MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4922484284c90de832ea50a4e2866490af799b31dfcb81f5d4034c3ce8b6bbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 33 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4922484284c90de832ea50a4e2866490af799b31dfcb81f5d4034c3ce8b6bbf
SHA3-384 hash: e69dcd7a8310cdb2cb22300a13392e0b2a6011ebded5bcb02b3a5c6b62dda2d2c2f1cb95c2887cbb1073857bdfeb47ca
SHA1 hash: 171abf989b319faca6b938ec7de15936a40fbc14
MD5 hash: efb9e2a66b26b9b22305ed1dab4e5c05
humanhash: yankee-football-monkey-lithium
File name:Same.dll
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:10'622'528 bytes
First seen:2025-05-07 11:54:52 UTC
Last seen:2025-05-08 11:36:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ccb27245a23c5bdda9bf357f4cd4e994 (2 x QuasarRAT)
ssdeep 98304:aGQkg0iG+/HtSoz/7DM7DxVsYjT7t2XvkOciIgZwBEgNH7sy:ukg0RKlz/PoP/jNicOhGrbz
Threatray 67 similar samples on MalwareBazaar
TLSH T1F4B6F71016B939E6D063463589FECD7095327D9A751C80AF0096BF1FBD32A439E39B3A
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter SquiblydooBlog
Tags:exe QuasarRAT XTRA-Software-s-r-o

Intelligence

File Origin
# of uploads :
2
# of downloads :
424
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Same.dll
Verdict:
No threats detected
Analysis date:
2025-05-07 13:39:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6160b90e-e0c7-4088-91d6-728c59c7cf61

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.415.27732.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681b4a6991991ead82b5cd0c
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Сreating synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a file
Searching for the window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context crypto fingerprint masquerade microsoft_visual_cc packed signed
Link:
https://www.filescan.io/uploads/681b4a2dd95f3e34e962f149/reports/c324d954-a9c8-463d-b213-7dbd85fb8824/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e4922484284c90de832ea50a4e2866490af799b31dfcb81f5d4034c3ce8b6bbf
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02bb62cc-6565-4d9f-8b26-462d4d9ae248
Result
Threat name:
AsyncRAT, Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1683820
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1683820 Sample: Same.dll.exe Startdate: 08/05/2025 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for dropped file 2->39 41 5 other signatures 2->41 9 Same.dll.exe 2->9         started        process3 signatures4 43 Writes to foreign memory regions 9->43 45 Allocates memory in foreign processes 9->45 47 Injects a PE file into a foreign processes 9->47 12 jsc.exe 5 9->12         started        process5 file6 29 C:\Users\user\AppData\...\1T4jFNh034EZ.bat, DOS 12->29 dropped 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->49 16 cmd.exe 1 12->16         started        signatures7 process8 signatures9 31 Uses ping.exe to sleep 16->31 33 Uses ping.exe to check the status of other devices and networks 16->33 19 jsc.exe 1 16->19         started        21 conhost.exe 16->21         started        23 PING.EXE 1 16->23         started        25 chcp.com 1 16->25         started        process10 process11 27 conhost.exe 19->27         started       
Score:
81%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e4922484284c90de832ea50a4e2866490af799b31dfcb81f5d4034c3ce8b6bbf
Detection:
quasar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e4922484284c90de832ea50a4e2866490af799b31dfcb81f5d4034c3ce8b6bbf/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4sjcjbbijsin5azouufe4kdgjefppgntdx6lqh25ia2mhtulno7q._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
2bfbfbbdf7e25b14eff30cc07c26813e412260bc1dae49031267d67178c50cf4
QuasarRAT
2d9c25a814fafdf9a21265b9334bd85b2e743152321e36176caf3dd73114e07a
QuasarRAT
541839fe7623032434e20d98257721efe196caf10d55b53977cdd1c67c21977e
QuasarRAT
6d448e79ef62be1081ec91ff47410d6f287224b0f711e14a15fb9775d8e23327
QuasarRAT
cbd1f7fef1ed76517001dcca72689f7ac1f3fca1c47873e7284e8644d504b612
QuasarRAT
e4922484284c90de832ea50a4e2866490af799b31dfcb81f5d4034c3ce8b6bbf
QuasarRAT
error
QuasarRAT
+ 57 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office04 discovery spyware trojan
Link:
https://tria.ge/reports/250507-n3myqstrt3/
Behaviour
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
82.29.100.144:4782
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c1cc19db-3d2d-4ee2-a47c-d84025892452
Unpacked files
SH256 hash:
e4922484284c90de832ea50a4e2866490af799b31dfcb81f5d4034c3ce8b6bbf
MD5 hash:
efb9e2a66b26b9b22305ed1dab4e5c05
SHA1 hash:
171abf989b319faca6b938ec7de15936a40fbc14
Link:
https://www.unpac.me/results/e505888a-4e18-4e3b-9503-f1049a538a1d/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e4922484284c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.93
Link:
https://yomi.yoroi.company/submissions/e4922484284c90de832ea50a4e2866490af799b31dfcb81f5d4034c3ce8b6bbf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Description:Detects QuasarRAT malware
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:quasarrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:quasarrat_kingrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RC6_Constants
Create hunting rule
Author:chort (@chort0)
Description:Look for RC6 magic constants in binary
Reference:https://twitter.com/mikko/status/417620511397400576
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_803feff4
Create hunting rule
Author:Elastic Security
Rule name:win_quasar_rat_client
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in Quasar Rat Samples.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
NCRYPT_APIUses NCrypt APIncrypt.dll::NCryptImportKey
ncrypt.dll::NCryptOpenKey
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::OpenProcessToken
KERNEL32.dll::OpenProcess
KERNEL32.dll::VirtualAllocExNuma
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::GetSystemDirectoryW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptDestroyKey
bcrypt.dll::BCryptExportKey
bcrypt.dll::BCryptGenRandom
bcrypt.dll::BCryptGetProperty
bcrypt.dll::BCryptImportKeyPair
bcrypt.dll::BCryptOpenAlgorithmProvider
WIN_CRYPT_APIUses Windows Crypt APICRYPT32.dll::CertDuplicateCertificateContext
CRYPT32.dll::CertEnumCertificatesInStore
CRYPT32.dll::CertFreeCertificateChain
CRYPT32.dll::CertFreeCertificateContext
CRYPT32.dll::CertGetCertificateChain
CRYPT32.dll::CertGetCertificateContextProperty
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW

Comments