MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4cdc7632ae0821d13906a9ca0b02a257997a0c2512c07f25053df70f92ea195. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4cdc7632ae0821d13906a9ca0b02a257997a0c2512c07f25053df70f92ea195
SHA3-384 hash: 2b56fb0af597eae3c063d66a5d76bd4c0271ac3921de2c2f2cb523c82219c77f987d9f782e6c69a23c616fa91581638c
SHA1 hash: 713ab1b3ec50c2dcf7355088200f5a3138e10ce3
MD5 hash: 535bb6394cff394ab195b7a8bd073e01
humanhash: uranus-jig-alpha-freddie
File name:z54ComprobantedePago.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'801'088 bytes
First seen:2025-05-27 12:00:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:ko+3RVXUtu3oB2dW72vniW2DLWqWGE+tl3DjU:koU3X6u3AGWCv2jWGEel3DjU
Threatray 38 similar samples on MalwareBazaar
TLSH T1780633FE7098432EEE564A33CD44D430E502DD6F4BC4839BA80E7D2BB639E1D6264D69
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 78c0db4cea7aa0fc (33 x AveMariaRAT, 23 x QuasarRAT, 1 x Loki)
Reporter FXOLabs
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
580
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
z54ComprobantedePago.exe
Verdict:
Malicious activity
Analysis date:
2025-05-27 12:00:51 UTC
Tags:
auto-reg confuser crypto-regex
Link:
https://app.any.run/tasks/d9769920-f3b2-45a2-a2ae-861c0523f353

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5837/
Detection(s):
Win.Malware.Mardom-9901704-0
Create hunting rule

PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6835aaecacf88f5815e791de
Tags:
autorun packed virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 confuser confuserex net obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/6835a955fd02ed5e058a24aa/reports/4c63484c-ad8b-48fb-9b79-fa83095bc9cf/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/d4cdc7632ae0821d13906a9ca0b02a257997a0c2512c07f25053df70f92ea195
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ba57455-661e-45fc-b016-42320e5960a6
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1699775
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses threadpools to delay analysis
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1699775 Sample: z54ComprobantedePago.exe Startdate: 27/05/2025 Architecture: WINDOWS Score: 100 52 pbensoauptfouresdopsopsseead.ydns.eu 2->52 54 mjoatboating.ydns.eu 2->54 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Antivirus / Scanner detection for submitted sample 2->64 66 6 other signatures 2->66 11 z54ComprobantedePago.exe 1 2->11         started        15 Client.exe 2->15         started        signatures3 process4 file5 50 C:\Users\...\z54ComprobantedePago.exe.log, ASCII 11->50 dropped 78 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->78 80 Uses schtasks.exe or at.exe to add and modify task schedules 11->80 82 Injects a PE file into a foreign processes 11->82 84 Uses threadpools to delay analysis 11->84 17 z54ComprobantedePago.exe 4 11->17         started        21 z54ComprobantedePago.exe 2 11->21         started        23 Client.exe 15->23         started        25 Client.exe 15->25         started        signatures6 process7 file8 48 C:\Users\user\AppData\Roaming\...\Client.exe, PE32 17->48 dropped 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->58 27 Client.exe 1 17->27         started        30 schtasks.exe 1 17->30         started        32 WerFault.exe 23->32         started        signatures9 process10 signatures11 70 Antivirus detection for dropped file 27->70 72 Multi AV Scanner detection for dropped file 27->72 74 Injects a PE file into a foreign processes 27->74 76 Uses threadpools to delay analysis 27->76 34 Client.exe 2 27->34         started        38 Client.exe 27->38         started        40 conhost.exe 30->40         started        process12 dnsIp13 56 mjoatboating.ydns.eu 186.251.115.164, 4785, 49688, 49693 WEBNETCOMERCIODEEQUIPAMENTOSLTDABR Brazil 34->56 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 34->68 42 schtasks.exe 34->42         started        44 WerFault.exe 2 38->44         started        signatures14 process15 process16 46 conhost.exe 42->46         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d4cdc7632ae0821d13906a9ca0b02a257997a0c2512c07f25053df70f92ea195
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4cdc7632ae0821d13906a9ca0b02a257997a0c2512c07f25053df70f92ea195/
Threat name:
ByteCode-MSIL.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-05-27 12:01:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2tg4oyzk4cbb2e4qnkokbmbkev4zpigckewap4sqkppxb6jougkq._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
0901494ca99f6080fd12276cf98de5689cd4e0da9c797954d6d832492ac21e81
QuasarRAT
101786e62aeb6f62129bb39ea1b58cc587de9483a2409a1c95a61a32aa202627
QuasarRAT
1c1e6f8a36871157f3c8e9544ace1ce91fdd5cd11915650b92b3ec158c444072
QuasarRAT
903387d93c8c1a877a89e1c8cb95b56ae96762f8694b0f95ee05ec6676936aa1
QuasarRAT
d65862ab1d8dfcba06ab6e1fc40d109d9c644cac4e02ef0c8fb30f96ec199b61
QuasarRAT
e4826272c8040d809f0813cd2835821d40ae2744d13968d1860e62fae5e7ac37
QuasarRAT
error
QuasarRAT
+ 28 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office05 discovery spyware trojan
Link:
https://tria.ge/reports/250527-n6efrsgk5z/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
mjoatboating.ydns.eu:4785
pbensoauptfouresdopsopsseead.ydns.eu:4786
Verdict:
Malicious
Tags:
red_team_tool Win.Malware.Mardom-9901704-0
YARA:
SUSP_NET_NAME_ConfuserEx
Link:
https://app.threat.zone/submission/115b3dd2-f5cb-4604-b94b-93c6a88820a2
Unpacked files
SH256 hash:
d4cdc7632ae0821d13906a9ca0b02a257997a0c2512c07f25053df70f92ea195
MD5 hash:
535bb6394cff394ab195b7a8bd073e01
SHA1 hash:
713ab1b3ec50c2dcf7355088200f5a3138e10ce3
Link:
https://www.unpac.me/results/5a2da7a5-c151-43f6-9fe4-061856ce7703/
SH256 hash:
16668b68fe8634b020612e401fd815588d9068d0091bce9e86643573d1a024df
MD5 hash:
d3a306c500d9d05b00015fefa023c5c4
SHA1 hash:
23e5d5a4059b38eef3ae17dfa4e642e74da4f130
Detections:
QuasarRAT
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
MAL_BackNet_Nov18_1
Create hunting rule
INDICATOR_EXE_Packed_Fody
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Link:
https://www.unpac.me/results/5a2da7a5-c151-43f6-9fe4-061856ce7703/
SH256 hash:
7c884a0ac4350d7669ecddc4af1b2f2a9196f8d244466c6ed673f19d29359d2c
MD5 hash:
c84378022dd0e6841bcb694765ad9cc4
SHA1 hash:
3ba6a2a2c016d6fdf4304389852415fad3bda0c7
Link:
https://www.unpac.me/results/5a2da7a5-c151-43f6-9fe4-061856ce7703/
SH256 hash:
5b624a4824e8ab517524e6b007636dc3260ffbfeac563c3a25ee9e847017269e
MD5 hash:
ce805c75c391af97f0168b9798454fc4
SHA1 hash:
4989431a314c426e1151282a05fd0baf54b2b385
Detections:
SUSP_NET_NAME_ConfuserEx
Create hunting rule
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
INDICATOR_EXE_Packed_ConfuserEx_Custom
Create hunting rule
Link:
https://www.unpac.me/results/5a2da7a5-c151-43f6-9fe4-061856ce7703/
SH256 hash:
60ca1574d0c916d1f5686bcf871488710a2677a68c94f65a2be47d707976c061
MD5 hash:
d8c04d4e36632b4d5fb0ffab446877ed
SHA1 hash:
6092ad4043c572c8a5616f8a1b343aa94bca25a3
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
HKTL_NET_GUID_Quasar
Create hunting rule
Link:
https://www.unpac.me/results/5a2da7a5-c151-43f6-9fe4-061856ce7703/
Parent samples :
d65862ab1d8dfcba06ab6e1fc40d109d9c644cac4e02ef0c8fb30f96ec199b61
969ae30c1e3ef08840b3fd85f4abe4ef6eef6eb41257bcb58be3126a5cfeb872
d4cdc7632ae0821d13906a9ca0b02a257997a0c2512c07f25053df70f92ea195
3a336deb4df669600491e2d9736f05f2b04b4eb11a25e082f3409a2fbfc12cf4
e66ca5568b7156f5d0d890b4a996705b103be6a14fe74673e980f4636de98ebb
337de3ec21865f342e56f5c6f1a831533050ccb46fe717b620b708853577b549
19575aa4bd61808dfe0ff0b2428cbd9e91ec74e49978f1ed7b95039f454b5d71
86e4f01efa31f2491341bcc774c318ef1bda2d1dcd1bbce13b463c2f1b517221
94e36ae9ccadc3ab6bdf0e2aa5be7d4927f61a9b2bc572bc78f06569372e5652
72408c6e85f34e8002d8e0439afef5823a5e6f45ef2cec0b6f8457365d56120c
ed943a94a73e12300c6fe833b553cddd1cefda33fd849300447e33d33c0758c7
da1725bbfd77ba1824cb501a5e6614c715531aa5b9d0e98151840173e9f26046
6c2b4ca9e169f3d71f3fa2962b947c0f7b1e358e2e7ce6c9ee12778e0679f6b1
0bdc4e6fdc8e32408990cff8e711a21a86e02007d6a1683b7129e76c2bc1ebbd
7e9868f4da3238a549866769de126d9ef902b19c4760701d8f883f54bf8961c0
511ace09e2e37545e0f12232fb3ad7da230f0c55ea803fa14ae84530257069b6
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d4cdc7632ae0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4cdc7632ae0821d13906a9ca0b02a257997a0c2512c07f25053df70f92ea195

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Dlls
Create hunting rule
Rule name:Costura_Protobuf
Create hunting rule
Author:@bartblaze
Description:Identifies Costura and Protobuf in .NET assemblies, respectively for storing resources and (de)serialization. Seen together might indicate a suspect binary.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_EXE_Packed_ConfuserEx_Custom
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Custom; outside of GIT
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:MAL_BackNet_Nov18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects BackNet samples
Reference:https://github.com/valsov/BackNet
Rule name:MAL_BackNet_Nov18_1_RID2D6D
Create hunting rule
Author:Florian Roth
Description:Detects BackNet samples
Reference:https://github.com/valsov/BackNet
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

Executable exe d4cdc7632ae0821d13906a9ca0b02a257997a0c2512c07f25053df70f92ea195

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/5837/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments