MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3662a8d4f950c9ebd0851e0b0713f2e48dfb7dd5ac3de02bae8acd1d6c4efd1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3662a8d4f950c9ebd0851e0b0713f2e48dfb7dd5ac3de02bae8acd1d6c4efd1d
SHA3-384 hash: e0e3f56a18ee2f4b37496147a69da1ac52fe725b12249af9dd0a2a556be5a61fd871151880f22a967f551b43109b2af9
SHA1 hash: dbe89fdde3fe98a3db192156b8b24a4c516bbe3f
MD5 hash: 0638de0435b4ba809cd39f311ab002bf
humanhash: oklahoma-fanta-mars-early
File name:ChromeUpdates.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:2'010'112 bytes
First seen:2025-08-28 14:42:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4212d684ac905b1d94ca771b4bd8f7e2 (1 x QuasarRAT)
ssdeep 49152:+JICdoTtgWJ9bqNbzRheWYT/bJhoPtJxvtPSCAT2vZ30uf:+CCdoTvmFYWYT/HAtfthz
TLSH T17F95235AB27712FCD976483C8C479219F7F2382407318B5B966D5F210F3B7908E2AE66
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter burger
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ChromeUpdates.exe
Verdict:
No threats detected
Analysis date:
2025-08-28 14:40:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b7a80b31-d432-4f8c-9844-ffe047ffcbe0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24045/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b06b273e988eb6ab82e446
Tags:
vmdetect quasar agentb
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm evasive microsoft_visual_cc obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68b06b1d39a6221faa73291e/reports/466e759a-ef23-4985-ba2b-565f7f70a881/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3662a8d4f950c9ebd0851e0b0713f2e48dfb7dd5ac3de02bae8acd1d6c4efd1d
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-08-27T18:00:00Z UTC
Last seen:
2025-08-27T18:00:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Banker.MSIL.ClipBanker.gen HEUR:Trojan.Win32.Agentb.gen HEUR:Trojan.MSIL.Quasar.gen
Link:
https://opentip.kaspersky.com/3662a8d4f950c9ebd0851e0b0713f2e48dfb7dd5ac3de02bae8acd1d6c4efd1d/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f56bd5e3-0f14-4865-88c2-22c1c0eb95b9
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1767070
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to disable the Task Manager (.Net Source)
Creates multiple autostart registry keys
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Malware Callback Communication
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1767070 Sample: ChromeUpdates.exe Startdate: 28/08/2025 Architecture: WINDOWS Score: 100 86 pastebin.com 2->86 92 Found malware configuration 2->92 94 Malicious sample detected (through community Yara rule) 2->94 96 Antivirus / Scanner detection for submitted sample 2->96 100 7 other signatures 2->100 9 ChromeUpdates.exe 1 1 2->9         started        13 ChromeUpdates.exe 1 2->13         started        15 ChromeUpdates.exe 1 2->15         started        17 5 other processes 2->17 signatures3 98 Connects to a pastebin service (likely for C&C) 86->98 process4 file5 84 C:\Users\user\AppData\...\upd4712165.exe, PE32 9->84 dropped 108 Suspicious powershell command line found 9->108 110 Creates multiple autostart registry keys 9->110 112 Contain functionality to detect virtual machines 9->112 114 2 other signatures 9->114 19 upd4712165.exe 14 2 9->19         started        23 powershell.exe 12 13->23         started        25 powershell.exe 15->25         started        27 powershell.exe 17->27         started        29 powershell.exe 17->29         started        31 powershell.exe 17->31         started        33 2 other processes 17->33 signatures6 process7 dnsIp8 88 45.74.16.2, 4444 M247GB United States 19->88 90 