YARAify Scan Results

You are viewing the YARAify database entry for the file with the SHA256 hash 8d953495331c58a2afdc5a467996f7b40c535ff2afe3b11ffbbd1b9a3f9a2df6.

Scan Results

SHA256 hash:	8d953495331c58a2afdc5a467996f7b40c535ff2afe3b11ffbbd1b9a3f9a2df6
File size:	1'950'720 bytes
File download:	Original
MIME type:	application/x-dosexec
MD5 hash:	3469978e3b9680cf3b21948a8a214a66
SHA1 hash:	8273520e24c74040bd15b8cc4b93e8636674c3f3
SHA3-384 hash:	00db8580cb52feda1a50debf4401eb9a96eb9a82ce22a76dca07b7e437753d1d63fce064514a68c1e044619ca5578a1d
First seen:	2026-06-08 19:47:17 UTC
Last seen:	Never
Sightings:	1
imphash :	f34d5f2d4577ed6d9ceec516c1f5a744 Create hunting rule
ssdeep :	49152:D2WE97rRFirm+Nn42KK8i7Ltwa+VVaSz2A/:D2WEhavNnoK8i7LtwbHJz2
TLSH :	n/a
telfhash :	n/a
gimphash :	n/a
dhash icon :	n/a

Tasks

There are 1 tasks on YARAify for this particular file. The 10 most recent ones are shown below.

Task Information

Task ID:	db462e13-6372-11f1-a8a0-42010aa4000b
File name:	3469978e3b9680cf3b21948a8a214a66
Task parameters:	ClamAV scan:	True
	Unpack:	False
	Share file:	True

ClamAV Results

The file matched the following open source and commercial ClamAV rules.

Signature:	ditekSHen.MALWARE.Win.Trojan.QuasarStealer.UNOFFICIAL Create hunting rule

Signature:	Win.Malware.Bulz-9933026-0 Create hunting rule

Signature:	Win.Malware.Generic-6623004-0 Create hunting rule

Signature:	Win.Malware.Generic-9883083-0 Create hunting rule

Signature:	YARA.SIGNATURE_BASE_MAL_Quasarrat_May19_1.UNOFFICIAL Create hunting rule

YARA Results

Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name:	Check_Dlls Create hunting rule
TLP:	TLP:WHITE
Repository:

Rule name:	Costura_Protobuf Create hunting rule
Author:	@bartblaze
Description:	Identifies Costura and Protobuf in .NET assemblies, respectively for storing resources and (de)serialization. Seen together might indicate a suspect binary.
TLP:	TLP:WHITE
Repository:	bartblaze

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:	TLP:WHITE

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:	TLP:WHITE

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:	TLP:WHITE

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	hunting_generic_win_rat Create hunting rule
Author:	Ajin Deepak, AD2001
Description:	Hunting RATS based on common patterns
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	Indicator_MiniDumpWriteDump Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
TLP:	TLP:WHITE

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	MAL_BackNet_Nov18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects BackNet samples
Reference:	https://github.com/valsov/BackNet
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	MAL_BackNet_Nov18_1_RID2D6D Create hunting rule
Author:	Florian Roth
Description:	Detects BackNet samples
Reference:	https://github.com/valsov/BackNet
TLP:	TLP:WHITE

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Description:	Detects QuasarRAT malware
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	MAL_QuasarRAT_May19_1_RID2E1E Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10
TLP:	TLP:WHITE

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
TLP:	TLP:WHITE
Repository:

Rule name:	NET Create hunting rule
Author:	malware-lu
TLP:	TLP:WHITE
Repository:

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu
TLP:	TLP:WHITE
Repository:

Rule name:	pe_imphash Create hunting rule
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	Pulsar_RAT Create hunting rule
Author:	@bartblaze
Description:	Identifies Pulsar RAT, based on Quasar RAT.
Reference:	https://malpedia.caad.fkie.fraunhofer.de/details/win.pulsar_rat
TLP:	TLP:WHITE
Repository:	bartblaze

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	classified
Author:	classified
Description:	classified
TLP :	TLP:AMBER

Rule name:	classified
Author:	classified
Description:	classified
TLP :	TLP:AMBER

Unpacker

The following YARA rules matched on the unpacked file.

Disabled by submitter

Unpacked Files

The following files could be unpacked from this sample.