MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ad6a919f8256c9100324af50c0894527bb71f344ecdfe1e1f00b4e708ff8481. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ad6a919f8256c9100324af50c0894527bb71f344ecdfe1e1f00b4e708ff8481
SHA3-384 hash: 942e89269e593b83d87d4c09b5ad2d636e343cd61618c48df69d1f20e0a010c2acb20fcc7458f19d188149390a6d3ad3
SHA1 hash: b2d4805b29cd1f4fd7c2d7c0ceb21ab7c4e8340e
MD5 hash: f7398df9b4a2f27568ded2f1b750e65e
humanhash: juliet-freddie-mars-sad
File name:file
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:8'110'592 bytes
First seen:2026-01-06 18:11:45 UTC
Last seen:2026-01-06 21:19:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 60559adcf3698c3eb3c69577ebf28413 (3 x DonutLoader, 1 x njrat, 1 x QuasarRAT)
ssdeep 196608:QMLJZvVtypBrzn7GMhO6c/iODP2m95RlltjP2JKYiHB:QOJZvVEnrT7lhO6cTDOE5/KJuh
Threatray 63 similar samples on MalwareBazaar
TLSH T11E86332E94F2DBE8D6B9D4F616FC127E05E3781F31DFA1A967EA4511BA090C704380B6
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 QuasarRAT


Avatar
Bitsight
url: http://130.12.180.43/files/7449711934/EsSLuZk.exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
201
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-01-06 18:14:48 UTC
Tags:
evasion rat pulsar uac stealer arch-doc crypto-regex
Link:
https://app.any.run/tasks/a09b59a4-0bc0-4b76-a474-8db27958aa3a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47879/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=695d5082e148d42004dfe5dd
Tags:
backdoor shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Connection attempt
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Sending an HTTP POST request
Enabling the 'hidden' option for files in the %temp% directory
Unauthorized injection to a recently created process
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto hacktool masm packed
Link:
https://www.filescan.io/uploads/695d507eafe828bbd3154014/reports/9a0a97df-ab55-4406-8d8c-27405a992910/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/2ad6a919f8256c9100324af50c0894527bb71f344ecdfe1e1f00b4e708ff8481
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-06T15:29:00Z UTC
Last seen:
2026-01-07T18:23:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.Donut.sb Trojan.Win32.Shellcode.sb Trojan.Win64.DonutInjector.sb Backdoor.MSIL.PulsarRAT.sb Trojan-PSW.Win32.Coins.sb Trojan.Win64.Agentb.sb PDM:Trojan.Win32.Generic Backdoor.MSIL.PulsarRAT.fn Trojan-Spy.Stealer.TCP.C&C Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Agent.sb Trojan.Win64.Agent.sb Trojan-PSW.MSIL.Stealer.sb Trojan.Win32.Agent.sb Trojan-Spy.Stealer.HTTP.C&C Trojan-PSW.MSIL.Agent.sb Trojan.MSIL.Agent.sb
Link:
https://opentip.kaspersky.com/2ad6a919f8256c9100324af50c0894527bb71f344ecdfe1e1f00b4e708ff8481/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/06017fc9-3d0b-4c46-aefe-1588c6c7be3a
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2ad6a919f8256c9100324af50c0894527bb71f344ecdfe1e1f00b4e708ff8481
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/f7398df9b4a2f27568ded2f1b750e65e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ad6a919f8256c9100324af50c0894527bb71f344ecdfe1e1f00b4e708ff8481/
Verdict:
Malicious
Threat:
Family.PULSAR
Link:
https://tip.neiki.dev/file/2ad6a919f8256c9100324af50c0894527bb71f344ecdfe1e1f00b4e708ff8481
Threat name:
Win64.Trojan.DonutLoader
Create hunting rule
Status:
Malicious
First seen:
2026-01-06 18:12:18 UTC
File Type:
PE+ (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fllksgpyevwjcabsjl2qyceukj53ohzuj3g74hq7ac2ooch7qsaq._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
donutloader
Create hunting rule
Similar samples:
0455ebce0a62e2413a730a8e172cde5e6171d2a3569c4620c7e10a6ff04a3710
QuasarRAT
0b5c1b777491d7f267bdb5b1eb6e687323799f85ea5eac44f3db11a84c7f505c
QuasarRAT
15119331f58db1c391df927fa73723c1d7ba66d46fe2aecf1526a117c5b59d05
QuasarRAT
5796230cdd9dac9064551b7e0aeecd62ff2c25808dfe854e774c54815f66c741
QuasarRAT
6eeb5788ce02a71cee8cad314c4f1c467ac0dc77b23cbbef4f3a38bdfbd75f46
QuasarRAT
7830e7c10b53bf790efd4c6b5d52e0c31cb83d86378c2aeef96d7dc8d726f245
QuasarRAT
8b285bfafb3e876e29f04165896276d17f0998e2b02f97c90a28c34ab53ee866
QuasarRAT
9250584a4878cae6188ba7eafa667e4612afbfb89e2698bbc5ceb7fa17cddc08
QuasarRAT
e27288fcd6c3ccbadf90d37481ff6b407e31eeb33f775e5110be3e75401879b9
QuasarRAT
error
QuasarRAT
+ 53 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:quasar discovery loader spyware stealer trojan
Link:
https://tria.ge/reports/260106-ws9nracx4h/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Looks up external IP address via web service
Executes dropped EXE
Reads user/profile data of web browsers
Detects DonutLoader
DonutLoader
Donutloader family
Quasar RAT
Quasar family
Quasar payload
Verdict:
Malicious
Tags:
External_IP_Lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/60c975a6-f0bc-493b-b49a-e5d513b1ca92
Unpacked files
SH256 hash:
2ad6a919f8256c9100324af50c0894527bb71f344ecdfe1e1f00b4e708ff8481
MD5 hash:
f7398df9b4a2f27568ded2f1b750e65e
SHA1 hash:
b2d4805b29cd1f4fd7c2d7c0ceb21ab7c4e8340e
Link:
https://www.unpac.me/results/fe638f16-94ab-4324-94cf-65876486e7a3/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2ad6a919f825/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/2ad6a919f8256c9100324af50c0894527bb71f344ecdfe1e1f00b4e708ff8481

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 2ad6a919f8256c9100324af50c0894527bb71f344ecdfe1e1f00b4e708ff8481

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3751498/
Cape
Cape
https://www.capesandbox.com/analysis/47879/

Comments