pastebin.com 172.66.171.73, 443, 49715 CLOUDFLARENETUS United States 19->90 102 Antivirus detection for dropped file 19->102 104 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->104 35 ChromeUpdates.exe 1 23->35         started        38 conhost.exe 23->38         started        40 ChromeUpdates.exe 1 25->40         started        42 conhost.exe 25->42         started        44 ChromeUpdates.exe 27->44         started        47 conhost.exe 27->47         started        49 2 other processes 29->49 51 2 other processes 31->51 53 4 other processes 33->53 signatures9 process10 file11 70 C:\Users\user\AppData\...\tmp4733711.exe, PE32 35->70 dropped 55 tmp4733711.exe 3 35->55         started        72 C:\Users\user\AppData\...\sys4741595.exe, PE32 40->72 dropped 58 sys4741595.exe 3 40->58         started        74 C:\Users\user\AppData\...\tmp4776971.exe, PE32 44->74 dropped 116 Creates multiple autostart registry keys 44->116 60 tmp4776971.exe 44->60         started        76 C:\Users\user\AppData\...\win4749396.exe, PE32 49->76 dropped 62 win4749396.exe 3 49->62         started        78 C:\Users\user\AppData\...\upd4759371.exe, PE32 51->78 dropped 64 upd4759371.exe 51->64         started        80 C:\Users\user\AppData\...\upd4767505.exe, PE32 53->80 dropped 82 C:\Users\user\AppData\...\dat4770560.exe, PE32 53->82 dropped 66 upd4767505.exe 53->66         started        68 dat4770560.exe 53->68         started        signatures12 process13 signatures14 106 Antivirus detection for dropped file 58->106
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3662a8d4f950c9ebd0851e0b0713f2e48dfb7dd5ac3de02bae8acd1d6c4efd1d
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/0638de0435b4ba809cd39f311ab002bf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3662a8d4f950c9ebd0851e0b0713f2e48dfb7dd5ac3de02bae8acd1d6c4efd1d/
Verdict:
Malicious
Threat:
Trojan.MSIL.Quasar
Link:
https://tip.neiki.dev/file/3662a8d4f950c9ebd0851e0b0713f2e48dfb7dd5ac3de02bae8acd1d6c4efd1d
Threat name:
Win64.Backdoor.Quasar
Create hunting rule
Status:
Malicious
First seen:
2025-08-28 01:12:34 UTC
File Type:
PE+ (Exe)
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gzrkrvhzkde6xuefdyfqoe7s4sg7w7ovvq66ak5orlgr23co7uoq._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
error
QuasarRAT
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion
Link:
https://tria.ge/reports/250828-r3xdyshk7x/
Behaviour
Looks for VMWare Tools registry key
Looks for VMWare services registry key.
Enumerates VirtualBox registry keys
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5732ad3a-b5a5-4e04-aa00-111c378ed2df
Unpacked files
SH256 hash:
3662a8d4f950c9ebd0851e0b0713f2e48dfb7dd5ac3de02bae8acd1d6c4efd1d
MD5 hash:
0638de0435b4ba809cd39f311ab002bf
SHA1 hash:
dbe89fdde3fe98a3db192156b8b24a4c516bbe3f
Link:
https://www.unpac.me/results/a4c5c32d-7ea4-4bbe-abcd-fcbae940ae27/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3662a8d4f950/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3662a8d4f950c9ebd0851e0b0713f2e48dfb7dd5ac3de02bae8acd1d6c4efd1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Debugger
Create hunting rule
Rule name:Check_VmTools
Create hunting rule
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

QuasarRAT

Java file jar 2570965cfad52b4929646db93d122b886a9a5bbe161a78beba3bafff582cb860

QuasarRAT

Executable exe 3662a8d4f950c9ebd0851e0b0713f2e48dfb7dd5ac3de02bae8acd1d6c4efd1d

(this sample)

  
Dropped by
SHA256 2570965cfad52b4929646db93d122b886a9a5bbe161a78beba3bafff582cb860
Cape
Cape
https://www.capesandbox.com/analysis/24045/
  
Dropped by
MD5 81004eb742d13246173caa8c02e35617

Comments