MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b60bf8c65bfee063e53cb392d5c8c62e63a5bd08cc4ea9494d35cafec918e372. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuimaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments

SHA256 hash: b60bf8c65bfee063e53cb392d5c8c62e63a5bd08cc4ea9494d35cafec918e372
SHA3-384 hash: 97039266e4a42aa6ad22d4aece926f23c8ec58f5c07c51ae0b8c248eb7bc2bc72aefd7a95488ee7d9a99e76eee001e3b
SHA1 hash: 32ff469b1b845de37babb1dbddf43a6142aa9c3b
MD5 hash: 431e9c678364bff9f3dafbfc8d685329
humanhash: orange-august-bakerloo-aspen
File name:ssa_document.vbs
Download: download sample
Signature QuimaRAT
File size:5'356'070 bytes
First seen:2026-07-09 09:36:42 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 49152:/2QeVQaRm1w57xCKHYL/lwZuOfxqOXq9lp8nNN9xQGV5LUTw0lgNz9Cqv/9T:e
TLSH T1EF4602F493EC3ECE27ACBA15F694BF2D8D9892C7145C034F6E4D64812AE36259C93C94
Magika vba
Reporter smica83
Tags:QuimaRAT vbs

Intelligence


File Origin
# of uploads :
1
# of downloads :
71
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
90.2%
Tags:
shell spawn java sage
Result
Threat name:
QuimaRAT
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Creates autostart registry keys to launch java
Creates processes via WMI
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
Queries DNS domain through GetComputerNameExW (potential sandbox evasion)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Potential Persistence Via Logon Scripts - CommandLine
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: PowerShell Base64 Encoded WMI Classes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses WMIC command to query system information (often done to detect virtual machines)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (surpress errors)
WScript reads language and country specific registry keys (likely country aware script)
Yara detected QuimaRAT
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1939819 Sample: ssa_document.vbs Startdate: 09/07/2026 Architecture: WINDOWS Score: 100 73 ipinfo.io 2->73 75 ip-api.com 2->75 89 Multi AV Scanner detection for submitted file 2->89 91 Yara detected QuimaRAT 2->91 93 Sigma detected: PowerShell Base64 Encoded Invoke Keyword 2->93 95 14 other signatures 2->95 10 wscript.exe 5 2->10         started        13 javaw.exe 2->13         started        15 javaw.exe 2->15         started        signatures3 process4 signatures5 111 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->111 113 Suspicious execution chain found 10->113 115 WScript reads language and country specific registry keys (likely country aware script) 10->115 17 javaw.exe 6 10->17         started        20 cmd.exe 1 10->20         started        22 cmd.exe 1 10->22         started        24 MpCmdRun.exe 10->24         started        process6 file7 69 C:\Users\user\AppData\...\ssa_document.lib, Zip 17->69 dropped 26 javaw.exe 18 17->26         started        31 certutil.exe 2 20->31         started        33 conhost.exe 20->33         started        35 conhost.exe 22->35         started        37 where.exe 1 22->37         started        39 conhost.exe 24->39         started        process8 dnsIp9 77 ip-api.com 208.95.112.1, 49702, 80 TUT-AS-TotalUptimeTechnologiesLLCUS United States 26->77 79 147.124.222.192, 4445, 49696 MAJESTIC-HOSTING-01-MajesticHostingSolutionsLLCUS United States 26->79 81 2 other IPs or domains 26->81 71 C:\Users\user\AppData\Roaming\...\sys_wd.vbs, ASCII 26->71 dropped 117 Suspicious powershell command line found 26->117 119 Uses cmd line tools excessively to alter registry or file data 26->119 121 Encrypted powershell cmdline option found 26->121 123 Uses WMIC command to query system information (often done to detect virtual machines) 26->123 41 powershell.exe 11 26->41         started        44 cmd.exe 1 26->44         started        46 cmd.exe 26->46         started        48 3 other processes 26->48 125 Queries DNS domain through GetComputerNameExW (potential sandbox evasion) 31->125 file10 signatures11 process12 signatures13 97 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 41->97 99 Creates processes via WMI 41->99 101 Wscript called in batch mode (surpress errors) 41->101 50 wscript.exe 41->50         started        53 conhost.exe 41->53         started        103 Uses cmd line tools excessively to alter registry or file data 44->103 105 Uses WMIC command to query system information (often done to detect virtual machines) 44->105 55 reg.exe 1 1 44->55         started        57 conhost.exe 44->57         started        59 WMIC.exe 46->59         started        61 conhost.exe 46->61         started        107 Creates an undocumented autostart registry key 48->107 109 Loading BitLocker PowerShell Module 48->109 63 conhost.exe 48->63         started        65 conhost.exe 48->65         started        67 conhost.exe 48->67         started        process14 signatures15 83 Windows Scripting host queries suspicious COM object (likely to drop second stage) 50->83 85 Creates autostart registry keys to launch java 55->85 87 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 59->87
Gathering data
Result
Malware family:
n/a
Score:
  10/10
Tags:
adware defense_evasion execution persistence ransomware spyware
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Hide Artifacts: Ignore Process Interrupts
Adds Run key to start application
Deobfuscate/Decode Files or Information
Enumerates connected drives
Looks up external IP address via web service
Checks computer location settings
Registers new Windows logon scripts automatically executed at logon.
Boot or Logon Autostart Execution: Active Setup
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:detect_tiny_vbs
Author:daniyyell
Description:Detects tiny VBS delivery technique
Rule name:telebot_framework
Author:vietdx.mb
Rule name:Warp
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Author:Seth Hardy
Description:Warp Identifying Strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments