YARAify Task Results

YARAify scan results for task ID 3cef1d43-e022-11f0-9df4-42010aa4000b.

Scan Results

Task ID:3cef1d43-e022-11f0-9df4-42010aa4000b
Task parameters:clamav_scan:True
unpack:True
share_file:True
Submission time:2025-12-23 17:10:10 UTC
Scan time:Scan took 14 seconds
File name:Python.exe
File size:3'266'560 bytes
File download: Original Unpacked
MIME type:application/x-dosexec
SHA256 hash: f27bb91b7989b0de1e3ebe9f1378e27f9cccf0a71590db04f12db9d5151fe6e3
MD5 hash: 423246b097e0b9abc5e3499de2b4fc01
SHA1 hash: 63bf39d01d0fdf29fb17f0fccef6d341c94e7b6a
SHA3-384 hash: 0a1e85601a8fa5ab4b0b714be39b9db767429f7151c7cb477cd6692935e19c33aad88bdcde22fe676b00c150e70e2b1a
First seen:2025-12-23 17:10:10 UTC
Last seen:2025-12-24 07:19:47 UTC
Sightings:4
imphash : f34d5f2d4577ed6d9ceec516c1f5a744
Create hunting rule
ssdeep : 49152:Zv9zn3r24paQe+GPhlz1Tt6U7PkDDQRJ6MbR3LoGdT3THHB72eh2NT:ZvFr24paQe+GPhlz1TwU7PkDDQRJ6W
TLSH :n/a
telfhash :n/a
dhash icon :n/a

YARA Results

Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
TLP:TLP:WHITE
Repository:
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
TLP:TLP:WHITE
Repository:YARAify
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
TLP:TLP:WHITE
Repository:YARAify
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
TLP:TLP:WHITE
Repository:YARAify
Rule name:Diff_QuasarRAT_01
Create hunting rule
Author:schmidtsz
Description:Identify QuasarRAT samples
TLP:TLP:WHITE
Repository:YARAify
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
TLP:TLP:WHITE
Repository:YARAify
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
TLP:TLP:WHITE
Repository:diˈtekSHən
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
TLP:TLP:WHITE
Repository:diˈtekSHən
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
TLP:TLP:WHITE
Repository:diˈtekSHən
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
TLP:TLP:WHITE
Repository:YARAify
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Description:Detects QuasarRAT malware
TLP:TLP:WHITE
Repository:Neo23x0
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
TLP:TLP:WHITE
Repository:Neo23x0
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
TLP:TLP:WHITE
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
TLP:TLP:WHITE
Repository:diˈtekSHən
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
TLP:TLP:WHITE
Repository:
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
TLP:TLP:WHITE
Repository:
Rule name:NET
Create hunting rule
Author:malware-lu
TLP:TLP:WHITE
Repository:
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
TLP:TLP:WHITE
Repository:
Rule name:pe_imphash
Create hunting rule
TLP:TLP:WHITE
Repository:MalwareBazaar
Rule name:quasarrat
Create hunting rule
Author:jeFF0Falltrades
TLP:TLP:WHITE
Repository:YARAify
Rule name:quasarrat_kingrat
Create hunting rule
Author:jeFF0Falltrades
TLP:TLP:WHITE
Repository:CAPE
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
TLP:TLP:WHITE
Repository:YARAify
Rule name:RC6_Constants
Create hunting rule
Author:chort (@chort0)
Description:Look for RC6 magic constants in binary
Reference:https://twitter.com/mikko/status/417620511397400576
TLP:TLP:WHITE
Repository:
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
TLP:TLP:WHITE
Repository:
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
TLP:TLP:WHITE
Repository:
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
TLP:TLP:WHITE
Repository:
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
TLP:TLP:WHITE
Repository:MalwareBazaar
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
TLP:TLP:WHITE
Repository:YARAify
Rule name:win_quasar_rat_client
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in Quasar Rat Samples.
TLP:TLP:WHITE
Repository:YARAify
Rule name:classified
Author:classified
Description:classified
TLP :TLP:AMBER
Rule name:classified
Author:classified
Description:classified
TLP :TLP:AMBER
Rule name:Windows_Generic_Threat_803feff4
Create hunting rule
Author:Elastic Security
TLP:TLP:WHITE
Repository:elastic

Unpacker

The following YARA rules matched on the unpacked file.

ClamAV Results

The file matched the following open source and commercial ClamAV rules.

Signature:ditekSHen.MALWARE.Win.Trojan.QuasarStealer.UNOFFICIAL
Create hunting rule
Signature:Win.Malware.Generic-9883083-0
Create hunting rule
Signature:Win.Malware.Msilheracles-9900242-0
Create hunting rule
Signature:Win.Packed.Downeks-6898097-0
Create hunting rule