MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d78baa99cdaa1c5037167f9a0b2f4aa65f694ac32af8c84d71e152542a970850. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	d78baa99cdaa1c5037167f9a0b2f4aa65f694ac32af8c84d71e152542a970850
SHA3-384 hash:	1618ee41e14e6f4cd938835b133637a6458ca03b74ee781fecc41562d251e188034aa8b9392bc2fb8fa21ef05b4cc3b7
SHA1 hash:	64db0245d31874f1b1378300708acc3fdd0c4c41
MD5 hash:	46606f39941acbcfe136254053a7685c
humanhash:	fillet-aspen-uranus-kitten
File name:	Zamówienie_89118___Metal-Constructions.pdf (1).lzh
Download:	download sample
Signature	QuasarRAT Alert Create hunting rule
File size:	3'912'635 bytes
First seen:	2024-11-12 08:52:33 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	98304:bT8OQIbUfRIoAGEp4Jg5YNzJ3J+bsixXprsq328FC+cSBUR0p249:dAfRP96YVJMHxXpYq3LU4UR0E8
TLSH	T1990633604259B1EC5C3978C2CB42AA183C1BE35791D3C32AB7E4B96F2B52B61D037E5D
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	nfsec_pl
Tags:	exe pdf QuasarRAT rar

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

513

Origin country :

PL

File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

Relevant files 2

File name:	Zamówienie 89118 _ Metal-Constructions.pdf.com
File size:	4'089'344 bytes
SHA256 hash:	94ebfdfd713a28f05375cb3db05fa5223f67ef6d0e79d724c1d1fb808476227b
MD5 hash:	00ffe69dfb698299710ce724102c38d0
MIME type:	application/x-dosexec
Signature	QuasarRAT

File name:	32512
File size:	20 bytes
SHA256 hash:	f92b2e6fdab489931fa1c9d4eb2ca0550be38b6b883780ff7664ff47788999da
MD5 hash:	7dd9d92965b042af3e6ff7a9631fe629
MIME type:	application/octet-stream
Signature	QuasarRAT

Vendor Threat Intelligence

CyberFortress Malicious

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=673317acaf2d3dc89feee169

Tags:

infosteal autorun gumen

Hybrid Analysis Mal/DrodRar

Verdict:

Malicious

Labled as:

Mal/DrodRar

Link:

https://www.hybrid-analysis.com/sample/d78baa99cdaa1c5037167f9a0b2f4aa65f694ac32af8c84d71e152542a970850

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d78baa99cdaa1c5037167f9a0b2f4aa65f694ac32af8c84d71e152542a970850/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.Perseus

Threat name:

ByteCode-MSIL.Trojan.Perseus

Alert

Create hunting rule

Status:

Malicious

First seen:

2024-11-12 09:08:37 UTC

File Type:

Binary (Archive)

Extracted files:

25

AV detection:

18 of 38 (47.37%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=26f2vgonviofanywp6nawl2kuzpwsswdfl4mqtlr4fjfikuxbbia._file

Hatching Triage quasar

Result

Malware family:

quasar

Alert

Create hunting rule

Score:

  10/10

Tags:

family:quasar botnet:code discovery spyware trojan

Link:

https://tria.ge/reports/241112-k42lqszalj/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

Quasar RAT

Quasar family

Quasar payload

Malware Config

C2 Extraction:

twart.myfirewall.org:9792
rency.ydns.eu:5287
wqo9.firewall-gateway.de:8841

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d78baa99cdaa1c5037167f9a0b2f4aa65f694ac32af8c84d71e152542a970850