MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0065d42e62b532221d6ec96913cdedd45d3e84b1d50076b478a5d0a22608b536. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0065d42e62b532221d6ec96913cdedd45d3e84b1d50076b478a5d0a22608b536
SHA3-384 hash: 15bc1f0ac85c3ab038bedd97dcfdcbcc1481d5e34ba99ed9f9a3c6ffbba4937d2f7d452a2002d33545aaa3f5f8416abf
SHA1 hash: 49fa1788e9c2294fa9c0d00c7fb38a3bb2e307ac
MD5 hash: e4a85471e36e19f0165b320c731c667a
humanhash: hamper-don-failed-alanine
File name:Client-built.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'849'344 bytes
First seen:2025-07-05 13:13:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:Zh3k2DTy+tpHxaFQ12R+mYLPZ5SdT31msHvTv2im1yt:DbDvtpwW1MlYLR5SdT8sHv7kk
TLSH T16785335FB821865DDFB76CFBBC734BA7B7210ECBD05DE068B49AA6E41041096BB5C204
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
21
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Client-built.exe
Verdict:
Malicious activity
Analysis date:
2025-07-05 09:49:48 UTC
Tags:
uac
Link:
https://app.any.run/tasks/7d3fcaaf-06b0-4f2d-949a-88b4992cb85b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12414/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6868f53a900df8e7f8670705
Tags:
autorun spawn sage remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 packed packed packer_detected
Link:
https://www.filescan.io/uploads/686925359db85bde254be77a/reports/0bc40eca-03aa-4efd-8890-e70edcb8cd4a/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/0065d42e62b532221d6ec96913cdedd45d3e84b1d50076b478a5d0a22608b536
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d41ee615-35b5-4cd4-8a2b-f9fd1907588d
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1729188
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1729188 Sample: Client-built.exe Startdate: 05/07/2025 Architecture: WINDOWS Score: 100 35 results-sand.gl.at.ply.gg 2->35 47 Found malware configuration 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 4 other signatures 2->53 9 Client-built.exe 5 2->9         started        13 System.exe 3 2->13         started        signatures3 process4 file5 31 C:\Users\user\AppData\Roaming\...\System.exe, PE32 9->31 dropped 33 C:\Users\user\...\Client-built.exe.log, CSV 9->33 dropped 55 Uses schtasks.exe or at.exe to add and modify task schedules 9->55 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->57 15 System.exe 6 9->15         started        19 schtasks.exe 1 9->19         started        signatures6 process7 dnsIp8 37 results-sand.gl.at.ply.gg 147.185.221.29, 44673, 49719, 49722 SALSGIVERUS United States 15->37 39 Antivirus detection for dropped file 15->39 41 Multi AV Scanner detection for dropped file 15->41 43 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->43 45 Installs a global keyboard hook 15->45 21 MpCmdRun.exe 1 15->21         started        23 schtasks.exe 1 15->23         started        25 conhost.exe 19->25         started        signatures9 process10 process11 27 conhost.exe 21->27         started        29 conhost.exe 23->29         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0065d42e62b532221d6ec96913cdedd45d3e84b1d50076b478a5d0a22608b536
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/e4a85471e36e19f0165b320c731c667a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0065d42e62b532221d6ec96913cdedd45d3e84b1d50076b478a5d0a22608b536/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2025-07-05 12:50:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=abs5iltcwuzcehlozfurhtpn2rot5bfr2uahnndyuxikejqiwu3a._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
error
QuasarRAT
Result
Malware family:
n/a
Score:
  7/10
Tags:
execution persistence
Link:
https://tria.ge/reports/250705-qgsyzahj4t/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5a7c7ab4-b1a0-431b-8769-06968edb4e79
Unpacked files
SH256 hash:
0065d42e62b532221d6ec96913cdedd45d3e84b1d50076b478a5d0a22608b536
MD5 hash:
e4a85471e36e19f0165b320c731c667a
SHA1 hash:
49fa1788e9c2294fa9c0d00c7fb38a3bb2e307ac
Link:
https://www.unpac.me/results/a8c49fc3-2043-497c-af3f-9a1c28af3074/
SH256 hash:
c1046a94e4042f0a622670cd6a01ca235609732d8ef68889e87fc947d754c5f5
MD5 hash:
8f786e161e0925e8a7c5602f64fff988
SHA1 hash:
4f90a7c051bb4a8e95a43916a4e979b1daadfffa
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
HKTL_NET_GUID_Quasar
Create hunting rule
Link:
https://www.unpac.me/results/a8c49fc3-2043-497c-af3f-9a1c28af3074/
Parent samples :
0065d42e62b532221d6ec96913cdedd45d3e84b1d50076b478a5d0a22608b536
c7cfa4eb2cce54eae7d5af7025931c424e48c3dd28dcdb76399e4ab23a4c1f6e
9b7be09c491e55dc424bbf7f3281b467d7e26d918263d925bb4b624fc25ff616
8ca07bac80251aac5bae7418c53144e723c1750d400faaac1678c55457f0f64a
565ba37db962f10ea77fab2be20b5d65672a72c7bbda35cf5538a236a3f63337
7645e0b22c7ea622d164b55b3449831e99bcf4de66c31ac0afaa877cef03248e
ddfffb912ac59f774d452516e5834d9e0175db9608e91eba45379a78b3c53fa9
71d675e36d237be76f9141742350f8b2d94d8cefa2b9b3b62622703193c15414
544f187d0b620cb18a494ea3ec51472e504eac944ef59dc4b5de1c60a9d5800e
e2c14df722dfbb0c3a8c4228034f37ba6395babc29ad2aa9f4a175f37a839831
SH256 hash:
f7b3a5b921199dc947f500b520efd1103894fb837c5eecaa6787bf548a5cd8b2
MD5 hash:
41b2417f6b1e6d0451c9efedd3aacbbb
SHA1 hash:
d2df66beab0271c7111cc926a31d70a9e2aaa62e
Link:
https://www.unpac.me/results/a8c49fc3-2043-497c-af3f-9a1c28af3074/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0065d42e62b532221d6ec96913cdedd45d3e84b1d50076b478a5d0a22608b536

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/12414/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments