MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3a49cdef256d313ae4245701b15a9767f208dbadbd18d9f36870b3829a9f91c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 5

Intelligence 5 IOCs YARA 5 File information Comments

SHA256 hash:	d3a49cdef256d313ae4245701b15a9767f208dbadbd18d9f36870b3829a9f91c
SHA3-384 hash:	04dc330b404a78b24f8268a79481a941a9e3e9ccc00f5a9cfd165cd8f6f6f8a24cae533d6724d7519844829b2b6c44ae
SHA1 hash:	86ebc3b38cd1bc666f187a67e08fcdfdee0c35b1
MD5 hash:	6f51f83a9614f8cbd061227813ad55c5
humanhash:	fruit-arizona-kentucky-uniform
File name:	Full_Unboxing_Process_Inspection_Record.zip
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	103'252'407 bytes
First seen:	2026-05-27 11:15:36 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	3145728:Q8IieNUx84MS/S/MiVx44hXhMOLiQCnbvQslQD/cw9QL:Q8IiuUu4MJ/P44HMUiQUJlKVQL
TLSH	T1F938333BC5A93A5561F3E8521EE62B4B021D85E0613FC5D9C91751884BF4BABCE2FB30
Magika	zip
Reporter	JAMESWT_WT
Tags:	QuasarRAT sharedrivedocuments-com zip

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 6 file(s), sorted by their relevance:

File name:	vcruntime140_1.dll
File size:	49'776 bytes
SHA256 hash:	6a99bc0128e0c7d6cbbf615fcc26909565e17d4ca3451b97f8987f9c6acbc6c8
MD5 hash:	c0c0b4c611561f94798b62eb43097722
MIME type:	application/x-dosexec
Signature	QuasarRAT

File name:	USERENV.dll
File size:	104'857'600 bytes
SHA256 hash:	37defe4f6bf4f1ae62eda25f06dae43d337fd2fb3939e531246814d7ff405536
MD5 hash:	9de2797c8ca6180b99e06f452188a3bf
MIME type:	application/x-dosexec
Signature	QuasarRAT

File name:	config.dat
File size:	16'059'412 bytes
SHA256 hash:	bb7575dfa84314fc58f49675aef0ea51ef6020ee1d70866b6b4ba4412b7fdbad
MD5 hash:	5b9361f7f13adae0a221b942743f9c34
MIME type:	application/zip
Signature	QuasarRAT

File name:	vcruntime140.dll
File size:	120'400 bytes
SHA256 hash:	052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4
MD5 hash:	32da96115c9d783a0769312c0482a62d
MIME type:	application/x-dosexec
Signature	QuasarRAT

File name:	Full_Unboxing_Process_Inspection_Record.exe
File size:	1'042'824 bytes
SHA256 hash:	e60134d5e7774c5d7e35f2de0f81bf5ad07d8b1bd93e32112be12a12291293ec
MD5 hash:	ab44a68a77d4953c1c8204848ca3f537
MIME type:	application/x-dosexec
Signature	QuasarRAT

File name:	msvcp140.dll
File size:	575'568 bytes
SHA256 hash:	b99eb28a471311113f5c4109cb3c463f39cfd9bdb3b07f706204dedddb4516a1
MD5 hash:	7acbc57d268a691247b4a94fecfa42b4
MIME type:	application/x-dosexec
Signature	QuasarRAT

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/4b71ac34-6248-4562-b1b3-282f7f16c437/

Verdict:

Suspicious

Score:

50%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a16cef55d76862ef9483be7

Tags:

injection dropper core

Result

Verdict:

Clean

File Type:

PE File

Link:

https://app.docguard.net/d3a49cdef256d313ae4245701b15a9767f208dbadbd18d9f36870b3829a9f91c/results/dashboard

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/d3a49cdef256d313ae4245701b15a9767f208dbadbd18d9f36870b3829a9f91c

Score:

Verdict:

Benign

File Type:

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar adware defense_evasion discovery link pdf persistence privilege_escalation spyware trojan

Link:

https://tria.ge/reports/260527-rm44vshx3y/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Kills process with taskkill

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Browser Information Discovery

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Enumerates processes with tasklist

Adds Run key to start application

Family: Quasar RAT

Quasar payload

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample