MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2b78e277970e1607c23f03bf7facfb77a1dd50798acc078fd942abe59baca6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 13


Maldoc score: 23



SHA256 hash: c2b78e277970e1607c23f03bf7facfb77a1dd50798acc078fd942abe59baca6f
SHA3-384 hash: 73cd25432dbe93bdc536bb5c5a553d3f4510e21e12a736bb559b2b249130f7e2d078406ccbef4b15ef030416e97e5fac
SHA1 hash: 49242579f4ecd4aa17cb00bfcd50987b915d4a6d
MD5 hash: b5582db7d1beaabff94af7b08641c973
humanhash: glucose-triple-echo-robin
File name: PO061225.docm
Signature: QuasarRAT
File size: 22'423 bytes
First seen: 2025-06-14 13:17:05 UTC
Last seen: Never
File type: Word file docm
MIME type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep: 384:/iheaMwMtqxn2d4nVGrdA78NrPc9LPnuM3McdPCXcPg7VfRlFdM0krlL+:/MebfGnVud886LPuRcccPg9B8pa
TLSH: T138A2DF5EDB01B93BE6EFD0BB046117D3F60D4512E5741D3A0228B7AD8E8152B1B92CCB
TrID: 53.6% (.DOCM) Word Microsoft Office Open XML Format document (with Macro) (52000/1/9)
      24.2% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4)
      18.0% (.ZIP) Open Packaging Conventions container (17500/1/4)
      4.1% (.ZIP) ZIP compressed archive (4000/1)
Magika: docx
Reporter: abuse_ch
Tags: docm QuasarRAT

Office OLE Information


This malware sample appears to be an Office document. The following tables provide more information about this document, obtained using oletools and oledump.

OLE id
Maldoc score: 23
OLE dump

MalwareBazaar was able to identify 10 sections in this file using oledump:

Section ID  Section size  Section name
A1          440 bytes     PROJECT
A2          41 bytes      PROJECTwm
A3          6104 bytes    VBA/ThisDocument
A4          2945 bytes    VBA/_VBA_PROJECT
A5          2304 bytes    VBA/__SRP_0
A6          129 bytes     VBA/__SRP_1
A7          1532 bytes    VBA/__SRP_2
A8          195 bytes     VBA/__SRP_3
A9          523 bytes     VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) from OLE objects embedded in this file using olevba, yielding the following information:

Type        Keyword            Description
AutoExec    Document_Open      Runs when the Word or Publisher document is opened
IOC         microsoft.vbs      Executable file name
IOC         wscript.exe        Executable file name
Suspicious  Environ            May read system environment variables
Suspicious  Open               May open a file
Suspicious  Write              May write to a file (if combined with Open)
Suspicious  CopyHere           May copy a file
Suspicious  ADODB.Stream       May create a text file
Suspicious  SaveToFile         May create a text file
Suspicious  Shell              May run an executable file or a system command
Suspicious  vbNormalFocus      May run an executable file or a system command
Suspicious  CreateObject       May create an OLE object
Suspicious  Shell.Application  May run an application (if combined with CreateObject)
Suspicious  DownloadFile       May download files from the Internet using PowerShell

Intelligence


File Origin
# of uploads: 1
# of downloads: 2'518
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: PO061225.docm
Verdict: No threats detected
Analysis date: 2025-06-14 13:25:54 UTC
Tags: macros macros-on-open

