MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9b236e4b6ba598d2ae4be581c166cf486cbc86a47fffb87b7d05cb09d75073b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 7

SHA256 hash: e9b236e4b6ba598d2ae4be581c166cf486cbc86a47fffb87b7d05cb09d75073b
SHA3-384 hash: 4de4738ebaf50167d0ea743869e9a4c06b7ce7a8e2e395a991c8388f3e0041df9fac2badf447b65b30f94e6ea61ced9e
SHA1 hash: 85917bd9aa53b9bfb70f66df754b7726e9ac3d0f
MD5 hash: 084651b4a27fb177bec42799ff7bbbf6
humanhash: fruit-robert-comet-hotel
File name: UnityCrashHandler.bat
Signature: QuasarRAT
File size: 6'732'722 bytes
First seen: 2025-02-12 09:54:26 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 49152:MjAWORGkxt/vOkHBhkgxS6XBqYLvxQEhBC1Xd/AMw2iU9Qq2yof6l4G8WqpCYzAR:W
TLSH: T1D5663311FBB63FAB8198950ED9BF6F3D939EEE85444F6197A0D400C12ABFD121D3A016
Magika: powershell
Reporter: smica83
Tags: bat, QuasarRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 106
Origin country: HU

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: UnityCrashHandler.bat
Verdict: No threats detected
Analysis date: 2025-02-12 09:58:32 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 70%
Tags: shell spawn sage

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated stealer
Result
Verdict: UNKNOWN

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected Quasar RAT
Behaviour
Behavior Graph: ID 1612984, Sample: UnityCrashHandler.bat, Startdate: 12/02/2025, Architecture: WINDOWS, Score: 100
Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments