MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1634d8e3e41040ba216ebf67d4c830cbd38c5e9c1f6623dcba630e2bd489d696. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 18



SHA256 hash: 1634d8e3e41040ba216ebf67d4c830cbd38c5e9c1f6623dcba630e2bd489d696
SHA3-384 hash: 477e6c5c348b90dc975d4f765e07abb48e1fb71ff4797abbabf28030eeb5ed66395e36840b04443d91ac4354e92cddc5
SHA1 hash: 68f2abf1273b79365c9fd65358409e4be8717125
MD5 hash: 9dbd549527f715d839bfcfb75f9a74f2
humanhash: blossom-kentucky-bulldog-triple
File name: 1634d8e3e41040ba216ebf67d4c830cbd38c5e9c1f6623dcba630e2bd489d696.exe
Signature: QuasarRAT
File size: 5'364'224 bytes
First seen: 2026-03-29 03:52:14 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'853 x AgentTesla, 19'780 x Formbook, 12'304 x SnakeKeylogger)
ssdeep: 24576:TzvislWlQT3HGQlJBPepkdPXk3+rxYa4tN3Sbty+PLqORKtOGyrLRNHEOXDrgCVn:TeOxrBGoNtsIKt/EnrT51loiVssKk
TLSH: T1B34607242DEB102D7373AFA55FD8B8EF895FF6B32B0A64A9205103864723D41DD91B39
TrID:
  70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.2% (.EXE) Win64 Executable (generic) (6522/11/2)
  4.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: KnownSpotter
Tags: exe QuasarRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 134
Origin country: CA

Vendor Threat Intelligence

ID: 1
File name: 1634d8e3e41040ba216ebf67d4c830cbd38c5e9c1f6623dcba630e2bd489d696.exe
Verdict: Malicious activity
Analysis date: 2026-03-12 02:03:51 UTC
Tags: quasar rat auto-reg crypto-regex pulsar
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: vmdetect quasar emotet

Verdict: Malware
Behaviour:
  Creating a file in the %temp% directory
  Creating a process from a recently created file
  Creating a file
  Creating a window
  Creating synchronization primitives
  Connection attempt
  Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
  Unauthorized injection to a recently created process

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 evasive krypt obfuscated reconnaissance unsafe

Verdict: Malicious
File Type: exe x32
First seen: 2025-10-05T11:13:00Z UTC
Last seen: 2025-10-05T17:01:00Z UTC
Hits: ~10

Threat name: ByteCode-MSIL.Hacktool.Aikaantivm
Status: Malicious
First seen: 2025-10-05 17:04:27 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 27 of 36 (75.00%)
Threat level: 1/5

Verdict: malicious
Label(s): quasarrat

Score: 10/10
Tags: family:quasar persistence spyware trojan
Behaviour:
  Suspicious behavior: AddClipboardFormatListener
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Adds Run key to start application
  Checks computer location settings
  Executes dropped EXE
  Quasar RAT
  Quasar family
  Quasar payload
Unpacked files

SHA256 hash: 1634d8e3e41040ba216ebf67d4c830cbd38c5e9c1f6623dcba630e2bd489d696
MD5 hash: 9dbd549527f715d839bfcfb75f9a74f2
SHA1 hash: 68f2abf1273b79365c9fd65358409e4be8717125

SHA256 hash: 068f63496f1e1274d4da0ae3ff500bb578ee647c0fa79034634f9a6fbb751b94
MD5 hash: 6f5f873ec53ec6e4f5637d9022e5f623
SHA1 hash: 263405f894485d55cde00be4758619947b7e142d
Detections: QuasarRAT cn_utf8_windows_terminal malware_windows_xrat_quasarrat MAL_QuasarRAT_May19_1 MAL_BackNet_Nov18_1 INDICATOR_EXE_Packed_Fody INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

SHA256 hash: a0af255ea4b09a8cdb995b8c6fd1075e46f098e23c2351c974e6ded9b8b620cf
MD5 hash: c52a44933d17d576d4c97b4cb0545841
SHA1 hash: 092696fdcc034910aa02c94a5c93f4e1e86e0c50
Detections: SUSP_NET_Large_Static_Array_In_Small_File_Jan24

SHA256 hash: 8660d59a7b76b9ce348665cc8639dfa13c9b29c0398c1d1c12a8e3d8a58e611c
MD5 hash: 84c711f30130339455b4628122cfba15
SHA1 hash: 15eb16b9a6984f6410bcf7e4eafe360c04359566
Detections: SUSP_NET_Large_Static_Array_In_Small_File_Jan24

SHA256 hash: 4c9615496970ea84320e2a6e99f8fb828e3c7790384df5585d93fc368885d94e
MD5 hash: 50e6524b7ee9c2c93f5210b63cb1ca54
SHA1 hash: 3e296ec3bb24750833ea80515e6fb4c73874c91a

SHA256 hash: 5a10f55297557ac56e4a66516b386115e58f46de09dd7387d31d14014edb22de
MD5 hash: 15a7d84b9e0a154b642e5657bd40ddde
SHA1 hash: 62416df0438e422bc34eb30378d1515557b6ec3a
Detections: SUSP_NET_Large_Static_Array_In_Small_File_Jan24 HKTL_NET_GUID_Quasar

SHA256 hash: 56f525e33494f4cd2a560a71cdf237303a3fb54a8fa44e1693eba35c9245c60a
MD5 hash: 07137e5cc4d5ecc95ca267c9dce042d4
SHA1 hash: d82f5e3d718bc9172fcfe0e8c50cb20251762058
Malware family: QuasarRAT
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)

Rule name: telebot_framework
Author: vietdx.mb

File information


The table below shows additional information about this malware sample such as delivery method and external references.
