QuirkyLoader - A New Malware Loader Delivering Infostealers and RATs

    Date: 08/26/2025

    Severity: High

    Summary

    QuirkyLoader is a newly observed malware loader, active since November 2024, used to deliver various infostealers and remote access trojans (RATs) such as Agent Tesla, AsyncRAT, FormBook, Remcos, and others. The infection begins with phishing emails carrying malicious archives. Each archive contains a legitimate executable, an encrypted payload, and a malicious DLL. QuirkyLoader relies on DLL side-loading: the legitimate executable loads the malicious DLL, and the DLL then decrypts the payload and injects the final malware. The DLL is written in .NET and compiled ahead-of-time (AOT), so it resembles a native C/C++ binary and evades detections tuned for managed .NET assemblies.

    Indicators of Compromise (IOC) List

    URL/Domain

    catherinereynolds.info

    mail.catherinereynolds.info

    IP Address

    157.66.22.11

    103.75.77.90

    161.248.178.212

    Hash

    SHA256 (22 file hashes; the full set is embedded in Detection Query 3 below)

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "catherinereynolds.info" or siteurl like "catherinereynolds.info" or url like "catherinereynolds.info" or domainname like "mail.catherinereynolds.info" or siteurl like "mail.catherinereynolds.info" or url like "mail.catherinereynolds.info"

    Detection Query 2:

    dstipaddress IN ("157.66.22.11","103.75.77.90","161.248.178.212") or srcipaddress IN ("157.66.22.11","103.75.77.90","161.248.178.212")

    Detection Query 3:

    sha256hash IN ("b2fdf10bd28c781ca354475be6db40b8834f33d395f7b5850be43ccace722c13","b22d878395ac2f2d927b78b16c9f5e9b98e006d6357c98dbe04b3fd78633ddde","ea65cf2d5634a81f37d3241a77f9cd319e45c1b13ffbaf5f8a637b34141292eb","8e0770383c03ce69210798799d543b10de088bac147dce4703f13f79620b68b1","a64a99b8451038f2bbcd322fd729edf5e6ae0eb70a244e342b2f8eff12219d03","bf3093f7453e4d0290511ea6a036cd3a66f456cd4a85b7ec8fbfea6b9c548504","b42bc8b2aeec39f25babdcbbdaab806c339e4397debfde2ff1b69dca5081eb44","6f53c1780b92f3d5affcf095ae0ad803974de6687a4938a2e1c9133bf1081eb6","0ea3a55141405ee0e2dfbf333de01fe93c12cf34555550e4f7bb3fdec2a7673b","5d5b3e3b78aa25664fb2bfdbf061fc1190310f5046d969adab3e7565978b96ff","1b8c6d3268a5706fb41ddfff99c8579ef029333057b911bb4905e24aacc05460","d0a3a1ee914bcbfcf709d367417f8c85bd0a22d8ede0829a66e5be34e5e53bb9","97aee6ca1bc79064d21e1eb7b86e497adb7ece6376f355e47b2ac60f366e843d","d954b235bde6ad02451cab6ee1138790eea569cf8fd0b95de9dc505957c533cd","9726e5c7f9800b36b671b064e89784fb10465210198fbbb75816224e85bd1306","cba8bb455d577314959602eb15edcaa34d0b164e2ef9d89b08733ed64381c6e0","049ef50ec0fac1b99857a6d2beb8134be67ae67ae134f9a3c53699cdaa7c89ac","a1994ba84e255eb02a6140cab9fc4dd9a6371a84b1dd631bd649525ac247c111","011257eb766f2539828bdd45f8aa4ce3c4048ac2699d988329783290a7b4a0d3","3391b0f865f4c13dcd9f08c6d3e3be844e89fa3afbcd95b5d1a1c5abcacf41f4","5aaf02e4348dc6e962ec54d5d31095f055bd7fb1e58317682003552fd6fe25dc","a83aa955608e9463f272adca205c9e1a7cbe9d1ced1e10c9d517b4d1177366f6")
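    The three queries above replayed in Python over constructed log records, as an added example that is not part of the advisory or of Gurucul's tooling. Field names mirror the queries; only two of the 22 hashes are included, and the domain check is stricter than the queries' "like" (exact host or subdomain rather than substring).

```python
"""Replay the advisory's three detection queries against sample log records."""
import re

# IOCs from the advisory (hash set deliberately shortened to two entries).
IOC_DOMAINS = {"catherinereynolds.info", "mail.catherinereynolds.info"}
IOC_IPS = {"157.66.22.11", "103.75.77.90", "161.248.178.212"}
IOC_SHA256 = {
    "011257eb766f2539828bdd45f8aa4ce3c4048ac2699d988329783290a7b4a0d3",
    "b2fdf10bd28c781ca354475be6db40b8834f33d395f7b5850be43ccace722c13",
}

HOST_FIELDS = ("domainname", "siteurl", "url")        # Query 1 fields
IP_FIELDS = ("dstipaddress", "srcipaddress")           # Query 2 fields


def _hostname(value):
    """Return the lower-cased host part of a bare domain or a full URL."""
    m = re.match(r"^(?:[a-z]+://)?([^/:?#]+)", value.strip().lower())
    return m.group(1) if m else ""


def match_iocs(record):
    """Return (query_number, field, matched_value) hits for one log record."""
    hits = []
    for f in HOST_FIELDS:
        host = _hostname(record.get(f, ""))
        # Exact host or subdomain match; avoids hits on look-alike hosts that a
        # plain substring "like" would also flag.
        if host and any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append((1, f, host))
    for f in IP_FIELDS:
        if record.get(f) in IOC_IPS:
            hits.append((2, f, record[f]))
    h = record.get("sha256hash", "").lower()   # hashes may be logged upper-case
    if h in IOC_SHA256:
        hits.append((3, "sha256hash", h))
    return hits


def scan(records):
    """Index and hits for every record that triggers at least one query."""
    out = []
    for i, r in enumerate(records):
        hits = match_iocs(r)
        if hits:
            out.append((i, hits))
    return out


SAMPLE_LOGS = [  # constructed records, not real telemetry
    {"url": "https://mail.catherinereynolds.info/inbox", "dstipaddress": "8.8.8.8"},
    {"srcipaddress": "103.75.77.90", "dstipaddress": "10.0.0.5"},
    {"sha256hash": "B2FDF10BD28C781CA354475BE6DB40B8834F33D395F7B5850BE43CCACE722C13"},
    {"domainname": "example.com", "dstipaddress": "10.0.0.7"},
]
```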

    Reference:

    https://www.ibm.com/think/x-force/ibm-x-force-threat-analysis-quirkyloader


    Tags

    Malware, QuirkyLoader, Infostealer, RAT, Agent Tesla, AsyncRAT, FormBook, REMCOS, Phishing, DLL
