MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f2b22638ddb587f86f508aaffebc0f0eb1acdbcf783b92260e819d2be9cca2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 19


Intelligence 19 IOCs YARA 16 File information Comments

SHA256 hash: 1f2b22638ddb587f86f508aaffebc0f0eb1acdbcf783b92260e819d2be9cca2e
SHA3-384 hash: a288bb0f799f33231bb7afda1d7759407dfceef1e39cce2619f8b1a20d7417efbdd65e6190385863ccd5fddbe679ef56
SHA1 hash: 89f5617037af63d3256c65a3038f1e198245f82e
MD5 hash: 2553ce39d87b9e0ad58ee44878a09c0b
humanhash: alpha-william-kansas-maryland
File name:SecuriteInfo.com.BackDoor.Quasar.277.6302.27172
Download: download sample
Signature QuasarRAT
File size:865'280 bytes
First seen:2026-06-09 21:20:25 UTC
Last seen:2026-06-09 22:18:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'096 x AgentTesla, 20'113 x Formbook, 12'356 x SnakeKeylogger)
ssdeep 24576:yCFW9pz9LqRNJOj7j+mUKbIXaW1JkZaXULkM:hUzhyFKUGx
Threatray 815 similar samples on MalwareBazaar
TLSH T16E05F0F8AAD0BD35CA256830FD519000C37FB84545BFDD5EA8046E6CF7BA2D40992E9E
TrID 70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win64 Executable (generic) (6522/11/2)
4.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon e0c8cec6c6c6c8e0 (3 x AgentTesla, 3 x QuasarRAT, 1 x CobaltStrike)
Reporter SecuriteInfoCom
Tags:exe QuasarRAT

Intelligence


File Origin
# of uploads :
2
# of downloads :
153
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
stage2.exe
Verdict:
Malicious activity
Analysis date:
2026-06-10 02:23:13 UTC
Tags:
httpdebugger tool quasar rat ip-check evasion yano

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
autorun quasar
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Launching a process
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Connecting to a non-recommended domain
Creating a window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 dotfuscator obfuscated obfuscated packed reconnaissance smartassembly vbnet yano
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-09T17:54:00Z UTC
Last seen:
2026-06-11T00:47:00Z UTC
Hits:
~10
Gathering data
Threat name:
Win32.Trojan.Malgent
Status:
Malicious
First seen:
2026-06-09 21:00:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:quasar botnet:doy1 discovery execution persistence spyware trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Looks up external IP address via web service
Executes dropped EXE
Family: Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
mirroflobsny.sytes.net:61544
wirroflobsny.ydns.eu:61545
Unpacked files
SH256 hash:
1f2b22638ddb587f86f508aaffebc0f0eb1acdbcf783b92260e819d2be9cca2e
MD5 hash:
2553ce39d87b9e0ad58ee44878a09c0b
SHA1 hash:
89f5617037af63d3256c65a3038f1e198245f82e
SH256 hash:
eac9d209ef59a7c7235024ffc4daf38fe7d929b268c26e005ac6b7c4d6b0f951
MD5 hash:
8a8363c9e5c6c87384687920d7a85dc7
SHA1 hash:
3d80b9ef464285d6e381bf685160bd219be883de
SH256 hash:
810ace460537845c06b7d1e5352c66da6ba59ab745424d50fec0d78bca86401a
MD5 hash:
6cc0d85d17c6fc8d0a10ebf30cb86963
SHA1 hash:
d2338d4b53d1a34a1234a0dd1e91783decdbdaf4
Detections:
QuasarRAT
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:INDICATOR_EXE_Packed_Dotfuscator
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:INDICATOR_EXE_Packed_Goliath
Author:ditekSHen
Description:Detects executables packed with Goliath
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 1f2b22638ddb587f86f508aaffebc0f0eb1acdbcf783b92260e819d2be9cca2e

(this sample)

  
Delivery method
Distributed via web download

Comments