MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54e199788100b76b9d2344c39a0807146ed4d2346eab14f61707b7814b907d97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkTortilla

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	54e199788100b76b9d2344c39a0807146ed4d2346eab14f61707b7814b907d97
SHA3-384 hash:	ab1e4d3fb3dbdff5ddc671ac5c6b8accf0280a2699185f91672925ca76a9cb4cb4ce303a2fe09651c5ce6052749700dd
SHA1 hash:	22c6f32d63323f11d029b6415204beedd3054737
MD5 hash:	90f98d4093807d838b1224e41e64a7f9
humanhash:	arkansas-red-lithium-blossom
File name:	54e199788100b76b9d2344c39a0807146ed4d2346eab14f61707b7814b907d97
Download:	download sample
Signature	DarkTortilla Create hunting rule
File size:	5'536'256 bytes
First seen:	2025-08-12 14:55:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	98304:V/wmKB526pCSP7GImvSyrdD1nU9Q37PE4rm:V0LCSPKLKyrs9Ibr
Threatray	1'178 similar samples on MalwareBazaar
TLSH	T1F446236A3781BC04E13E8BB5E424E4C237F292CA5B42C75D3DE643D87F0229BBB51656
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	DarkTortilla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

quasar

ID:

File name:

54e199788100b76b9d2344c39a0807146ed4d2346eab14f61707b7814b907d97

Verdict:

Malicious activity

Analysis date:

2025-08-12 23:47:03 UTC

Tags:

auto-reg quasar

Link:

https://app.any.run/tasks/0b74ef2c-1942-4710-98ad-f0e9b0d1c4e5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

QuasarStealer

Link:

https://www.capesandbox.com/analysis/20867/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=689b5a19fca70bd90e8f1e68

Tags:

virus msil remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Launching a process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

crypt formbook obfuscated obfuscated obfuscated vbnet

Link:

https://www.filescan.io/uploads/689b73c3397fd3ce6fa669cf/reports/764b0ff2-c13a-4339-9133-2278b5a44b67/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/54e199788100b76b9d2344c39a0807146ed4d2346eab14f61707b7814b907d97

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/418402c3-d7f0-477a-bec9-2e0e6a97fd7f

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/54e199788100b76b9d2344c39a0807146ed4d2346eab14f61707b7814b907d97

Gathering data

Threat name:

Win32.Backdoor.Quasar

Status:

Malicious

First seen:

2025-07-30 05:08:45 UTC

File Type:

PE (.Net Exe)

Extracted files:

303

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ktqzs6ebac3wxhjditbzucahcrxnjurun2vrj5qxa63ycs4qpwlq._file

Verdict:

malicious

Label(s):

quasarrat

DarkTortilla

457e291dc62946ab2dc1cb558ffca2e90e5ebbd4a27013c5a23930339aedb978

DarkTortilla

468ba790ac48bf4dd494f11153ee26a5ea5a34da611a7f294f6917fa7ec107c4

DarkTortilla

7a62db0392b21129e68eccf0dc5e49981e7f93e73d3de7325d721745c21694d0

DarkTortilla

fabdbed3ca32060b91bb42fa91805c87a811ce4487ebcec656bac9cbb8ad1a3e

DarkTortilla

+ 1'168 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:darktortilla family:quasar botnet:sim crypter discovery execution loader persistence spyware trojan

Link:

https://tria.ge/reports/250812-vg51rafk9x/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Executes dropped EXE

Darktortilla

Darktortilla family

Detects Darktortilla crypter.

Quasar RAT

Quasar family

Quasar payload

Malware Config

C2 Extraction:

yuba.ydns.eu:6921

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a1aa68fa-3fc1-4d73-83c0-7f4aa88c0129

Unpacked files

SH256 hash:

54e199788100b76b9d2344c39a0807146ed4d2346eab14f61707b7814b907d97

MD5 hash:

90f98d4093807d838b1224e41e64a7f9

SHA1 hash:

22c6f32d63323f11d029b6415204beedd3054737

Link:

https://www.unpac.me/results/8e9224ae-1e9f-4065-8ea7-1fcbcf2075ef/

SH256 hash:

20fc4e9db71293bc9d2cbbbc6afcca00ab3a03f8914c59ecc20728a3b6b2e25c

MD5 hash:

4db77020a487727af0479cfee8497e07

SHA1 hash:

1d58ab80c9be1fd15cbc895fbc987ff283cd738a

Link:

https://www.unpac.me/results/8e9224ae-1e9f-4065-8ea7-1fcbcf2075ef/

SH256 hash:

da4cb91d96214c7134a9e8799fdf241bd6b8103eecd4efb1b8c228ca3c8e7e91

MD5 hash:

9a06e083cd0531927dcd616b9b601ffa

SHA1 hash:

9584f7e1c8ab7be5900762abcaedf20cb92e4ae7

Link:

https://www.unpac.me/results/8e9224ae-1e9f-4065-8ea7-1fcbcf2075ef/

SH256 hash:

2cb5b8fbcd0994c8371837858c1f6dfe8e0de017e86437c7aee38d710209f10a

MD5 hash:

4f5880d558000b383fbb6efb21100997

SHA1 hash:

d2ceb9140d797b0f4db46a0a02c274e4fe89f349

Link:

https://www.unpac.me/results/8e9224ae-1e9f-4065-8ea7-1fcbcf2075ef/

SH256 hash:

50a6915e6bc15f11b5f7a5ff8a6dc3dce2863baba6a64482dc2c477041479789

MD5 hash:

6a809860c4708c7c7aad2fa0b4a7eac1

SHA1 hash:

e751027a71698f11b13fc1bad46a87de0e96e0aa

Detections:

QuasarRAT

cn_utf8_windows_terminal

malware_windows_xrat_quasarrat

MAL_QuasarRAT_May19_1

win_quasarrat_j2

win_quasar_rat_client

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_GENInfoStealer

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_QuasarStealer

Link:

https://www.unpac.me/results/8e9224ae-1e9f-4065-8ea7-1fcbcf2075ef/

Parent samples :

6af042955207ac4aa13b739d44ab6292af8892ac013444326d15ead0fefdfabe
7085e3a803cd04ff43f726c07816734eb4fcf9499b432d67e35c193c663cde1b
54e199788100b76b9d2344c39a0807146ed4d2346eab14f61707b7814b907d97
d25df8d5b45fe5cd79e2b45896459838b06ccc9abf6358d97232af011d273976
50a6915e6bc15f11b5f7a5ff8a6dc3dce2863baba6a64482dc2c477041479789

Malware family:

QuasarRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/54e199788100/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/54e199788100b76b9d2344c39a0807146ed4d2346eab14f61707b7814b907d97

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/20867/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample