MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8efa4b4e70869e4c2c7119e5c1518c8166141e6376d7d95768b932fe083bc1ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8efa4b4e70869e4c2c7119e5c1518c8166141e6376d7d95768b932fe083bc1ae
SHA3-384 hash: d66d7ae238c8cd142c2031bb81807863809592340f8803d75ba238aeb16edbbc38a94333c3e19e29a4143a8ee8c8f096
SHA1 hash: 489c1c05832a9017537b960ad22942e288b3e926
MD5 hash: a3a854066345e14b4b463782320d9a0d
humanhash: golf-eighteen-cardinal-failed
File name:quotation REQ.vbs
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:8'938'658 bytes
First seen:2025-04-03 16:13:25 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 192:34W4u4W4u4W4u4W4u4W4u4W4u4W4u4W4u4W4u4W4u4W4u4W4u4W4u4W4u4W4u4Wa:3xO7k0hAeVb
TLSH T11696C8C531EE5081FAB77F029932B5145E3E7983AD3EC6AC4845921989B7E04CCF2B67
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika vba
Reporter abuse_ch
Tags:QuasarRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
63
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/359/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67eeb6f7855e5ec5240d12a5
Tags:
autorun dropper shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive powershell
Link:
https://www.filescan.io/uploads/67eeb3da9a455902911505b8/reports/2b02d8da-91d6-434e-8153-4df6b271ed9a/overview
Verdict:
Malicious
Labled as:
HEUR_Trojan_Script_Generic
Link:
https://www.hybrid-analysis.com/sample/8efa4b4e70869e4c2c7119e5c1518c8166141e6376d7d95768b932fe083bc1ae
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1655859
Signature
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Paste sharing url in reverse order
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (surpress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1655859 Sample: quotation REQ.vbs Startdate: 03/04/2025 Architecture: WINDOWS Score: 100 81 textbin.net 2->81 83 paste.ee 2->83 91 Malicious sample detected (through community Yara rule) 2->91 93 Multi AV Scanner detection for submitted file 2->93 95 Sigma detected: Paste sharing url in reverse order 2->95 99 12 other signatures 2->99 11 wscript.exe 1 2->11         started        14 powershell.exe 2->14         started        16 powershell.exe 2->16         started        18 powershell.exe 11 2->18         started        signatures3 97 Connects to a pastebin service (likely for C&C) 83->97 process4 signatures5 119 Suspicious powershell command line found 11->119 121 Wscript starts Powershell (via cmd or directly) 11->121 123 Uses schtasks.exe or at.exe to add and modify task schedules 11->123 127 2 other signatures 11->127 20 powershell.exe 7 11->20         started        23 schtasks.exe 1 11->23         started        25 schtasks.exe 1 11->25         started        27 wscript.exe 14->27         started        29 conhost.exe 14->29         started        31 wscript.exe 16->31         started        33 conhost.exe 16->33         started        125 Wscript called in batch mode (surpress errors) 18->125 35 conhost.exe 18->35         started        37 wscript.exe 18->37         started        process6 signatures7 101 Suspicious powershell command line found 20->101 103 Encrypted powershell cmdline option found 20->103 105 Bypasses PowerShell execution policy 20->105 109 2 other signatures 20->109 39 powershell.exe 14 19 20->39         started        44 conhost.exe 20->44         started        46 conhost.exe 23->46         started        48 conhost.exe 25->48         started        107 Wscript starts Powershell (via cmd or directly) 27->107 50 powershell.exe 27->50         started        52 powershell.exe 31->52         started        process8 dnsIp9 85 paste.ee 23.186.113.60, 443, 49715, 49717 KLAYER-GLOBALNL Reserved 39->85 87 textbin.net 104.21.96.1, 443, 49714, 49716 CLOUDFLARENETUS United States 39->87 79 C:\Users\user\AppData\Local\Temp\dll03.ps1, Unicode 39->79 dropped 115 Potential dropper URLs found in powershell memory 39->115 54 powershell.exe 15 39->54         started        117 Wscript called in batch mode (surpress errors) 50->117 57 conhost.exe 50->57         started        59 wscript.exe 50->59         started        61 conhost.exe 52->61         started        63 wscript.exe 52->63         started        file10 signatures11 process12 file13 75 __________________...________-------.lnk, MS 54->75 dropped 77 C:\Users\user\AppData\Local\Temp\xx2.vbs, ASCII 54->77 dropped 65 powershell.exe 23 54->65         started        68 powershell.exe 11 54->68         started        70 powershell.exe 54->70         started        process14 signatures15 89 Loading BitLocker PowerShell Module 65->89 72 powershell.exe 1 11 65->72         started        process16 signatures17 111 Creates autostart registry keys with suspicious values (likely registry only malware) 72->111 113 Creates autostart registry keys with suspicious names 72->113
Score:
75%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/8efa4b4e70869e4c2c7119e5c1518c8166141e6376d7d95768b932fe083bc1ae
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8efa4b4e70869e4c2c7119e5c1518c8166141e6376d7d95768b932fe083bc1ae/
Threat name:
Script.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-04-02 19:15:00 UTC
File Type:
Text (VBS)
AV detection:
4 of 36 (11.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r35ewttqq2peyldrdhs4cummqftbihtdo3l5sv3ixezp4cb3ygxa._file
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office04 defense_evasion discovery execution persistence spyware trojan
Link:
https://tria.ge/reports/250403-tp9s8syxbw/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Hide Artifacts: Hidden Window
Checks computer location settings
Drops startup file
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
michiko.linkpc.net:4447
Dropper Extraction:
https://textbin.net/raw/ezjmofz3s6
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8efa4b4e70869e4c2c7119e5c1518c8166141e6376d7d95768b932fe083bc1ae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/359/

Comments