MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ded12aa1047596d73fd663a8d297bdc36a70e56174e62eeaad3fad48f611890c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ded12aa1047596d73fd663a8d297bdc36a70e56174e62eeaad3fad48f611890c
SHA3-384 hash: 13a6dfdfb84544c2f8922f243d225074f01155a23261d321368fd0cf70200aba5f7330a851085fea4fca1cbf6d929b71
SHA1 hash: 2d3e9a26d8086919ff33f7fc3f70b0db281f8b57
MD5 hash: 29354d2d510ee72492bb0252ca22d169
humanhash: purple-bluebird-six-beryllium
File name:fumot.bat
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:7'486'627 bytes
First seen:2025-02-25 11:41:23 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 49152:iezSiTp3cjnB4r12+o5+y9BpQzeUK4lqdj2arYqAdWxeoUkcRPyBJphVl7fxUjfk:c
Threatray 161 similar samples on MalwareBazaar
TLSH T18D76332297BC1DEE0E9CA33BD5E9BB6D3B540A720455E4DB42D42AC746BFB026D33424
Magika powershell
Reporter JAMESWT_WT
Tags:149-50-97-147 bat QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fumot.bat
Verdict:
No threats detected
Analysis date:
2025-02-25 12:12:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c8e52a38-2fd5-45d2-8ee0-bd2ada0766be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bdacb728ab76d43a5d0541
Tags:
vmdetect xtreme shell sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/67bdac9e6222db7f23db01c8/reports/13ffd006-9778-437a-bb85-425eeefd5c4e/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ded12aa1047596d73fd663a8d297bdc36a70e56174e62eeaad3fad48f611890c
Result
Verdict:
SUSPICIOUS
Details
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1623646
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1623646 Sample: fumot.bat Startdate: 25/02/2025 Architecture: WINDOWS Score: 100 40 ipwho.is 2->40 46 Suricata IDS alerts for network traffic 2->46 48 Yara detected Quasar RAT 2->48 50 Found large BAT file 2->50 52 2 other signatures 2->52 9 cmd.exe 1 2->9         started        signatures3 process4 signatures5 62 Suspicious powershell command line found 9->62 12 powershell.exe 22 31 9->12         started        16 powershell.exe 15 9->16         started        18 conhost.exe 9->18         started        20 cmd.exe 1 9->20         started        process6 dnsIp7 42 149.50.97.147, 4782, 49737, 49739 COGENT-174US United States 12->42 44 ipwho.is 195.201.57.90, 443, 49738 HETZNER-ASDE Germany 12->44 64 Writes to foreign memory regions 12->64 66 Modifies the context of a thread in another process (thread injection) 12->66 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->68 74 3 other signatures 12->74 22 winlogon.exe 12->22 injected 25 schtasks.exe 12->25         started        70 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->70 72 Uses schtasks.exe or at.exe to add and modify task schedules 16->72 27 findstr.exe 1 16->27         started        signatures8 process9 signatures10 54 Injects code into the Windows Explorer (explorer.exe) 22->54 56 Contains functionality to inject code into remote processes 22->56 58 Writes to foreign memory regions 22->58 60 3 other signatures 22->60 29 svchost.exe 22->29 injected 32 lsass.exe 22->32 injected 34 OfficeClickToRun.exe 22->34 injected 38 32 other processes 22->38 36 conhost.exe 25->36         started        process11 signatures12 76 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 29->76 78 Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes) 29->78 80 Queries temperature or sensor information (via WMI often done to detect virtual machines) 29->80 82 Installs new ROOT certificates 32->82 84 Writes to foreign memory regions 32->84 86 Creates files in the system32 config directory 34->86
Score:
71%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/ded12aa1047596d73fd663a8d297bdc36a70e56174e62eeaad3fad48f611890c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ded12aa1047596d73fd663a8d297bdc36a70e56174e62eeaad3fad48f611890c/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=33isviieowlnop6wmounff55ynvhbzlbottc52vnh6wur5qrrega._file
Verdict:
malicious
Label(s):
r77
Create hunting rule
Similar samples:
0999322e8a2a984b5400544b31a91ae8dd49b362a2517fe497a8e1455de07d8f
QuasarRAT
24bbfa8d70a5d5e74791b0af93c77802df7e965b14b0649aaec2ab8dd0e0c999
QuasarRAT
39fa01d351c5cdb6de9c4155f0c7d4241578ea02e5fc735c19faae312487dc20
QuasarRAT
4e722641d45ec7ae5032e827a6b311a82a0e0551865caf00c19e7eab85487f54
QuasarRAT
ac0c9ad2975e52b69068d331e25c0f7e1aaa2976651794b1eeadf5a3529bcaf0
QuasarRAT
b871ed20d46a9be3a4aedb5facad152ab24289b6866076cb7ffc59721ca7525c
QuasarRAT
d829b8ffdb11832632e9799419d78b649481d7b9b261ec587c6fc0fc20a76eee
QuasarRAT
e12902c413b76be7f75f527a84c41823e4b96417495c264dc09e77761a105931
QuasarRAT
e27fbbd008427ab109877123d328bac58fabbf82febee4a36bf8412c28da73a4
QuasarRAT
e9b236e4b6ba598d2ae4be581c166cf486cbc86a47fffb87b7d05cb09d75073b
QuasarRAT
error
QuasarRAT
+ 151 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/250225-nt3ylawkz5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ded12aa1047596d73fd663a8d297bdc36a70e56174e62eeaad3fad48f611890c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments