MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 439029a463f3c7f9151420d749e3f71b0642ea939cb5b733934f8eabb292e07d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 439029a463f3c7f9151420d749e3f71b0642ea939cb5b733934f8eabb292e07d
SHA3-384 hash: b47ee5e1e6a3f0a280b34faf61802309b2ea6933d37d424af804f7232963c3a46a825f47d4bfd5b697526f5106fcc274
SHA1 hash: ff81c617c884de1d736e28e397a6c02d1c3bf1bd
MD5 hash: c96e68d0c43fe10bd7da2cc804f7ebc2
humanhash: virginia-pizza-mockingbird-fillet
File name:Especificación de pedido n.° 202590058.pdf(48KB).com
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:5'881'344 bytes
First seen:2025-05-14 06:02:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 98304:pGym0uE5GHx8Iu+ToUy4GBml8EXnPU91K52kPdm:pGym0u9x8IpoUyhUHfsI2z
Threatray 40 similar samples on MalwareBazaar
TLSH T16446236A3BD75404C1BD4FB2C83409846771E6D22A4AEB7E35D913FC4E9369BE602363
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
446
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
Especificación de pedido n.° 202590058.pdf(48KB).com
Verdict:
Malicious activity
Analysis date:
2025-05-14 06:05:14 UTC
Tags:
netreactor auto-reg rat quasar remote evasion
Link:
https://app.any.run/tasks/6e707024-2a3f-4542-a9d3-632aa74fa63b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.22740.15795.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682432db4a59e5a2ce0463f2
Tags:
virus remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process from a recently created file
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated obfuscated vbnet
Link:
https://www.filescan.io/uploads/6824321d0e63989625839913/reports/385dfbb9-74d4-4bba-aa8d-4bbfca0969e6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/439029a463f3c7f9151420d749e3f71b0642ea939cb5b733934f8eabb292e07d
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/163c4a92-34ea-4fd0-8dcb-59bdbc3c3e83
Result
Threat name:
AsyncRAT, DarkTortilla, Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1689596
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected DarkTortilla Crypter
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1689596 Sample: Especificaci#U00f3n de pedi... Startdate: 14/05/2025 Architecture: WINDOWS Score: 100 42 twart.myfirewall.org 2->42 44 ipwho.is 2->44 46 edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 2->46 54 Suricata IDS alerts for network traffic 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 10 other signatures 2->60 11 Especificaci#U00f3n de pedido n.#U00b0 202590058.pdf(48KB).com.exe 3 2->11         started        15 Excelbook.exe 2 2->15         started        signatures3 process4 file5 40 Especificaci#U00f3...f(48KB).com.exe.log, ASCII 11->40 dropped 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->68 70 Injects a PE file into a foreign processes 11->70 17 Especificaci#U00f3n de pedido n.#U00b0 202590058.pdf(48KB).com.exe 4 11->17         started        21 Excelbook.exe 15->21         started        signatures6 process7 file8 38 C:\Users\user\AppData\...xcelbook.exe, PE32 17->38 dropped 52 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->52 23 Excelbook.exe 3 17->23         started        26 schtasks.exe 1 17->26         started        signatures9 process10 signatures11 62 Multi AV Scanner detection for dropped file 23->62 64 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->64 66 Injects a PE file into a foreign processes 23->66 28 Excelbook.exe 15 2 23->28         started        32 conhost.exe 26->32         started        process12 dnsIp13 48 ipwho.is 108.181.47.111, 443, 49725 ASN852CA Canada 28->48 50 twart.myfirewall.org 107.150.0.72, 49723, 9792 ASN-QUADRANET-GLOBALUS United States 28->50 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->72 74 Installs a global keyboard hook 28->74 34 schtasks.exe 28->34         started        signatures14 process15 process16 36 conhost.exe 34->36         started       
