MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c03efcf8673a901a4d51f24e3d4f4ed698f9b4782b53a8c254dd1a1a00a2604. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 18

Intelligence 18 IOCs YARA 3 File information Comments

SHA256 hash:	2c03efcf8673a901a4d51f24e3d4f4ed698f9b4782b53a8c254dd1a1a00a2604
SHA3-384 hash:	248c83c1137f3ddfc543acd5386fbb6761e1c22d8f733f481b0afe2f854f7dde9bb114d5289b633d98df13c272a738ab
SHA1 hash:	920b1da0d958f92196df9db907fccac5f5e702c3
MD5 hash:	b971f1f8dc4f8f326a3c1c973834626f
humanhash:	gee-indigo-robin-mockingbird
File name:	2c03efcf8673a901a4d51f24e3d4f4ed698f9b4782b53a8c254dd1a1a00a2604
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	5'626'880 bytes
First seen:	2026-02-18 07:41:26 UTC
Last seen:	2026-02-18 08:30:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'741 x Formbook, 12'286 x SnakeKeylogger)
ssdeep	49152:7LzswaoVnztqNusJtW8785c/t4itGkV7vhB109Q6K0Xz7gk7YoN5Z9A2AY3WkIP5:xRwNuAWm3GMvD+dHLRd9AdY3WkYSyC
Threatray	815 similar samples on MalwareBazaar
TLSH	T1014623393D821415CA680BFE8026D9C537F1E68B6706C36D7BED01ACDD53B4B9B2B624
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	cbzr-98pq1-ydns-eu code1-ydns-eu exe QuasarRAT Spam-ITA

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

DeepSea

Details

DeepSea

DeepSea decrypted strings

Link:

https://research.acce.ciphertechsolutions.com/results/0787e8ac-ae9a-423f-8a9b-c3f68d45e65e/

Malware family:

quasar

ID:

File name:

Zamówienie - 0091500262026 - LVS Polska SA.pdf(68KB).com

Verdict:

Malicious activity

Analysis date:

2026-02-17 08:54:33 UTC

Tags:

netreactor loader remote xworm evasion rat quasar remcos

Link:

https://app.any.run/tasks/0f7b9bf4-5260-421d-997a-35d80f67bda9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

QuasarRAT

Link:

https://www.capesandbox.com/analysis/53660/

Detection(s):

SecuriteInfo.com.Trojan.Inject6.26872.17306.17532.UNOFFICIAL

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69956d5f1ebe863df48510ec

Tags:

autorun shell sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin obfuscated obfuscated tracker unsafe vbnet

Link:

https://www.filescan.io/uploads/69956d5710e80629d4e856eb/reports/e155283d-cb79-4300-8277-63e14bd3fb4c/overview

Verdict:

Malicious

Labled as:

IL:Trojan.MSILZilla

Link:

https://www.hybrid-analysis.com/sample/2c03efcf8673a901a4d51f24e3d4f4ed698f9b4782b53a8c254dd1a1a00a2604

Verdict:

Malicious

File Type:

exe x32

Detections:

PDM:Trojan.Win32.Generic Trojan.MSIL.Inject.b HEUR:Trojan-PSW.MSIL.Stealer.gen

Link:

https://opentip.kaspersky.com/2c03efcf8673a901a4d51f24e3d4f4ed698f9b4782b53a8c254dd1a1a00a2604/results?tab=lookup

Malware family:

Quasar RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/34d0123b-1ace-4e43-8d1d-ed6a96f6fc60

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2c03efcf8673a901a4d51f24e3d4f4ed698f9b4782b53a8c254dd1a1a00a2604

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2c03efcf8673a901a4d51f24e3d4f4ed698f9b4782b53a8c254dd1a1a00a2604/

Verdict:

Malicious

Threat:

Family.QUASAR

Link:

https://tip.neiki.dev/file/2c03efcf8673a901a4d51f24e3d4f4ed698f9b4782b53a8c254dd1a1a00a2604

Threat name:

Win32.Trojan.Jalapeno

Status:

Malicious

First seen:

2026-02-17 12:53:09 UTC

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fqb67t4goouqdjgvd4sohvhu5vuy7g2hqk2tvdbfjxi2diakeyca._file

Verdict:

malicious

Label(s):

quasarrat

QuasarRAT

40c6d95876d7a085020471145c41cd5a16090625919d5de147334a52d24a6f1b

QuasarRAT

53aefcb31cf737d2af9779bea562b358bb08c876bb68fbe5614c1084decb6728

QuasarRAT

6960b195f9cca224e216556a8df9b359fcc13219a311b6edcb2a85164c32a692

QuasarRAT

7cf92236a23833476c9e91eabf6bf023de5572b65a62da1e6cb9be39247162a6

QuasarRAT

error

QuasarRAT

f5238cef954ae8da144e56269c54e11f5861d7e11c7334a632b46e41c9ee65a4

QuasarRAT

+ 805 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar botnet:welcome discovery execution persistence spyware trojan

Link:

https://tria.ge/reports/260218-jjsyescv9g/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

.NET Reactor proctector

Executes dropped EXE

Quasar RAT

Quasar family

Quasar payload

Malware Config

C2 Extraction:

cbzr-98pq1.ydns.eu:4045
code1.ydns.eu:9302

Unpacked files

SH256 hash:

2c03efcf8673a901a4d51f24e3d4f4ed698f9b4782b53a8c254dd1a1a00a2604

MD5 hash:

b971f1f8dc4f8f326a3c1c973834626f

SHA1 hash:

920b1da0d958f92196df9db907fccac5f5e702c3

Link:

https://www.unpac.me/results/aa5f939d-e6b8-4b83-9a7f-4eeb76dcb4dd/

Malware family:

QuasarRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2c03efcf8673/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2c03efcf8673a901a4d51f24e3d4f4ed698f9b4782b53a8c254dd1a1a00a2604

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/53660/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample