MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ddbcff678c3056b7ed840e1bff73c75856af1b3b29f7c49c218109cf7aff7d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ddbcff678c3056b7ed840e1bff73c75856af1b3b29f7c49c218109cf7aff7d8
SHA3-384 hash: ddabc8668397bdcae223a3b3d78692ba8212e2e6934d3b89972359efd1ba626c833c7d6535abb4c8d616a67d6c91c47a
SHA1 hash: 6d704765f42692ef27543724af0c44f5a70d0b11
MD5 hash: cdbec867b35a3e945d1c4930b9c54c5f
humanhash: artist-apart-quebec-carolina
File name:DDoSEm.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'979'392 bytes
First seen:2025-07-27 15:47:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'656 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 49152:GJwYW0IBwVUagdAepq6LK7oa2aO+z+4Eq4ZTi4RtTysusxVBJ:UJfVUagdAeI9/O+z+fTi4husDBJ
TLSH T151953357D1F99250D4AE57B3B1EDE5CC6CD60A0E3983B2B4F6C01A3BF47A0C96228467
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon cc3333714d4c8e8e (1 x QuasarRAT)
Reporter abuse_ch
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
32
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DDoSEm.exe
Verdict:
Malicious activity
Analysis date:
2025-07-27 14:41:21 UTC
Tags:
crypto-regex
Link:
https://app.any.run/tasks/ed9bcc2c-2521-4e60-a9f3-be53ca39a8ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/17174/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68863a90af3050dc8d318c66
Tags:
vmdetect quasar lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Connection attempt to an infection source
Sending a custom TCP request
Unauthorized injection to a recently created process
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68864a0817928df64943168a/reports/a62264c6-baa8-4523-b365-218fd40e0133/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/3ddbcff678c3056b7ed840e1bff73c75856af1b3b29f7c49c218109cf7aff7d8
Malware family:
ModernLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/89a94cf9-0dad-474d-8cf0-c45620f3dcb1
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1744990
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3ddbcff678c3056b7ed840e1bff73c75856af1b3b29f7c49c218109cf7aff7d8
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PE (Portable Executable) SOS: 0.18 Win 32 Exe x86
Link:
https://app.malva.re/file/cdbec867b35a3e945d1c4930b9c54c5f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ddbcff678c3056b7ed840e1bff73c75856af1b3b29f7c49c218109cf7aff7d8/
Verdict:
Malicious
Threat:
ByteCode-MSIL.Malware.Heuristic
Link:
https://tip.neiki.dev/file/3ddbcff678c3056b7ed840e1bff73c75856af1b3b29f7c49c218109cf7aff7d8
Threat name:
ByteCode-MSIL.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2025-07-27 14:41:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
20 of 23 (86.96%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hxn475tyymcww7wyidq375z4owcwv4ntwkpxysocdaijz55p67ma._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
error
QuasarRAT
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office04 discovery spyware trojan
Link:
https://tria.ge/reports/250727-s8b6mszscz/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
learn-springfield.gl.at.ply.gg:35685
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/818e93d5-fb9b-473c-b48b-b6dddbef4870
Unpacked files
SH256 hash:
3ddbcff678c3056b7ed840e1bff73c75856af1b3b29f7c49c218109cf7aff7d8
MD5 hash:
cdbec867b35a3e945d1c4930b9c54c5f
SHA1 hash:
6d704765f42692ef27543724af0c44f5a70d0b11
Link:
https://www.unpac.me/results/d2aec603-12fd-4e0d-9237-846cc86b0404/
SH256 hash:
b772677df97054577823d713937fda4801d06bfa6f471c00991aa66fa3577faf
MD5 hash:
fc81bd684b17ffcd26c322381701b398
SHA1 hash:
55d5df8ede31ea101f4efaaa790cc1b7f7ca0e01
Link:
https://www.unpac.me/results/d2aec603-12fd-4e0d-9237-846cc86b0404/
SH256 hash:
d5235265564f0bfd23b7279d7bdccc9ea6383ed07c5d0bfdf6c99029af9a2c0c
MD5 hash:
1d3dd9fcc077e6b4f88c05b9aef53ee6
SHA1 hash:
12b33858bc84f54b8aa8dbcb5a0ec2da043a6f66
Link:
https://www.unpac.me/results/d2aec603-12fd-4e0d-9237-846cc86b0404/
SH256 hash:
6185d78b8a0cade9e6a7eeb728d4194d8d60b30275827fef2f3842e9e4508676
MD5 hash:
f2e9a3062b992c95e02bdfcd77f1f8a6
SHA1 hash:
12cee4da129fe7056ddf1e58e026e2a2de754f45
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
HKTL_NET_GUID_Quasar
Create hunting rule
Link:
https://www.unpac.me/results/d2aec603-12fd-4e0d-9237-846cc86b0404/
Parent samples :
6ce2462286dc687b1ccab7592a3a68c0504b2639e28cfb8a849e0cd12763fea0
4da64245a16f4a93f5d7d3762addc79a0b997fae82a9cb1dc11fec12334bccff
9019276cf50b5e8397a04c81e75faf35308f2dd7b480db9a060e1c50e66678f2
3ddbcff678c3056b7ed840e1bff73c75856af1b3b29f7c49c218109cf7aff7d8
4d99b92df452a113bafe2af82d237225ff93afe39fae138305b8201b179357c1
45b69051833ba880b6a9cdededab6249034c7b469dc2be4a5540760250f2f107
5c4c1acbf68da3339d49b855aff31b564faadfaa93fb923fc0ac88ccf2afdea9
c69f207f155799c56a2c5894e1ac532803b5308ada2711090b1f7d6c3cde1e54
SH256 hash:
d2300ead1f9941428d1e9c831c50280fef9f00f106e947555a90e121b827f397
MD5 hash:
3a03e2c709e5444f149a3c184a08a08a
SHA1 hash:
24261bab043a71517db98262ceecf2d0a1523ff3
Link:
https://www.unpac.me/results/d2aec603-12fd-4e0d-9237-846cc86b0404/
SH256 hash:
563605ae1c4bed451f4053ffa520ee4ed1f61893a8a45db9292205538459bb63
MD5 hash:
fc9a3846326989549b0924f91c1479b0
SHA1 hash:
48c11e692486a5ae5f99810948b028eb7cd6259d
Link:
https://www.unpac.me/results/d2aec603-12fd-4e0d-9237-846cc86b0404/
SH256 hash:
ceed689891874eed41295189b2db3c187aabcfc90add5a1d2af96f078bcb4811
MD5 hash:
026a5bafe4ac686c01e9d56e00a87ab1
SHA1 hash:
a6ff2228e8114a2b4040d0ca137c4b544ff034f4
Link:
https://www.unpac.me/results/d2aec603-12fd-4e0d-9237-846cc86b0404/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ddbcff678c3056b7ed840e1bff73c75856af1b3b29f7c49c218109cf7aff7d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/17174/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments