MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30d27ff95354ee56096e7f06f5eb0f64d895c996f6ff8e45c781f1c14b542373. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30d27ff95354ee56096e7f06f5eb0f64d895c996f6ff8e45c781f1c14b542373
SHA3-384 hash: dc88b87d4e63e949d045a012475d7792c2a534741d05a2aa6f6295917879b161a2c9e9eacbd586244db9e4309e4bd833
SHA1 hash: 7a3d784e4f737786b54a177c80275a91ee7076c2
MD5 hash: 5289d05b6525f474898a5541ff32adfd
humanhash: tennessee-johnny-spaghetti-echo
File name:Tyrone.dll
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'534'848 bytes
First seen:2024-09-06 12:53:22 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 98304:Uv98fGTl6Cy5XAtd9D+5p4w0GE7aGtUM:Uv92R5X+FBIGtT
Threatray 2'090 similar samples on MalwareBazaar
TLSH T1BCF52216EA90DB6FCAD651B3C5E52810C3A59A03D50EE717350570E39D133EFAE0A2EB
TrID 87.2% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter NDA0E
Tags:dll geo GRC PiraeusBank QuasarRAT unpacked

Intelligence

File Origin
# of uploads :
1
# of downloads :
372
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Win.Malware.Zusy-10009321-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66dafb6c8e12b8124ac95dc0
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/66dafb7a5c270e35fa44c504/reports/2cbe0325-55b5-4ed4-a166-16e41bc2fbe5/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/30d27ff95354ee56096e7f06f5eb0f64d895c996f6ff8e45c781f1c14b542373
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/32c8f9fa-db43-42e5-a38f-5d81582116d8
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1505599
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1505599 Sample: Tyrone.dll Startdate: 06/09/2024 Architecture: WINDOWS Score: 60 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Machine Learning detection for sample 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/30d27ff95354ee56096e7f06f5eb0f64d895c996f6ff8e45c781f1c14b542373
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30d27ff95354ee56096e7f06f5eb0f64d895c996f6ff8e45c781f1c14b542373/
Threat name:
Win32.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2024-09-06 12:54:05 UTC
File Type:
PE (.Net Dll)
Extracted files:
6
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gdjh76ktktxfmclop4dpl2ypmtmjlsmw637y4rohqhy4cs2uenzq._file
Verdict:
malicious
Similar samples:
035b784824ed07c31f8d100b3d92777b5c83ca9113d882a75f13e8b0e283892d
QuasarRAT
2a346621e42f809c9cbfaf01bd2baa682838165f5e24c7c945f855671fc457e4
QuasarRAT
78fa533a638b518f838be240f431580d19df296894c35a0cfb3f652312d7d2aa
QuasarRAT
cbe4153add0b29b67e77346f502369fd6430c3903dd15f66109169653a77a320
QuasarRAT
+ 2'080 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/240906-p47j7sxhkg/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
30d27ff95354ee56096e7f06f5eb0f64d895c996f6ff8e45c781f1c14b542373
MD5 hash:
5289d05b6525f474898a5541ff32adfd
SHA1 hash:
7a3d784e4f737786b54a177c80275a91ee7076c2
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/6b70e436-eb7d-40d3-b42f-eb1c675349ec/
Parent samples :
c40f2fe5758bf18b22131930c426b2551b191d4ec50ea072a232895d006eace1
30d27ff95354ee56096e7f06f5eb0f64d895c996f6ff8e45c781f1c14b542373
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Quasar
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/30d27ff95354ee56096e7f06f5eb0f64d895c996f6ff8e45c781f1c14b542373

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

QuasarRAT

Executable exe c40f2fe5758bf18b22131930c426b2551b191d4ec50ea072a232895d006eace1

QuasarRAT

DLL dll 30d27ff95354ee56096e7f06f5eb0f64d895c996f6ff8e45c781f1c14b542373

(this sample)

  
Dropped by
SHA256 c40f2fe5758bf18b22131930c426b2551b191d4ec50ea072a232895d006eace1
  
Dropped by
MD5 1e66ed26d089fb5a4070d6ed4706ef0c

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments