MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a4b1c2b3a236bc7cac25c9aa07163d9eb19233065e88b7304ce6e46c6a36e0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a4b1c2b3a236bc7cac25c9aa07163d9eb19233065e88b7304ce6e46c6a36e0f
SHA3-384 hash: daf14cf4d30275506246bd6383873ae2e333b16443e32b6cc0b41e740b42e802d1ba9b0dc1311d973a4eefaf9660e41f
SHA1 hash: aa77eebba993f3e79b4971f5c135286e40b066a1
MD5 hash: 7fa95c2554a74e0805581e20305069d8
humanhash: princess-orange-mountain-undress
File name:GB-lesson-forms.dll
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:71'680 bytes
First seen:2024-09-06 12:53:03 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 768:ZPTaoFDaqKkUESuNf/x7vHTV16S18fsnkKAm44eQcgr+7U2B2gZUd8Y51IZGTMhJ:ZTaqDaqKZbuNjq4NcgT2Rw1IeMhVix6
Threatray 338 similar samples on MalwareBazaar
TLSH T17B630A8DBE21DA66C66D0B77C417110781B74427D422F7AA5DDAADF20E3A728C20BF53
TrID 88.8% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
3.9% (.EXE) Win64 Executable (generic) (10523/12/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win32 Executable (generic) (4504/4/1)
0.7% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter NDA0E
Tags:dll geo GRC injector PiraeusBank QuasarRAT unpacked

Intelligence

File Origin
# of uploads :
1
# of downloads :
372
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Win.Packed.Msilheracles-10031801-0
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66dafb30f3d7ccf99f902a52
Tags:
Packed
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/66dafb785c270e35fa44c502/reports/58f6b20f-5a40-4366-99e5-b8aaaf2182bd/overview
Verdict:
Malicious
Labled as:
MSIL/Injector.VVB trojan
Link:
https://www.hybrid-analysis.com/sample/7a4b1c2b3a236bc7cac25c9aa07163d9eb19233065e88b7304ce6e46c6a36e0f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/863277c1-5a68-4391-9ee1-968a83e13da3
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1505596
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1505596 Sample: GB-lesson-forms.dll Startdate: 06/09/2024 Architecture: WINDOWS Score: 56 15 Multi AV Scanner detection for submitted file 2->15 17 .NET source code contains potential unpacker 2->17 19 AI detected suspicious sample 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Score:
6%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/7a4b1c2b3a236bc7cac25c9aa07163d9eb19233065e88b7304ce6e46c6a36e0f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a4b1c2b3a236bc7cac25c9aa07163d9eb19233065e88b7304ce6e46c6a36e0f/
Threat name:
Win32.Trojan.InjectorX
Create hunting rule
Status:
Malicious
First seen:
2024-09-05 15:10:43 UTC
File Type:
PE (.Net Dll)
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjfrykz2env4pswclsnka4ld3hvrsizqmxuiw4yezzxenrvdnyhq._file
Verdict:
unknown
Similar samples:
0f8e7a0dea80b398195c5b24326a61e51b5a6d5d7658c0a26e67213b24e36911
QuasarRAT
7a52724e8dd312054edb1fe92f4661be8a4696efe209edfec3f43b7fb8fac3c8
QuasarRAT
827b585be59db284704a585700546262b2e33b6ebecbf0fd9f95097af2068a64
QuasarRAT
df40a36c01c2a67d0343913950f8c79d0937dcb2e29d7fa4d12dba92128efc02
QuasarRAT
e2044dd132ed43d44de5f48a18f60d5eb804cbf568ab117002272172b8757da8
QuasarRAT
+ 328 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/240906-p469faxbrl/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
7a4b1c2b3a236bc7cac25c9aa07163d9eb19233065e88b7304ce6e46c6a36e0f
MD5 hash:
7fa95c2554a74e0805581e20305069d8
SHA1 hash:
aa77eebba993f3e79b4971f5c135286e40b066a1
Link:
https://www.unpac.me/results/dcceef25-579d-4da0-85f6-b7e4f48bbf96/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Quasar
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/7a4b1c2b3a236bc7cac25c9aa07163d9eb19233065e88b7304ce6e46c6a36e0f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

QuasarRAT

Executable exe c40f2fe5758bf18b22131930c426b2551b191d4ec50ea072a232895d006eace1

QuasarRAT

DLL dll 7a4b1c2b3a236bc7cac25c9aa07163d9eb19233065e88b7304ce6e46c6a36e0f

(this sample)

  
Dropped by
SHA256 c40f2fe5758bf18b22131930c426b2551b191d4ec50ea072a232895d006eace1
  
Dropped by
MD5 1e66ed26d089fb5a4070d6ed4706ef0c

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments