MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 c9b1c0660b49eeaea761b489d5c00235f7a597b4a5b244643418d6375e436b42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
QuasarRAT
Vendor detections: 15
| SHA256 hash: | c9b1c0660b49eeaea761b489d5c00235f7a597b4a5b244643418d6375e436b42 |
|---|---|
| SHA3-384 hash: | aa559707081b9bfae83eb9cb91f5e3e163c5bac7d9ac8e95af42b9c831e615135bf2573dabaa83962111e55d55d11a1e |
| SHA1 hash: | d2c836f53856030ebbddcc7cb3b330830c8a2a08 |
| MD5 hash: | baa80521acada137d15e7f6597b604f8 |
| humanhash: | tennis-tango-fish-wolfram |
| File name: | z1Comprobante_de_Transferencia_15_09_2025.exe |
| Download: | download sample |
| Signature | QuasarRAT |
| File size: | 4'089'344 bytes |
| First seen: | 2025-09-19 02:30:11 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger) |
| ssdeep | 98304:p6QrYAZY52zt3j7eCdymyjUVyJvaUr8HEOrxiO+Efw:p6kymtz7TVydpOdi1N |
| TLSH | T1F11623CC36503AEEC803CC705A641DA896476E677B0B32039D1B796BB63F8C79E554B2 |
| TrID | 28.5% (.EXE) Win64 Executable (generic) (10522/11/4) 17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 13.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.2% (.EXE) Win32 Executable (generic) (4504/4/1) 5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23) |
| Magika | pebin |
| Reporter |  FXOLabs |
| Tags: | exe QuasarRAT |
Intelligence
File Origin
# of uploads :
1
# of downloads :
113
Origin country :
BRVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2ddf7b3900eb0f6eb9a41357a7ad093ff5747f7672cebcaf00e0fe0bc06a6859.zip
Verdict:
Malicious activity
Analysis date:
2025-09-18 03:20:07 UTC
Tags:
arch-exec auto-reg crypto-regex confuser
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Verdict:
Malicious
Score:
94.9%
Tags:
autorun packed spawn sage
Result
Verdict:
Malware
Maliciousness:
Behaviour
Restart of the analyzed sample
Creating a file
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
confuser confuserex net obfuscated obfuscated obfuscated packed packed packer_detected vbnet zusy
Verdict:
Malicious
Labled as:
Zusy.Generic
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-17T14:04:00Z UTC
Last seen:
2025-09-17T14:04:00Z UTC
Hits:
~1000
Verdict:
Unknown
Score:
99%
Verdict:
Malware
File Type:
PE
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 1.00 Win 32 Exe x86
Threat name:
Win32.Trojan.Znyonm
Status:
Malicious
First seen:
2025-09-17 17:48:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
27 of 36 (75.00%)
Threat level:
5/5
Detection(s):
Malicious file
Result
Malware family:
quasar
Score:
10/10
Tags:
family:quasar botnet:silver01 discovery execution persistence spyware trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
ConfuserEx .NET packer
Suspicious use of SetThreadContext
Executes dropped EXE
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
onanothertry.ydns.eu:4799
asesorarcolom.crabdance.com:4898
asesorarcolom.crabdance.com:4898
Verdict:
Suspicious
Tags:
red_team_tool
YARA:
SUSP_NET_NAME_ConfuserEx
Unpacked files
SH256 hash:
c9b1c0660b49eeaea761b489d5c00235f7a597b4a5b244643418d6375e436b42
MD5 hash:
baa80521acada137d15e7f6597b604f8
SHA1 hash:
d2c836f53856030ebbddcc7cb3b330830c8a2a08
SH256 hash:
3f06a2cca7095ae765f0d29d1c7998dbbd901ecc0a1b0d79d372daa14db67066
MD5 hash:
f7123f518fa6e2da4a11ade278b8a1dc
SHA1 hash:
03d3d45e89cc03872864e27d5a78ee1be095cecb
Detections:
QuasarRAT
cn_utf8_windows_terminal
malware_windows_xrat_quasarrat
MAL_QuasarRAT_May19_1
MAL_BackNet_Nov18_1
INDICATOR_EXE_Packed_Fody
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
SH256 hash:
53d8dad970f9bb93937d98eeafbc0f1cc73fdef439c78f7c380609d7f3915e40
MD5 hash:
f52e824f166cb0cf070a5b2b3aba82f3
SHA1 hash:
bd5f37c929d9e3388fc482ebb4db8283d0e8d368
SH256 hash:
d989fe2546a5437e9420c4d3585441ee215a743087960c34cd04955293d1e0ca
MD5 hash:
1d8702f155c9b225a5d0fce814777c75
SHA1 hash:
2c7efc378489926b07b180a8366c8f0552c605e2
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
HKTL_NET_GUID_Quasar
Parent samples :
4d3e6fe106f6d05c524b1e72a093651c4c76544a8d526a81d5fd448806bec304
270eb5e8c2481e2611f3805dba760256e8be56efea15d519df95a6d5dbf29fcd
e151fd79a759d3206f5e0012cec26e972ec74ea43c5e6943d81310c30408fe4e
8aeaeaa9bf27b99f933d7479f77d6b91249cdca0e6967eb22456844c0dbb2098
23228723bd373f0a2907aa450ebaf3a218fac346c3d854ee7554b899dcc198ab
8638d79bd3e5370b1a1525cb43e9b92a5d99d58a947f4dc06c692f5f9a82bcd8
7be2273bfc26f6f298548a4ff29de90dd24c8dc6b473ea06c2d59c62e09cedff
c9b1c0660b49eeaea761b489d5c00235f7a597b4a5b244643418d6375e436b42
6e2c497b5ba8031212a6ec66f84c2483a35e124ba96db701679b480e8e56d0e0
9eb5301a3c5929f849f95bf070172e4a8a8bd8c4880dbe238aa88ee76adf3063
a769cf974a67c6c99eca486ea834aaf1f601ddf1ddb3860eafb2e433dec469e9
07a467fa5c5d3fd8474fef9e8024755d812ea3ed335e91eee64e55400bcc6086
3f5ce1cb8e9d41e779201fa63573230862cfb3aa0e0023ce82fd0ca4933bda77
270eb5e8c2481e2611f3805dba760256e8be56efea15d519df95a6d5dbf29fcd
e151fd79a759d3206f5e0012cec26e972ec74ea43c5e6943d81310c30408fe4e
8aeaeaa9bf27b99f933d7479f77d6b91249cdca0e6967eb22456844c0dbb2098
23228723bd373f0a2907aa450ebaf3a218fac346c3d854ee7554b899dcc198ab
8638d79bd3e5370b1a1525cb43e9b92a5d99d58a947f4dc06c692f5f9a82bcd8
7be2273bfc26f6f298548a4ff29de90dd24c8dc6b473ea06c2d59c62e09cedff
c9b1c0660b49eeaea761b489d5c00235f7a597b4a5b244643418d6375e436b42
6e2c497b5ba8031212a6ec66f84c2483a35e124ba96db701679b480e8e56d0e0
9eb5301a3c5929f849f95bf070172e4a8a8bd8c4880dbe238aa88ee76adf3063
a769cf974a67c6c99eca486ea834aaf1f601ddf1ddb3860eafb2e433dec469e9
07a467fa5c5d3fd8474fef9e8024755d812ea3ed335e91eee64e55400bcc6086
3f5ce1cb8e9d41e779201fa63573230862cfb3aa0e0023ce82fd0ca4933bda77
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Check_Dlls |
|---|
| Rule name: | Costura_Protobuf |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies Costura and Protobuf in .NET assemblies, respectively for storing resources and (de)serialization. Seen together might indicate a suspect binary. |
| Rule name: | CP_AllMal_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication |
| Rule name: | CP_Script_Inject_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | Detects attempts to inject code into another process across PE, ELF, Mach-O binaries |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__QueryInfo |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerHiding__Thread |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | Detect_PowerShell_Obfuscation |
|---|---|
| Author: | daniyyell |
| Description: | Detects obfuscated PowerShell commands commonly used in malicious scripts. |
| Rule name: | FreddyBearDropper |
|---|---|
| Author: | Dwarozh Hoshiar |
| Description: | Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip. |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | INDICATOR_EXE_Packed_ConfuserEx |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables packed with ConfuserEx Mod |
| Rule name: | INDICATOR_EXE_Packed_ConfuserEx_Custom |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables packed with ConfuserEx Custom; outside of GIT |
| Rule name: | INDICATOR_EXE_Packed_Fody |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables manipulated with Fody |
| Rule name: | Indicator_MiniDumpWriteDump |
|---|---|
| Author: | Obscurity Labs LLC |
| Description: | Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Windows executables referencing non-Windows User-Agents |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion |
| Rule name: | MAL_BackNet_Nov18_1 |
|---|---|
| Author: | Florian Roth (Nextron Systems) |
| Description: | Detects BackNet samples |
| Reference: | https://github.com/valsov/BackNet |
| Rule name: | MAL_BackNet_Nov18_1_RID2D6D |
|---|---|
| Author: | Florian Roth |
| Description: | Detects BackNet samples |
| Reference: | https://github.com/valsov/BackNet |
| Rule name: | MAL_QuasarRAT_May19_1 |
|---|---|
| Author: | Florian Roth (Nextron Systems) |
| Description: | Detects QuasarRAT malware |
| Reference: | https://blog.ensilo.com/uncovering-new-activity-by-apt10 |
| Rule name: | MAL_QuasarRAT_May19_1_RID2E1E |
|---|---|
| Author: | Florian Roth |
| Description: | Detects QuasarRAT malware |
| Reference: | https://blog.ensilo.com/uncovering-new-activity-by-apt10 |
| Rule name: | Multifamily_RAT_Detection |
|---|---|
| Author: | Lucas Acha (http://www.lukeacha.com) |
| Description: | Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | NETexecutableMicrosoft |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_imphash |
|---|
| Rule name: | RANSOMWARE |
|---|---|
| Author: | ToroGuitar |
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | Sus_CMD_Powershell_Usage |
|---|---|
| Author: | XiAnzheng |
| Description: | May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP) |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.