MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04bf1d08978c90bfc106df524a0dcdd7b54f10bf2f3c336616a379ffd4c8048c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	04bf1d08978c90bfc106df524a0dcdd7b54f10bf2f3c336616a379ffd4c8048c
SHA3-384 hash:	0f3dd8119fabec148a488d3c4faedb307a66aca466e834cd4e6fa1a456ed5e14226771baf13a067082096c76740ce2cd
SHA1 hash:	d28d0b00a098a21a39c2e2f0bd2ae2ca7cc8d481
MD5 hash:	fab6bd4140c123b7b7a8e17b02c8c4a0
humanhash:	nevada-blossom-beer-oregon
File name:	msedge.vbs
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	16'426 bytes
First seen:	2025-07-09 02:21:00 UTC
Last seen:	2025-07-09 07:47:19 UTC
File type:	vbs
MIME type:	text/plain
ssdeep	384:VVvnuUcprxAyCs5Z+KmY+uwuoLuR2I4LT4FKTDhqQVf:LnuTt2CZ+ZMAYKf
Threatray	83 similar samples on MalwareBazaar
TLSH	T11872EE39A7589FF00B6B32E4925B3D0130A51322EA35DD7EA4D7887C3F666148FA50EC
Magika	vba
Reporter	skocherhan
Tags:	github-mwona QuasarRAT vbs

skocherhan

https://github.com/mwona/dlikg/raw/refs/heads/main/msedge.vbs

Intelligence

File Origin

# of uploads :

2

# of downloads :

42

Origin country :

GB

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/13611/

Detection(s):

TwinWave.EvilVBA.LostAtSeaFuncInDirection.20240306.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686dd226c9eb97473767c2e4

Tags:

obfuscate xtreme shell

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 obfuscated obfuscated powershell

Link:

https://www.filescan.io/uploads/686dd22861f15fb42a35f42f/reports/3404abf6-8bb9-4d66-b3d4-6759faafb3d4/overview

Verdict:

Malicious

Labled as:

Trojan/VBS.GuLoader

Link:

https://www.hybrid-analysis.com/sample/04bf1d08978c90bfc106df524a0dcdd7b54f10bf2f3c336616a379ffd4c8048c

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/04bf1d08978c90bfc106df524a0dcdd7b54f10bf2f3c336616a379ffd4c8048c

Verdict:

Malware

YARA:

1 match(es)

Tags:

DeObfuscated Obfuscated T1059.005 VBScript WScript.Network

Link:

https://app.malva.re/file/fab6bd4140c123b7b7a8e17b02c8c4a0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/04bf1d08978c90bfc106df524a0dcdd7b54f10bf2f3c336616a379ffd4c8048c/

Threat name:

Script-WScript.Backdoor.Remcos

Status:

Malicious

First seen:

2025-07-09 02:21:24 UTC

File Type:

Text (VBS)

AV detection:

8 of 24 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=as7r2cexrsil7qig35jeudon262u6ef7f46dgzqwun477vgiasga._file

Verdict:

malicious

Label(s):

quasarrat

Similar samples:

2c9a9dad74ed9892e2d73dc8a1bbfcdd46d6d9d54a4625a803842d734a5a8ec2

2d8821983c48f3fb813804c6ff14ed75253b272aff98eb01c4070d4067e09fac

460aee4c6279b5f331b977efbe7484cfb7333dc4a028e9843fca3ab12195f2fd

4a5598e056a1f35b8638a606f9870ad2f05f00bd38076e5cf66fc99cb6309b19

4e40a4f48a6143ff7ab5b87cb65babba42c5704e65f0002109249f1b50194be7

e5eafff4d2ee9c74bf0a7d6ac2606211ca572a6ab0e06e5a279b6a4031e5f515

e7078c1080db9dafe06ac8258d4d685cbdef80ab0363ac7438dcef8c3bf554b1

+ 73 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar botnet:inmg1 defense_evasion discovery execution persistence spyware trojan

Link:

https://tria.ge/reports/250709-cs6sbasnx9/

Behaviour

Kills process with taskkill

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Quasar RAT

Quasar family

Quasar payload

Malware Config

C2 Extraction:

194.37.81.104:4782

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/04bf1d08978c90bfc106df524a0dcdd7b54f10bf2f3c336616a379ffd4c8048c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/13611/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample