MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdc2106e6e47fe9e06e5c1b655b8428706cf3db33e31b854ddf3e1269d9c7978. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdc2106e6e47fe9e06e5c1b655b8428706cf3db33e31b854ddf3e1269d9c7978
SHA3-384 hash: b8ea507f116dcc1458fe516e5d6e68fc243670b9784a0466a334c56f59cfa00c06565fb384b54cad010a5d6b229499f6
SHA1 hash: 28aafd5139784deda4ab303c30e782b8b03044cf
MD5 hash: 05e21b9d9c6966a4997a4ec7fcd205bd
humanhash: east-romeo-one-utah
File name:NEW QUOTE_2.vbs
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:8'938'658 bytes
First seen:2025-04-03 16:13:33 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 192:0y7yTy7yTy7yTy7yTy7yTy7yTy7yTy7yTy7yTy7yTy7yTy7yTy7yTy7yTy7yTy7P:IxO7k0hAJM+K
Threatray 33 similar samples on MalwareBazaar
TLSH T11796C8013BFC2A417AFB4F87157615216ABF3CA58E38863C43A104590E75E86EE74B7B
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika unknown
Reporter abuse_ch
Tags:QuasarRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
63
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/361/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ed02ddcfd0a37f830c31b6
Tags:
autorun dropper shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive powershell
Link:
https://www.filescan.io/uploads/67eeb3ddb070fb3f945e56dd/reports/a7058d40-586e-46ea-b25b-99309eb69b48/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/cdc2106e6e47fe9e06e5c1b655b8428706cf3db33e31b854ddf3e1269d9c7978
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1655857
Signature
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Paste sharing url in reverse order
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (surpress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1655857 Sample: NEW QUOTE_2.vbs Startdate: 03/04/2025 Architecture: WINDOWS Score: 100 82 textbin.net 2->82 84 paste.ee 2->84 94 Malicious sample detected (through community Yara rule) 2->94 96 Multi AV Scanner detection for submitted file 2->96 98 Sigma detected: Paste sharing url in reverse order 2->98 102 12 other signatures 2->102 11 wscript.exe 1 2->11         started        14 powershell.exe 2->14         started        16 powershell.exe 2->16         started        18 2 other processes 2->18 signatures3 100 Connects to a pastebin service (likely for C&C) 84->100 process4 dnsIp5 122 Suspicious powershell command line found 11->122 124 Wscript starts Powershell (via cmd or directly) 11->124 126 Uses schtasks.exe or at.exe to add and modify task schedules 11->126 130 2 other signatures 11->130 21 powershell.exe 7 11->21         started        24 schtasks.exe 1 11->24         started        26 schtasks.exe 1 11->26         started        28 wscript.exe 14->28         started        30 conhost.exe 14->30         started        32 wscript.exe 16->32         started        34 conhost.exe 16->34         started        86 127.0.0.1 unknown unknown 18->86 128 Wscript called in batch mode (surpress errors) 18->128 36 conhost.exe 1 18->36         started        38 wscript.exe 18->38         started        signatures6 process7 signatures8 104 Suspicious powershell command line found 21->104 106 Encrypted powershell cmdline option found 21->106 108 Bypasses PowerShell execution policy 21->108 112 2 other signatures 21->112 40 powershell.exe 14 19 21->40         started        45 conhost.exe 21->45         started        47 conhost.exe 24->47         started        49 conhost.exe 26->49         started        110 Wscript starts Powershell (via cmd or directly) 28->110 51 powershell.exe 28->51         started        53 powershell.exe 32->53         started        process9 dnsIp10 88 paste.ee 23.186.113.60, 443, 49682, 49689 KLAYER-GLOBALNL Reserved 40->88 90 textbin.net 104.21.32.1, 443, 49681, 49688 CLOUDFLARENETUS United States 40->90 80 C:\Users\user\AppData\Local\Temp\dll03.ps1, Unicode 40->80 dropped 118 Potential dropper URLs found in powershell memory 40->118 55 powershell.exe 13 40->55         started        120 Wscript called in batch mode (surpress errors) 51->120 58 conhost.exe 51->58         started        60 wscript.exe 51->60         started        62 conhost.exe 53->62         started        64 wscript.exe 53->64         started        file11 signatures12 process13 file14 76 __________________...________-------.lnk, MS 55->76 dropped 78 C:\Users\user\AppData\Local\Temp\xx2.vbs, ASCII 55->78 dropped 66 powershell.exe 23 55->66         started        69 powershell.exe 9 55->69         started        71 powershell.exe 55->71         started        process15 signatures16 92 Loading BitLocker PowerShell Module 66->92 73 powershell.exe 1 9 66->73         started        process17 signatures18 114 Creates autostart registry keys with suspicious values (likely registry only malware) 73->114 116 Creates autostart registry keys with suspicious names 73->116
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/cdc2106e6e47fe9e06e5c1b655b8428706cf3db33e31b854ddf3e1269d9c7978
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cdc2106e6e47fe9e06e5c1b655b8428706cf3db33e31b854ddf3e1269d9c7978/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-04-02 09:26:54 UTC
File Type:
Text (VBS)
AV detection:
7 of 36 (19.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zxbba3toi77j4bxfyg3floccq4dm6pnthyy3qvg56pqsnhm4pf4a._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
144aceb7df9d01346ecbae3be8b94dccc23378d93936db251f6ccd6e60be9c99
QuasarRAT
17dd3793d4bbf9e90e53df26678489a7b82e65d1eeecf396eb088b444a164f85
QuasarRAT
19b9972f970ca207cf8494582bdf8c68b8a1f9cbbc9a8df0151d05c26cb9b3a1
QuasarRAT
2810c06ccf0230a24179363862bfd4e88dab05b1b39fb229d75b8f01973fdb80
QuasarRAT
3a07acb9e24dace059cea1a5c9c90f457e3c0d3e823805ae2fd0241d75917fc2
QuasarRAT
3c313c19ce509197f848990ef3837d2fdf55ed5d9eb2ddf2f1cd9f35e41bd664
QuasarRAT
82f69d218791526f3724c1e6fcf7e73272182067c80f4d037557289863a241aa
QuasarRAT
8efa4b4e70869e4c2c7119e5c1518c8166141e6376d7d95768b932fe083bc1ae
QuasarRAT
cdff410d32d5b177320f80eb8bc6be51de994bd11cc17e7013ae400e1947ca6f
QuasarRAT
error
QuasarRAT
+ 23 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office04 defense_evasion discovery execution persistence spyware trojan
Link:
https://tria.ge/reports/250403-tqd3ys1pz6/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Hide Artifacts: Hidden Window
Checks computer location settings
Drops startup file
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
michiko.linkpc.net:4447
Dropper Extraction:
https://textbin.net/raw/ezjmofz3s6
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cdc2106e6e47fe9e06e5c1b655b8428706cf3db33e31b854ddf3e1269d9c7978

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/361/

Comments