MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04fffcd5e0509e3609e5dc106afb8bfa7fab3a948ab63627cdc424cb7709f94e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QatarRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04fffcd5e0509e3609e5dc106afb8bfa7fab3a948ab63627cdc424cb7709f94e
SHA3-384 hash: e955abdf6a53744e6ab4c6fd6dcae4dff71fa64907f85c17d9fe14be1ccaf568014612412cc735396ff0555a34f8a880
SHA1 hash: e5ce759797298baeeb5d25504dcee0c77149cf88
MD5 hash: cc2d56e151fccf815bf1c71830f9a11a
humanhash: skylark-saturn-grey-dakota
File name:cc2d56e151fccf815bf1c71830f9a11a.exe
Download: download sample
Signature QatarRAT
Create hunting rule
File size:6'715'392 bytes
First seen:2026-02-27 16:39:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'741 x Formbook, 12'286 x SnakeKeylogger)
ssdeep 98304:S4wxEJ/2C2WojPJw80Rp7XcO15YeOVgypS7J3paSmAMDHbb:Z6k2C2WUJB0HXZBnypS1
Threatray 20 similar samples on MalwareBazaar
TLSH T1A86645069E74497CD5AA42739871F438B73D74EE8A9DAF0BF97C90E33AD22107916342
TrID 44.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
26.3% (.EXE) InstallShield setup (43053/19/16)
10.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win64 Executable (generic) (6522/11/2)
Magika pebin
Reporter abuse_ch
Tags:exe QatarRAT RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
cc2d56e151fccf815bf1c71830f9a11a.exe
Verdict:
Malicious activity
Analysis date:
2026-02-27 16:41:27 UTC
Tags:
evasion celestialrat rat generic stealer mirai botnet
Link:
https://app.any.run/tasks/f80498dc-8374-4e85-82b9-5190c290c11d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54887/
Detection(s):
Win.Packed.AsyncRAT-9938103-1
Create hunting rule

