MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd3eaadc11db033a3dc38941890021e99456fc14f694917fb8f09dda279790df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuirkyLoader


Vendor detections: 6



SHA256 hash: fd3eaadc11db033a3dc38941890021e99456fc14f694917fb8f09dda279790df
SHA3-384 hash: 645093fafc1dd8b94dd28009ce59cb8a901a4f2afc52abadaa0398227208390ebb73642336e7ac28ad894cd9a8aca4a9
SHA1 hash: 562c427465bb16abba1a4ef5e1de45efcbe868be
MD5 hash: 1f75d4cf40aea5ed2ff7a1946f67a129
humanhash: fish-lemon-oranges-virginia
File name: asfixsoftwaredev.zip
Signature: QuirkyLoader
File size: 7'066'111 bytes
First seen: 2026-03-18 14:01:38 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep 196608:+ZfthiC1tafzN87Ao7hbl0uU+HB/OGUElH6XU8YYlbHXUs:+B/CLsAo7hRrU+h/PUEl0U8YYlbEs
TLSH T1B3663377F4381AC4E42BE4BEB0601BD287A1231DE483D539D09239D871E2BCA5D9D69F
Magika: zip
Reporter: JAMESWT_WT
Tags: asmweosiqsaaw-com, booking, ClickFix, FakeCaptcha, QuirkyLoader

Intelligence


File Origin
# of uploads: 1
# of downloads: 130
Origin country: IT
File Archive Information

This file archive contains 12 file(s), sorted by their relevance:

File name:psl.exe
File size:66'144 bytes
SHA256 hash: 12c931dbfa907d4e394fb928f3a8a27ed7e5bf203578dabcd65bb2dd5f2f1280
MD5 hash: f83c15cdcf054820008944d8366b6f24
MIME type:application/x-dosexec
Signature QuirkyLoader
File name:libintl-8.dll
File size:311'976 bytes
SHA256 hash: 014537629d17e625e3f3052e59b5aaad80233af0191b950367b7db06228b46de
MD5 hash: 5ff474738f95cd79dfad97305ff6c6fd
MIME type:application/x-dosexec
Signature QuirkyLoader
File name:libidn2-0.dll
File size:257'408 bytes
SHA256 hash: c6296ac4f38ab5f6b66ccea54f337eb61e4b4c64c6cbef9b422d40906102ed23
MD5 hash: dd739331842b79885453706d874a4366
MIME type:application/x-dosexec
Signature QuirkyLoader
File name:msys-intl-8.dll
File size:121'856 bytes
SHA256 hash: 9517978d663b324f80b3ad454e0f6a99db9cbd5022e98cea93808ddd64630aed
MD5 hash: 07bb931d03cfaf310b0369175797c719
MIME type:application/x-dosexec
Signature QuirkyLoader
File name:libunistring-5.dll
File size:2'236'904 bytes
SHA256 hash: 351ab6db834de03308e468a660dd93cb76d1e60aa213c7fce1c36603c431b7ba
MD5 hash: f6027bba63f798a5db8ce3f43bfda60e
MIME type:application/x-dosexec
Signature QuirkyLoader
File name:msys-2.0.dll
File size:3'371'536 bytes
SHA256 hash: 7ad917358bf910168a051aa46670fc5fbe300cd5e63fa2691ca6909237332118
MD5 hash: 8e727844e0eed3e4b14d2d87195d71b8
MIME type:application/x-dosexec
Signature QuirkyLoader
File name:msys-iconv-2.dll
File size:1'108'800 bytes
SHA256 hash: b76044939dd5d6c6b7cf0d0cf877db6a2d8d7fd433212b78c837ba58f77a1775
MD5 hash: c29ee585eb10ad99a3a87aad2a772517
MIME type:application/x-dosexec
Signature QuirkyLoader
File name:msys-psl-5.dll
File size:83'128 bytes
SHA256 hash: 465a677a62faf17255a910e52ec595e277831acf471048e84229a60417f0e7d1
MD5 hash: fbef212371b36a54980ac886bee50b4e
MIME type:application/x-dosexec
Signature QuirkyLoader
File name:libiconv-2.dll
File size:1'146'840 bytes
SHA256 hash: 9740c8a8351587206aff71a976b9fea7457e59126807216b2e76f68a41579ed4
MD5 hash: 9a47e690745d2abf439b3466abb0ec16
MIME type:application/x-dosexec
Signature QuirkyLoader
File name:msys-unistring-5.dll
File size:2'074'976 bytes
SHA256 hash: 7c6c656d2413d2398f99de4616416319eaea0d9f91ab8a6efa953b2fe7def760
MD5 hash: 5374fcf8f138a6a0f84cfa8a3602e59c
MIME type:application/x-dosexec
Signature QuirkyLoader
File name:msys-idn2-0.dll
File size:207'760 bytes
SHA256 hash: 7912f8204e5b57fe00d59f9b346fcc04137237c879e0af48d2e6167fc21cb937
MD5 hash: fd464b8caab9e46e6a917f490b6b8643
MIME type:application/x-dosexec
Signature QuirkyLoader
File name:libpsl-5.dll
File size:4'048'896 bytes
SHA256 hash: ef4bda77b3391e7d6a36a1d927fc81b1499c36f3d65322ed5f274a3742e07ebe
MD5 hash: 50c66833facf937641edf9c471854ad8
MIME type:application/x-dosexec
Signature QuirkyLoader
Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Check_OutputDebugStringA_iat

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__MemoryWorkingSet
Author: Fernando Mercês
Description: Anti-debug process memory working set size check
Reference: http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: telebot_framework
Author: vietdx.mb

Rule name: test_Malaysia
Author: rectifyq
Description: Detects file containing malaysia string

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name: win_quirkyloader_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.quirkyloader.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
