fb46f3ea
SHA1 hash:
1729b91cbe1d8259c3f3addba06f9b4d8fafbfc6
Link:
https://www.unpac.me/results/1f8eae00-57e9-4ba2-a57f-ab82f6ca86af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f5a57218a5047acc47859185bfdb93ed8ad0ee4ad7475cae24ebffe518569146

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/258089/

Comments