Win.Packed.Msilperseus-9956592-0
Create hunting rule

Win.Packed.Msilmamut-10007182-0
Create hunting rule

Win.Dropper.LokiBot-10010685-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a1c8fa8fffa866e3b2d5d2
Tags:
vmdetect autorun
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm base64 cmd cmstp evasive explorer fingerprint fingerprint lolbin obfuscated packed reconnaissance rundll32 runonce schtasks telegram vbnet wscript zusy
Link:
https://www.filescan.io/uploads/69a1c8f6d967dbda74ef4e02/reports/8084b745-8596-4627-baef-4689ab48d54b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/04fffcd5e0509e3609e5dc106afb8bfa7fab3a948ab63627cdc424cb7709f94e
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
Link:
https://opentip.kaspersky.com/04fffcd5e0509e3609e5dc106afb8bfa7fab3a948ab63627cdc424cb7709f94e/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/70eb4e31-db77-4aa6-a038-50e7b3e2c121
Result
Threat name:
QatarC, chromElevator
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1876078
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected chromElevator
Yara detected Costura Assembly Loader
Yara detected QatarCRAT
Yara detected Telegram Recon
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1876078 Sample: 8B5geFWzWV.exe Startdate: 27/02/2026 Architecture: WINDOWS Score: 100 93 Found malware configuration 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 Multi AV Scanner detection for submitted file 2->97 99 14 other signatures 2->99 9 8B5geFWzWV.exe 5 2->9         started        13 Qatar.exe 1 2->13         started        process3 file4 79 C:\Users\user\AppData\Roaming\...\Qatar.exe, PE32 9->79 dropped 81 C:\Users\user\AppData\...\8B5geFWzWV.exe.log, ASCII 9->81 dropped 103 Contains functionality to hide user accounts 9->103 105 Found many strings related to Crypto-Wallets (likely being stolen) 9->105 15 Qatar.exe 15 21 9->15         started        20 cmd.exe 1 9->20         started        signatures5 process6 dnsIp7 83 5.252.153.53 WORLDSTREAMNL Russian Federation 15->83 85 104.16.184.241 CLOUDFLARENETUS United States 15->85 71 C:\Users\user\AppData\...\watchdog.vbs.bat, DOS 15->71 dropped 73 C:\Users\user\AppData\Local\...\watchdog.vbs, ASCII 15->73 dropped 75 C:\Users\user\AppData\Local\...\SharpDX.dll, PE32 15->75 dropped 77 6 other files (none is malicious) 15->77 dropped 87 Multi AV Scanner detection for dropped file 15->87 89 Installs a global keyboard hook 15->89 22 cmd.exe 3 2 15->22         started        24 cmd.exe 15->24         started        26 cmd.exe 15->26         started        32 5 other processes 15->32 91 Uses schtasks.exe or at.exe to add and modify task schedules 20->91 28 conhost.exe 20->28         started        30 schtasks.exe 1 20->30         started        file8 signatures9 process10 process11 34 wscript.exe 22->34         started        45 2 other processes 22->45 37 wscript.exe 24->37         started        47 2 other processes 24->47 39 wscript.exe 26->39         started        49 2 other processes 26->49 41 wscript.exe 32->41         started        43 wscript.exe 32->43         started        51 12 other processes 32->51 signatures12 101 Windows Scripting host queries suspicious COM object (likely to drop second stage) 34->101 53 Qatar.exe 34->53         started        55 Qatar.exe 34->55         started        63 2 other processes 37->63 57 Qatar.exe 39->57         started        59 Qatar.exe 39->59         started        65 2 other processes 41->65 67 2 other processes 43->67 61 Qatar.exe 51->61         started        69 3 other processes 51->69 process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/04fffcd5e0509e3609e5dc106afb8bfa7fab3a948ab63627cdc424cb7709f94e
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04fffcd5e0509e3609e5dc106afb8bfa7fab3a948ab63627cdc424cb7709f94e/
Verdict:
Malicious
Threat:
Family.CELESTIALRAT
Link:
https://tip.neiki.dev/file/04fffcd5e0509e3609e5dc106afb8bfa7fab3a948ab63627cdc424cb7709f94e
Threat name:
ByteCode-MSIL.Trojan.Seraph
Create hunting rule
Status:
Malicious
First seen:
2026-02-27 12:56:03 UTC
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=at77zvpakcpdmcpf3qigv64l7j72wouurk3dmj6nyqsmw5yj7fha._file
Verdict:
malicious
Label(s):
qatarrat
Create hunting rule
arkanixstealer
Create hunting rule
Similar samples:
1866a1b6c1c64997769312d513eeee808f633fad3b31f45da6d4c957fa8dd052
QatarRAT
2b696ba0ea5ea7f35dcd39be430a8880034490f3d1c5f2219fed2d06376a21a3
QatarRAT
465e92ef5dc308cbd8ed79d503e0a7702eddd1e298662bc8695caf6ba383750a
QatarRAT
4eb10256903d23fe98c1b28886409ce9fb76a86fa31cdc11f87f42790c915694
QatarRAT
d6794a5fe565bdb5451694d27c34b535409274e508b1400b7a7ccd823970d3d6
QatarRAT
error
QatarRAT
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/260227-t6pjmagt4c/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
04fffcd5e0509e3609e5dc106afb8bfa7fab3a948ab63627cdc424cb7709f94e
MD5 hash:
cc2d56e151fccf815bf1c71830f9a11a
SHA1 hash:
e5ce759797298baeeb5d25504dcee0c77149cf88
Detections:
win_lumma_a0
Create hunting rule
RDPWrap
Create hunting rule
Link:
https://www.unpac.me/results/924f358a-8a2a-4db2-8100-df16846d88cc/
SH256 hash:
e857298fd2f8d1c7d48780769433f33e7b3ceaae5ea5a74c13ce8c10bcc7b690
MD5 hash:
1d04536714bb22a3e909525a7dd627f0
SHA1 hash:
affc166fa1874ff3ec0e42646e008cec972b76ab
Link:
https://www.unpac.me/results/924f358a-8a2a-4db2-8100-df16846d88cc/
Malware family:
QatarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/04fffcd5e050/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04fffcd5e0509e3609e5dc106afb8bfa7fab3a948ab63627cdc424cb7709f94e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:TelegramAPIMalware_PowerShell_EXE
Create hunting rule
Author:@polygonben
Description:Hunting for pwsh malware using Telegram for C2
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/54887/

Comments