MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2570965cfad52b4929646db93d122b886a9a5bbe161a78beba3bafff582cb860. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2570965cfad52b4929646db93d122b886a9a5bbe161a78beba3bafff582cb860
SHA3-384 hash: 0349b6a010d21dc98c60ecc841a63ee9644c988483eb9707392201d13add708fc0f95f708450bb6d835659ba85abab9a
SHA1 hash: 296a7d11a9292f268c6c0e55c4dbab8ce4342c57
MD5 hash: 81004eb742d13246173caa8c02e35617
humanhash: spring-beryllium-three-louisiana
File name:Meow Updated.jar
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:17'002 bytes
First seen:2025-08-28 14:42:44 UTC
Last seen:2025-08-28 14:42:44 UTC
File type:Java file jar
MIME type:application/zip
ssdeep 384:jsU5kn51nqXJwm7UFP/ugEtKRhoxvnmEcma/EEloMmVwItLrmzQ:YUInCf7UFPytKanmEy9B4r4Q
TLSH T1E272CFCA6D3462E2C3D1037E3F3074175A4ECD19589BCB6FAE85288B49FC118678E5C2
TrID 77.1% (.JAR) Java Archive (13500/1/2)
22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika jar
Reporter burger
Tags:dropper jar QuasarRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MeowUpdated.jar
Verdict:
No threats detected
Analysis date:
2025-08-28 14:33:33 UTC
Tags:
pastebin java
Link:
https://app.any.run/tasks/fed1b969-6960-40ac-867b-57a7bafeb855

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24044/
Detection(s):
SecuriteInfo.com.Java.Obfus-11.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b06b213e988eb6ab82e43d
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/68b06b1c39a6221faa732919/reports/709d9297-f2fa-4448-8404-9b108e4b5ac0/overview
Verdict:
Suspicious
Labled as:
JAVA/AVI.Agent
Link:
https://www.hybrid-analysis.com/sample/2570965cfad52b4929646db93d122b886a9a5bbe161a78beba3bafff582cb860
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/2570965cfad52b4929646db93d122b886a9a5bbe161a78beba3bafff582cb860
Verdict:
Clean
File Type:
jar
Link:
https://opentip.kaspersky.com/2570965cfad52b4929646db93d122b886a9a5bbe161a78beba3bafff582cb860/results?tab=lookup
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1767058
Signature
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates multiple autostart registry keys
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1767058 Sample: Meow Updated.jar Startdate: 28/08/2025 Architecture: WINDOWS Score: 100 100 pastebin.com 2->100 102 files.catbox.moe 2->102 110 Found malware configuration 2->110 112 Malicious sample detected (through community Yara rule) 2->112 114 Antivirus detection for dropped file 2->114 118 9 other signatures 2->118 10 cmd.exe 2 2->10         started        12 ChromeUpdates.exe 1 2->12         started        15 ChromeUpdates.exe 2->15         started        17 6 other processes 2->17 signatures3 116 Connects to a pastebin service (likely for C&C) 100->116 process4 dnsIp5 20 java.exe 17 10->20         started        24 conhost.exe 10->24         started        130 Suspicious powershell command line found 12->130 132 Creates multiple autostart registry keys 12->132 26 powershell.exe 12 12->26         started        28 powershell.exe 15->28         started        98 127.0.0.1 unknown unknown 17->98 30 powershell.exe 17->30         started        32 powershell.exe 17->32         started        34 powershell.exe 17->34         started        36 2 other processes 17->36 signatures6 process7 dnsIp8 104 pastebin.com 172.66.171.73, 443, 49681, 49687 CLOUDFLARENETUS United States 20->104 106 files.catbox.moe 108.181.20.35, 443, 49682 ASN852CA Canada 20->106 80 C:\Users\user\AppData\...\ChromeUpdates.exe, PE32+ 20->80 dropped 38 cmd.exe 1 20->38         started        40 ChromeUpdates.exe 1 1 26->40         started        44 conhost.exe 26->44         started        46 ChromeUpdates.exe 28->46         started        48 conhost.exe 28->48         started        50 2 other processes 30->50 52 2 other processes 32->52 54 2 other processes 34->54 56 4 other processes 36->56 file9 process10 file11 58 ChromeUpdates.exe 1 1 38->58         started        62 conhost.exe 38->62         started        82 C:\Users\user\AppData\...\dat6890535.exe, PE32 40->82 dropped 120 Creates multiple autostart registry keys 40->120 64 dat6890535.exe 3 40->64         started        84 C:\Users\user\AppData\...\sys6909370.exe, PE32 46->84 dropped 66 sys6909370.exe 46->66         started        86 C:\Users\user\AppData\...\tmp6917320.exe, PE32 50->86 dropped 68 tmp6917320.exe 50->68         started        88 C:\Users\user\AppData\...\tmp6925794.exe, PE32 52->88 dropped 70 tmp6925794.exe 52->70         started        90 C:\Users\user\AppData\...\tmp6945750.exe, PE32 54->90 dropped 72 tmp6945750.exe 54->72         started        92 C:\Users\user\AppData\...\sys6961463.exe, PE32 56->92 dropped 94 C:\Users\user\AppData\...\sys6953775.exe, PE32 56->94 dropped 74 sys6953775.exe 56->74         started        signatures12 process13 file14 96 C:\Users\user\AppData\...\dat6887422.exe, PE32 58->96 dropped 122 Antivirus detection for dropped file 58->122 124 Multi AV Scanner detection for dropped file 58->124 126 Suspicious powershell command line found 58->126 128 4 other signatures 58->128 76 dat6887422.exe 14 2 58->76         started        signatures15 process16 dnsIp17 108 45.74.16.2, 4444 M247GB United States 76->108 134 Antivirus detection for dropped file 76->134 136 Hides that the sample has been downloaded from the Internet (zone.identifier) 76->136 signatures18
Score:
0%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/2570965cfad52b4929646db93d122b886a9a5bbe161a78beba3bafff582cb860
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2570965cfad52b4929646db93d122b886a9a5bbe161a78beba3bafff582cb860/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/2570965cfad52b4929646db93d122b886a9a5bbe161a78beba3bafff582cb860
Threat name:
ByteCode-JAVA.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-28 00:51:34 UTC
File Type:
Binary (Archive)
Extracted files:
6
AV detection:
9 of 38 (23.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=evyjmxh22uvusklenw4t2erlrbvjuw56cynhrpv2hox76wbmxbqa._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion
Link:
https://tria.ge/reports/250828-r3w37aswc1/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VMWare services registry key.
Enumerates VirtualBox registry keys
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2570965cfad5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/2570965cfad52b4929646db93d122b886a9a5bbe161a78beba3bafff582cb860

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

QuasarRAT

Java file jar 2570965cfad52b4929646db93d122b886a9a5bbe161a78beba3bafff582cb860

(this sample)

QuasarRAT

Executable exe 3662a8d4f950c9ebd0851e0b0713f2e48dfb7dd5ac3de02bae8acd1d6c4efd1d

  
Dropping
SHA256 3662a8d4f950c9ebd0851e0b0713f2e48dfb7dd5ac3de02bae8acd1d6c4efd1d
  
Dropping
MD5 0638de0435b4ba809cd39f311ab002bf
Cape
Cape
https://www.capesandbox.com/analysis/24044/

Comments