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/439029a463f3c7f9151420d749e3f71b0642ea939cb5b733934f8eabb292e07d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/439029a463f3c7f9151420d749e3f71b0642ea939cb5b733934f8eabb292e07d/
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-05-13 11:46:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
216
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ioictjdd6pd7sfiuedluty7xdmdef2utts23om4tj6hkxmus4b6q._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
0b84e664c8b592aa0220d52841629b2accb41f1f624720331000ab5f2f0ed628
QuasarRAT
2259304db67dd25fa5ce47bde5b1c8cffab23292c2cec7d3bc2a0c303aace85b
QuasarRAT
32aa4355cbed96bc5f95b9e18425fcfa9e3191007e13e2e6764eb8355f276c8d
QuasarRAT
3dbbe5d8d72bb915d2a7788665c1db4ae5d461dbea63ac7a4ec00f0581880dac
QuasarRAT
4a23db5ce6616e586397a0ac25de51cc1450f4217009715f8ac809b20d377b39
QuasarRAT
4d45801772b476bb53a0fed32db423b19b97310d6c5ec2779b108cdcdf1ced6a
QuasarRAT
7f3ce13c39b8aa0202357579138c56a684a5c0aad61b8b5c1f3fd20f12afa916
QuasarRAT
dc20017aaf4eeba0943edb41bbc0296b6d08d996eb3a86562347d7c33e2a7f5c
QuasarRAT
error
QuasarRAT
ffbf3107cf8103f738975e913dbaf5acac850e5c498ec7329ef40d566b9502ab
QuasarRAT
+ 30 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:may 13 discovery spyware trojan
Link:
https://tria.ge/reports/250514-gr4nsavkt6/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
twart.myfirewall.org:9792
rency.ydns.eu:5287
wqo9.firewall-gateway.de:8841
code1.ydns.eu:5287
wqo9.firewall-gateway.de:9792
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/febe98a3-09cb-4cc7-bfb7-5ec171ad122f
Unpacked files
SH256 hash:
439029a463f3c7f9151420d749e3f71b0642ea939cb5b733934f8eabb292e07d
MD5 hash:
c96e68d0c43fe10bd7da2cc804f7ebc2
SHA1 hash:
ff81c617c884de1d736e28e397a6c02d1c3bf1bd
Link:
https://www.unpac.me/results/9103df08-31fa-4864-8a3b-9f613b533c4f/
SH256 hash:
5aeb83beafb0f856088558f81793ee01a41c354e6dc21a2be1751369996cb0ae
MD5 hash:
1fa3281d6775c0e1655cb8dd18283a36
SHA1 hash:
baa6cd9cf98bea4cbd77b6723199f4462ce462f8
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/9103df08-31fa-4864-8a3b-9f613b533c4f/
Parent samples :
25e7b4a4506156b21627a511e0435f2d270b3fdf593661fc731a40d33a85f8ae
439029a463f3c7f9151420d749e3f71b0642ea939cb5b733934f8eabb292e07d
c28e2c53bc6c36944f7b3fd5265b3fbe614ef947024457930610490e8dcd49ea
8ef7abfdd24d21c93e8eea69b21c11e77ecfd54f2bd7cd2b96828c60ad26791b
dafdb8d5e55223962a8da88583c50ab4c9f774402744bafbe9d7440a96f3fa18
ae78caabec6a4241c64357ca5ca05de2e181fe253963de528807bf051fc3608e
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/439029a463f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Quasar
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/439029a463f3c7f9151420d749e3f71b0642ea939cb5b733934f8eabb292e07d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Diff_QuasarRAT_01
Create hunting rule
Author:schmidtsz
Description:Identify QuasarRAT samples
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Description:Detects QuasarRAT malware
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:quasarrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:quasarrat_kingrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RC6_Constants
Create hunting rule
Author:chort (@chort0)
Description:Look for RC6 magic constants in binary
Reference:https://twitter.com/mikko/status/417620511397400576
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Generic_Threat_803feff4
Create hunting rule
Author:Elastic Security
Rule name:win_quasar_rat_client
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in Quasar Rat Samples.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

Executable exe 439029a463f3c7f9151420d749e3f71b0642ea939cb5b733934f8eabb292e07d

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments