MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce54308e4ba6119f23d6e430e936d1f7dc5f8156c61003e05883c7adbf94e9d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 19


Intelligence 19 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce54308e4ba6119f23d6e430e936d1f7dc5f8156c61003e05883c7adbf94e9d9
SHA3-384 hash: 6555f24ebada8b3017f586c3ba9a705e329f73ae6756a41863793093d3be270059e0f158a6ab5447e07bd77ba86711eb
SHA1 hash: fe47d1646972e85667408a28d8db2f2c17b7a313
MD5 hash: 07a4d2a1981e4159e744e3f0bb8d655f
humanhash: five-table-idaho-oxygen
File name:Quote RFQ #00926720250204.pdf(39kb).com
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'786'752 bytes
First seen:2025-02-11 17:27:17 UTC
Last seen:2025-02-11 18:44:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:6inq/fUlXQu4UB5uq8yPk4KVJgGSg/RSpSTddPTC:3q/fyD4UAlyfKV7Sg/QwTrP
Threatray 1'091 similar samples on MalwareBazaar
TLSH T1230633D03216F306ED661630D925EDB452E81CE8F101B6E39FDE3B97B9D9205A91CF22
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 40e1f8ecc4c46969 (13 x Formbook, 5 x MassLogger, 3 x AgentTesla)
Reporter abuse_ch
Tags:com exe QuasarRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
480
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f22d1f55-034f-4121-9ef4-544d1f8aa74a.zip
Verdict:
No threats detected
Analysis date:
2025-02-10 23:55:26 UTC
Tags:
arch-email
Link:
https://app.any.run/tasks/24a68540-6741-4fe5-a200-f9b2833bf2ea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3221.13202.15321.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67aa17f749f32dfb0d82da37
Tags:
autorun virus sage remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
DNS request
Setting a keyboard event handler
Connection attempt
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm masquerade obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67ab88b9feebe5d008ea01c1/reports/3f0f17a9-886a-4181-ad0c-953c8b4b00f9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ce54308e4ba6119f23d6e430e936d1f7dc5f8156c61003e05883c7adbf94e9d9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d10d19ca-d49b-4d5a-88fe-a3c2860b035c
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1612340
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1612340 Sample: Quote RFQ #00926720250204.p... Startdate: 11/02/2025 Architecture: WINDOWS Score: 100 52 twart.myfirewall.org 2->52 54 ipwho.is 2->54 62 Suricata IDS alerts for network traffic 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 10 other signatures 2->68 11 Quote RFQ #00926720250204.pdf(39kb).com.exe 3 2->11         started        15 Excelworkbook.exe 2 2->15         started        signatures3 process4 file5 50 Quote RFQ #0092672...f(39kb).com.exe.log, ASCII 11->50 dropped 74 Injects a PE file into a foreign processes 11->74 17 Quote RFQ #00926720250204.pdf(39kb).com.exe 4 11->17         started        21 Quote RFQ #00926720250204.pdf(39kb).com.exe 11->21         started        23 Quote RFQ #00926720250204.pdf(39kb).com.exe 11->23         started        25 Excelworkbook.exe 2 15->25         started        27 Excelworkbook.exe 15->27         started        29 Excelworkbook.exe 15->29         started        signatures6 process7 file8 48 C:\Users\user\AppData\...xcelworkbook.exe, PE32 17->48 dropped 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->60 31 Excelworkbook.exe 3 17->31         started        34 schtasks.exe 1 17->34         started        signatures9 process10 signatures11 76 Multi AV Scanner detection for dropped file 31->76 78 Machine Learning detection for dropped file 31->78 80 Injects a PE file into a foreign processes 31->80 36 Excelworkbook.exe 15 2 31->36         started        40 Excelworkbook.exe 31->40         started        42 conhost.exe 34->42         started        process12 dnsIp13 56 twart.myfirewall.org 94.156.177.117, 49736, 9792 NET1-ASBG Bulgaria 36->56 58 ipwho.is 195.201.57.90, 443, 49737 HETZNER-ASDE Germany 36->58 70 Hides that the sample has been downloaded from the Internet (zone.identifier) 36->70 72 Installs a global keyboard hook 36->72 44 schtasks.exe 1 36->44         started        signatures14 process15 process16 46 conhost.exe 44->46         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ce54308e4ba6119f23d6e430e936d1f7dc5f8156c61003e05883c7adbf94e9d9
Detection:
quasar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ce54308e4ba6119f23d6e430e936d1f7dc5f8156c61003e05883c7adbf94e9d9/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-02-10 07:22:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zzkdbdsluyiz6i6w4qyosnwr67of7akwyyiahycyqpd23p4u5hmq._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
quasarrat
Create hunting rule
Similar samples:
2234c3a3350dbeba11b7564dc52d5aa1252777f9ffe8dcf4027dcb54fc4542aa
QuasarRAT
94ebfdfd713a28f05375cb3db05fa5223f67ef6d0e79d724c1d1fb808476227b
QuasarRAT
a1ba76a8c187d43080d95acfb939a54d1b1c83546bbb4547990bbfcafd88c307
QuasarRAT
error
QuasarRAT
fd12d28d6b8030ec8e3d28c13ce562dc0f42b085806401b02a1155a6f44eb19c
QuasarRAT
fd3b039df3e9a565b6964276f98c61d4555f3f3dabf1a9d76604f9ff4d4b3fb7
QuasarRAT
+ 1'081 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:es code discovery spyware trojan
Link:
https://tria.ge/reports/250211-v1mzaatqaq/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
twart.myfirewall.org:9792
rency.ydns.eu:5287
wqo9.firewall-gateway.de:8841
code1.ydns.eu:5287
wqo9.firewall-gateway.de:9792
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f4ff8367-f33f-494e-8baf-6b52ab192f2a
Unpacked files
SH256 hash:
ce54308e4ba6119f23d6e430e936d1f7dc5f8156c61003e05883c7adbf94e9d9
MD5 hash:
07a4d2a1981e4159e744e3f0bb8d655f
SHA1 hash:
fe47d1646972e85667408a28d8db2f2c17b7a313
Link:
https://www.unpac.me/results/ed0eef94-fb92-42bb-859d-ea4bb522ea48/
SH256 hash:
831112cfe94663f82c37e9248b5f2ef550df73acc45b48aaf8e887075d65ef43
MD5 hash:
d4a9f59b6d54011b5f7fd3a43a19e554
SHA1 hash:
457b4e5ace081542c184cc5fdeb20f5595d538ba
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/ed0eef94-fb92-42bb-859d-ea4bb522ea48/
SH256 hash:
f0746fe2f3afe1bbd0c39066154070d44db4ce53f09fcad46fab631516bc632f
MD5 hash:
23a64ff7fd9b41474f76e81a2274fa27
SHA1 hash:
8b0c8b9f1399392e5b98d95f54dc1e82d469697b
Detections:
QuasarRAT
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
win_quasarrat_j2
Create hunting rule
win_quasar_rat_client
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_QuasarStealer
Create hunting rule
Link:
https://www.unpac.me/results/ed0eef94-fb92-42bb-859d-ea4bb522ea48/
Parent samples :
7300535ef26158bdb916366b717390fc36eb570473ed7805c18b101367c68af5
cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1
0d6a9673eb3db83be393b8e85fceb372b5fbad79ce1c56bd92ea4b6b3166f657
ce54308e4ba6119f23d6e430e936d1f7dc5f8156c61003e05883c7adbf94e9d9
f332c9615a0633c97e162e3a76c4c75d3a9c64492a3656d0c6d3f06f89383928
SH256 hash:
e712bcd56fe64742c0f674f3acff83490f8103c260ea3389f56151b5066b7cd3
MD5 hash:
7bad4197d1ae020c9049a782eb9a71d2
SHA1 hash:
e1253047ea92beb7d161b106765ad8b03bc86b1e
Link:
https://www.unpac.me/results/ed0eef94-fb92-42bb-859d-ea4bb522ea48/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ce54308e4ba6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ce54308e4ba6119f23d6e430e936d1f7dc5f8156c61003e05883c7adbf94e9d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments