MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 678fec195529ac67002cf29197d43af393d9e1d27d42c29f1b9bc1635f1a2d00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 678fec195529ac67002cf29197d43af393d9e1d27d42c29f1b9bc1635f1a2d00
SHA3-384 hash: 38b91a6aec54ea389a482c835762bf00da26c9751ed7922c2df0b80923af627235a648877557ef54dd789ddc2e9ace1c
SHA1 hash: 930dc113e52f4c69f9dc367400d089905ed94b40
MD5 hash: cc72d236927af1a5f8d64079c53a1374
humanhash: oxygen-sierra-bulldog-florida
File name:Client-built.bat
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:2'325'815 bytes
First seen:2025-09-14 18:42:19 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 24576:5mwZAa6rURfkwlGovUf9jMzxgM5dvgQN0jiifrmym0DAlmMEjZoa6yCq48NjX7P3:2XfSzyFGYrtCaeDeP7
Threatray 192 similar samples on MalwareBazaar
TLSH T187B5232B8B356FF90748092AB15E5E453EBE8DF2492F53C3D15634D13E8EA421C178AE
Magika csv
Reporter smica83
Tags:bat QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
64
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Client-built.bat
Verdict:
Malicious activity
Analysis date:
2025-09-14 18:44:50 UTC
Tags:
crypto-regex
Link:
https://app.any.run/tasks/8c70bef1-83f6-4a32-b8b5-07f379179d44

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27429/
Verdict:
Suspicious
Score:
50%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c70c9fe579c633a4b53a15
Tags:
proxy shell spawn sage
Verdict:
Suspicious
Labled as:
Trojan/BAT.Agent
Link:
https://www.hybrid-analysis.com/sample/678fec195529ac67002cf29197d43af393d9e1d27d42c29f1b9bc1635f1a2d00
Verdict:
Unknown
File Type:
ps1
Link:
https://opentip.kaspersky.com/678fec195529ac67002cf29197d43af393d9e1d27d42c29f1b9bc1635f1a2d00/results?tab=lookup
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1777405
Signature
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
Found large BAT file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sample uses string decryption to hide its real strings
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Powershell decode and execute
Yara detected Powershell decrypt and execute
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/678fec195529ac67002cf29197d43af393d9e1d27d42c29f1b9bc1635f1a2d00
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/678fec195529ac67002cf29197d43af393d9e1d27d42c29f1b9bc1635f1a2d00/
Threat name:
Text.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-14 18:43:34 UTC
File Type:
Text (PowerShell)
AV detection:
4 of 24 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m6h6ygkvfgwgoabm6kizpvb26oj5tyospvbmfhy3tpawgxy2fuaa._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
3662a8d4f950c9ebd0851e0b0713f2e48dfb7dd5ac3de02bae8acd1d6c4efd1d
QuasarRAT
3e336ef75dbb6d7168fc2dcbce4a139e3c23ca2be7459b10c0050cad9267a383
QuasarRAT
5bf621e8d7c8590e3a2a5bb9779b5458b28f85b8887076b4a4885d1ee3e2c7f0
QuasarRAT
6b67447d97fcaca79ed98bcd6461b06445e978be3d45d4b0e2637057da97c4c2
QuasarRAT
c30fdd073be8172d6975c53b1c6fa4955a0f20ebaef408228017540ba4d8ad62
QuasarRAT
c6e92bc1395d1865f41e0d10256f7de0fd6913a07c414b2489a191227b3730f6
QuasarRAT
e00aa14eab3def5c39e2be5d0f787d47caf495b1566f6c52d2771f4c4150f47a
QuasarRAT
error
QuasarRAT
+ 182 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar execution spyware trojan
Link:
https://tria.ge/reports/250914-xclsesem91/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Quasar RAT
Quasar family
Quasar payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/678fec195529ac67002cf29197d43af393d9e1d27d42c29f1b9bc1635f1a2d00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/27429/

Comments