MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc5c1fef582e46905c462d4d905fbdfb3b70b5a571e182dabac3a4b9b8f57c9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuirkyLoader

Vendor detections: 11

Intelligence 11 IOCs YARA 11 File information Comments

SHA256 hash:	fc5c1fef582e46905c462d4d905fbdfb3b70b5a571e182dabac3a4b9b8f57c9c
SHA3-384 hash:	0445ec3e6c532ba33c98a27f8e9152c73014639f49aaafaffda528004c6f0a00e5fd910f92eed4e430c7da5035549109
SHA1 hash:	f7f09fe42a583e4d2df13630ab7ace2ca4d2bdff
MD5 hash:	2408f1d3ef58993ec079df823e3faa26
humanhash:	virginia-whiskey-moon-sixteen
File name:	libpsl-5.dll
Download:	download sample
Signature	QuirkyLoader Create hunting rule
File size:	4'077'568 bytes
First seen:	2026-03-16 14:11:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	529c2374bb6d2fe0c7653bcd00767eaf (1 x QuirkyLoader)
ssdeep	98304:ZofqIV4fQx85+FtOl2Xk/uFmJ1Z4q6fYrz1mafvpO0Dwn8+LCH0y8D:ZYqIV4Yxi2U/uC34BfwpOl8UCUbD
TLSH	T13D16BE56B3C819A9D526CA38C744E333C1B2B9634B76D18B1A9AD7061F779528F3FB00
TrID	70.9% (.EXE) InstallShield setup (43053/19/16) 10.7% (.EXE) Win64 Executable (generic) (6522/11/2) 8.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 3.3% (.EXE) OS/2 Executable (generic) (2029/13) 3.3% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	asmweosiqsaaw-com booking ClickFix exe QuirkyLoader

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

libpsl-5.dll

Verdict:

No threats detected

Analysis date:

2026-03-16 14:13:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b8eed037-df05-48f2-b98e-88b2634e2712

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/57652/

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b80fc188c80c01586ac907

Tags:

emotet virus

Result

Verdict:

Clean

Maliciousness:

Gathering data

Verdict:

Malicious

Labled as:

Ulise.Generic

Link:

https://www.hybrid-analysis.com/sample/fc5c1fef582e46905c462d4d905fbdfb3b70b5a571e182dabac3a4b9b8f57c9c

Verdict:

Malicious

File Type:

dll x64

Detections:

HEUR:Trojan.Win64.Generic HEUR:Trojan.Win64.Convagent.gen

Link:

https://opentip.kaspersky.com/fc5c1fef582e46905c462d4d905fbdfb3b70b5a571e182dabac3a4b9b8f57c9c/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/23e48969-300a-4ec2-944d-3514e82b07bd

Score:

92%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fc5c1fef582e46905c462d4d905fbdfb3b70b5a571e182dabac3a4b9b8f57c9c

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/2408f1d3ef58993ec079df823e3faa26

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fc5c1fef582e46905c462d4d905fbdfb3b70b5a571e182dabac3a4b9b8f57c9c/

Verdict:

Malicious

Threat:

Trojan.Win64.Convagent

Link:

https://tip.neiki.dev/file/fc5c1fef582e46905c462d4d905fbdfb3b70b5a571e182dabac3a4b9b8f57c9c

Threat name:

Win64.Trojan.Ulise

Status:

Malicious

First seen:

2026-03-16 14:11:35 UTC

File Type:

PE+ (Dll)

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7rob732yfzdjaxcgfvgzax557m5xbnnfohqyfwv2yosltohvpsoa._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260316-rhwa6abv4m/

Unpacked files

SH256 hash:

fc5c1fef582e46905c462d4d905fbdfb3b70b5a571e182dabac3a4b9b8f57c9c

MD5 hash:

2408f1d3ef58993ec079df823e3faa26

SHA1 hash:

f7f09fe42a583e4d2df13630ab7ace2ca4d2bdff

Detections:

win_quirkyloader_auto

Link:

https://www.unpac.me/results/5c066603-56f2-4a68-970b-329f245a9034/

Malware family:

QuirkyLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fc5c1fef582e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fc5c1fef582e46905c462d4d905fbdfb3b70b5a571e182dabac3a4b9b8f57c9c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	win_quirkyloader_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.quirkyloader.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/57652/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample