MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0455ebce0a62e2413a730a8e172cde5e6171d2a3569c4620c7e10a6ff04a3710. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0455ebce0a62e2413a730a8e172cde5e6171d2a3569c4620c7e10a6ff04a3710
SHA3-384 hash: 3928bdb21308c6b96df5b3ec6e24385c4542c932661182b3e2d09ffdd4295ea30d3ee4d4aacec05ea62f65cd02f54f29
SHA1 hash: cd941d3783ddd7c270b0c8d0074f25bdc5953a47
MD5 hash: fe65fcf9c990d86ae6d509427faed729
humanhash: salami-lamp-sodium-thirteen
File name:LAYRE Injector.bat
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:5'056'419 bytes
First seen:2025-11-14 20:59:15 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 24576:KA0XTVl4dgr6EvDuGkOuu2B0xQwzQgPx3oPSJOJSSQGWn0cPnTQcDQvF4ymfiKGU:W
Threatray 21 similar samples on MalwareBazaar
TLSH T13936EFE634A5B894DDEFD25F84AE8B79B35E0682D707218A131F1D58866340F3E849CF
Magika batch
Reporter burger
Tags:bat donutloader QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
54
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LAYREInjector.bat
Verdict:
Malicious activity
Analysis date:
2025-11-14 20:59:02 UTC
Tags:
auto-reg susp-powershell
Link:
https://app.any.run/tasks/d50b31d3-94fa-4539-8d68-4bd0613a42a3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38250/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69179817434cd67b17c165c1
Tags:
ransomware dropper emotet sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching cmd.exe command interpreter
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Changing the Zone.Identifier stream
Creating a file
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Creating a window
Searching for synchronization primitives
Connecting to a non-recommended domain
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
BAT/TrojanDropper.Agent
Link:
https://www.hybrid-analysis.com/sample/0455ebce0a62e2413a730a8e172cde5e6171d2a3569c4620c7e10a6ff04a3710
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-11-13T22:09:00Z UTC
Last seen:
2025-11-16T15:38:00Z UTC
Hits:
~10
Detections:
Trojan.Win64.DonutInjector.sb Trojan.Win32.Shellcode.sb HEUR:Trojan.BAT.Alien.gen Trojan.MSIL.Quasar.a Trojan.MSIL.Agent.sb Backdoor.MSIL.Agent.sb Trojan-PSW.MSIL.Agent.sb Trojan.Win64.Donut.sb Trojan.Win32.Vimditator.sb Trojan.Win32.Agent.sb Trojan.PowerShell.Cobalt.sb Backdoor.Win32.Androm Backdoor.MSIL.Cardinal.sb PDM:Trojan.Win32.Generic Trojan-Dropper.Win32.Injector.sb HEUR:Backdoor.MSIL.Agent.gen
Link:
https://opentip.kaspersky.com/0455ebce0a62e2413a730a8e172cde5e6171d2a3569c4620c7e10a6ff04a3710/results?tab=lookup
Result
Threat name:
DonutLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1814476
Signature
.NET source code contains potential unpacker
Benign windows process drops PE files
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Encrypted powershell cmdline option found
Found large BAT file
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected DonutLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1814476 Sample: LAYRE Injector.bat Startdate: 14/11/2025 Architecture: WINDOWS Score: 100 79 ipwho.is 2->79 95 Malicious sample detected (through community Yara rule) 2->95 97 Multi AV Scanner detection for submitted file 2->97 99 Yara detected DonutLoader 2->99 101 10 other signatures 2->101 10 cmd.exe 1 2->10         started        13 cmd.exe 1 2->13         started        15 cmd.exe 2->15         started        17 svchost.exe 1 1 2->17         started        signatures3 process4 dnsIp5 115 Suspicious powershell command line found 10->115 117 Uses cmd line tools excessively to alter registry or file data 10->117 119 Encrypted powershell cmdline option found 10->119 121 Bypasses PowerShell execution policy 10->121 20 cmd.exe 4 10->20         started        24 conhost.exe 10->24         started        26 cmd.exe 1 13->26         started        28 conhost.exe 13->28         started        30 cmd.exe 15->30         started        32 conhost.exe 15->32         started        77 127.0.0.1 unknown unknown 17->77 signatures6 process7 file8 63 C:\Users\user\...\05f88d6e1f6b69f2.bat, DOS 20->63 dropped 103 Suspicious powershell command line found 20->103 105 Uses cmd line tools excessively to alter registry or file data 20->105 107 Encrypted powershell cmdline option found 20->107 34 powershell.exe 23 20->34         started        37 powershell.exe 11 20->37         started        39 reg.exe 1 1 20->39         started        47 3 other processes 20->47 41 powershell.exe 15 26->41         started        43 conhost.exe 26->43         started        50 2 other processes 26->50 45 conhost.exe 30->45         started        52 3 other processes 30->52 signatures9 process10 file11 85 Injects code into the Windows Explorer (explorer.exe) 34->85 87 Writes to foreign memory regions 34->87 89 Creates a thread in another existing process (thread injection) 34->89 54 explorer.exe 42 29 34->54 injected 59 csc.exe 3 34->59         started        91 Found suspicious powershell code related to unpacking or dynamic code loading 37->91 93 Creates autostart registry keys with suspicious names 39->93 75 C:\Users\user\AppData\...\ps_6d3cfd89.ps1, Unicode 47->75 dropped signatures12 process13 dnsIp14 81 185.196.8.72, 38241, 49700, 49705 SIMPLECARRER2IT Switzerland 54->81 83 ipwho.is 15.204.213.5, 443, 49702 HP-INTERNET-ASUS United States 54->83 65 C:\Users\user\AppData\Roaming\...\SharpDX.dll, PE32 54->65 dropped 67 C:\Users\user\...\SharpDX.Mathematics.dll, PE32 54->67 dropped 69 C:\Users\user\...\SharpDX.Direct3D11.dll, PE32 54->69 dropped 73 11 other files (none is malicious) 54->73 dropped 109 System process connects to network (likely due to code injection or exploit) 54->109 111 Benign windows process drops PE files 54->111 113 Hides that the sample has been downloaded from the Internet (zone.identifier) 54->113 71 C:\Users\user\AppData\Local\...\21bf2yov.dll, PE32 59->71 dropped 61 cvtres.exe 1 59->61         started        file15 signatures16 process17
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0455ebce0a62e2413a730a8e172cde5e6171d2a3569c4620c7e10a6ff04a3710
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0455ebce0a62e2413a730a8e172cde5e6171d2a3569c4620c7e10a6ff04a3710/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/0455ebce0a62e2413a730a8e172cde5e6171d2a3569c4620c7e10a6ff04a3710
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-11-13 21:59:33 UTC
File Type:
Text (Batch)
AV detection:
9 of 37 (24.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ark6xtqkmlrecottbkhbolg6lzqxduvdk2oemigh4efg74ckg4ia._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
donutloader
Create hunting rule
Similar samples:
2da636aa556256d9634ac820779f84cdac7f767f2a92be6e5424862d8fcffd85
QuasarRAT
4efe314b3ef2de0406754664e6fe12a3bd9c25965fcff10a76ca39dc4050212e
QuasarRAT
5796230cdd9dac9064551b7e0aeecd62ff2c25808dfe854e774c54815f66c741
QuasarRAT
6a95f54230338584556d3dc370e1da5d4e326aab83c20413d446ab71a8f43d37
QuasarRAT
7830e7c10b53bf790efd4c6b5d52e0c31cb83d86378c2aeef96d7dc8d726f245
QuasarRAT
d3ef0e594e1984dfb2a32349c2ca01cecc9de210b3cc4358516a5ee5046b42f7
QuasarRAT
error
QuasarRAT
+ 11 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:quasar defense_evasion execution loader persistence spyware trojan
Link:
https://tria.ge/reports/251114-zsxkzasnel/
Behaviour
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Detects DonutLoader
DonutLoader
Donutloader family
Quasar RAT
Quasar family
Quasar payload
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0455ebce0a62/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0455ebce0a62e2413a730a8e172cde5e6171d2a3569c4620c7e10a6ff04a3710

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:SUSP_Base64
Create hunting rule
Author:Eslam Hassan
Description:Detects hex encoded code that has been base64 encoded
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Batch (bat) bat 0455ebce0a62e2413a730a8e172cde5e6171d2a3569c4620c7e10a6ff04a3710

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/38250/
  
URLhaus
https://urlhaus.abuse.ch/url/3707815/
  
Delivery method
Distributed via web download

Comments