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 96.5%
Tags: office macro micro
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
DNS request
Creating a file in the %temp% directory
Searching for synchronization primitives
Searching for the window
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Connection attempt by exploiting the app vulnerability
Using BITS transfer job for data transfer
Sending a custom TCP request by exploiting the app vulnerability
Creating a process from a recently created file
Result
Verdict: Malicious
File Type: Word File with Macro
Behaviour
BlacklistAPI detected
Verdict: Malicious
Labeled as: Msoffice/malicious_confidence_100%
Label: Benign
Suspicious Score: /10
Score Malicious: %
Score Benign: 1%
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write
Detected macro logic that can write data to the file system.
Document With No Content
Document contains little or no semantic information.
Macro Execution Coercion in Document
Detected a document that appears to social engineer the user into activating embedded logic.
Shell.Application Object
Detected the instantiation of Shell Application object within the macro.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document exploit detected (creates forbidden files)
Document exploit detected (process start blacklist hit)
Found malware configuration
Found suspicious ZIP file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Microsoft Office drops suspicious files
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process queries suspicious COM object (likely to drop second stage)
Potential malicious VBS script found (has network functionality)
Powershell uses Background Intelligent Transfer Service (BITS)
Sample uses string decryption to hide its real strings
Sigma detected: Legitimate Application Dropped Archive
Sigma detected: Office product drops script at suspicious location
Sigma detected: Register Wscript In Run Key
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MalBat
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 1714449
Sample: PO061225.docm
Startdate: 14/06/2025
Architecture: WINDOWS
Score: 100

Contacted domains (sample level): pastebin.com (Connects to a pastebin service (likely for C&C)); raw.githubusercontent.com; ipwho.is
Signatures (sample level): Sigma detected: Register Wscript In Run Key; Found malware configuration; Malicious sample detected (through community Yara rule); 22 other signatures

Process tree:
- WINWORD.EXE (162 115)
    Network: raw.githubusercontent.com 185.199.108.133, 443, 49695, 49697 FASTLYUS Netherlands
    Dropped: C:\Users\user\Desktop\PO061225.docm (copy), Microsoft; C:\Users\user\AppData\Local\...\microsoft.vbs, ASCII; C:\Users\user\AppData\Local\Temp\file.zip, Zip
    Signatures: Document exploit detected (creates forbidden files); Office process queries suspicious COM object (likely to drop second stage); Microsoft Office drops suspicious files
    - wscript.exe (5)
        Dropped: C:\Users\user\AppData\Roaming\...\log.txt, DOS; C:\Users\user\AppData\Roaming\...\config.txt, DOS
        Signatures: System process connects to network (likely due to code injection or exploit); Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy; 2 other signatures
        - cmd.exe (8)
            Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)
            - wscript.exe
                Signatures: Wscript starts Powershell (via cmd or directly)
                - powershell.exe
                    Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                    - AddInProcess32.exe
                        Network: 109.207.171.238, 49716, 49720, 7000 NPO-AIDMA-ASRU Russian Federation; ipwho.is 15.204.213.5, 443, 49718 HP-INTERNET-ASUS United States; pastebin.com 104.22.68.199, 443, 49715 CLOUDFLARENETUS United States
                        Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
                    - conhost.exe
                    - taskkill.exe
                    - AddInProcess32.exe
            - powershell.exe (27)
                Signatures: Powershell uses Background Intelligent Transfer Service (BITS); Loading BitLocker PowerShell Module
            - powershell.exe (27)
            - 11 other processes
                Dropped: C:\Users\user\AppData\Roaming\...\strt_n.vbs, ASCII; C:\Users\user\AppData\Roaming\...\n_main.txt, Unicode
        - conhost.exe
- wscript.exe
    Signatures: Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
    - powershell.exe
        - conhost.exe
        - taskkill.exe
        - taskkill.exe
        - AddInProcess32.exe
- wscript.exe
    - powershell.exe
        Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
        - conhost.exe
        - taskkill.exe
        - 3 other processes
Threat name: Win32.Trojan.Suschil
Status: Malicious
First seen: 2025-06-13 01:28:02 UTC
File Type: Document
Extracted files: 24
AV detection: 15 of 38 (39.47%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:quasar botnet:office04 discovery execution macro persistence spyware trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction: https://pastebin.com/raw/fEnyPjn0
Dropper Extraction: https://raw.githubusercontent.com/kevin536376/documnets/refs/heads/main/encoded8.txt
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: informational_win_ole_protected
Author: Jeff White (karttoon@gmail.com) @noottrak
Description: Identify OLE Project protection within documents.
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information


The table below shows additional information about this malware sample such as delivery method and external references.
