MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f831bfdd5b3ab7f4194b6fd391cac71b70ba7ced3489eb2bdf78170eb1214e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 6 File information Comments

SHA256 hash:	4f831bfdd5b3ab7f4194b6fd391cac71b70ba7ced3489eb2bdf78170eb1214e9
SHA3-384 hash:	384f1119dceaf24b69743dd9333516f47a9c28e0fecd81acd9da734d8cda5beae430402860ef4990becd3aef267dcd10
SHA1 hash:	acb20c0c56da6085bc9508bd9fa6ee25d6ef92df
MD5 hash:	4ae7fa0777d1d79d3ecb39c3b709189d
humanhash:	neptune-iowa-illinois-salami
File name:	built_crypted.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	5'348'352 bytes
First seen:	2025-09-08 11:37:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	49152:uQHlEQpMxabpmQb6FEPcSUu0Juw5y5SfRfPfoTov7SjZszqg/3wwsIRF16Z0O:
Threatray	108 similar samples on MalwareBazaar
TLSH	T14F36DC383BEAD0197273EE564AD474A7A95FB7B37B03944E206103464633941EEE2D3E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

built_crypted.exe

Verdict:

Malicious activity

Analysis date:

2025-09-07 23:13:47 UTC

Tags:

auto-reg api-base64 xor-url generic crypto-regex

Link:

https://app.any.run/tasks/d78a91ad-9b79-41eb-a546-8bd9a7ca6e7a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/26247/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68be11adb20052598878d430

Tags:

autorun micro spawn sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% subdirectories

Launching a process

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a file

DNS request

Connection attempt

Setting a keyboard event handler

Sending a custom TCP request

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm cryptor_detected obfuscated obfuscated packed

Link:

https://www.filescan.io/uploads/68bec047532ebbcda8d17dc3/reports/f46b0654-2538-45ea-8d84-c5478273467c/overview

Verdict:

Malicious

Labled as:

MSILKrypt.Generic

Link:

https://www.hybrid-analysis.com/sample/4f831bfdd5b3ab7f4194b6fd391cac71b70ba7ced3489eb2bdf78170eb1214e9

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-07T20:16:00Z UTC

Last seen:

2025-09-07T20:16:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan.Win32.Generic HEUR:Trojan.MSIL.Quasar.gen PDM:Trojan.Win32.Tasker.cust PDM:Trojan.Win32.Generic Trojan-PSW.MSIL.Agent.sb Trojan.MSIL.Quasar.a Trojan.MSIL.Crypt.sb

Link:

https://opentip.kaspersky.com/4f831bfdd5b3ab7f4194b6fd391cac71b70ba7ced3489eb2bdf78170eb1214e9/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c5b91bc5-5ebd-40ba-8bdf-c2d90b04f8e1

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1773065

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4f831bfdd5b3ab7f4194b6fd391cac71b70ba7ced3489eb2bdf78170eb1214e9

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.03 Win 32 Exe x86

Link:

https://app.malva.re/file/4ae7fa0777d1d79d3ecb39c3b709189d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4f831bfdd5b3ab7f4194b6fd391cac71b70ba7ced3489eb2bdf78170eb1214e9/

Verdict:

Malicious

Threat:

Trojan.MSIL.Quasar

Link:

https://tip.neiki.dev/file/4f831bfdd5b3ab7f4194b6fd391cac71b70ba7ced3489eb2bdf78170eb1214e9

Threat name:

ByteCode-MSIL.Trojan.Nekark

Status:

Malicious

First seen:

2025-09-07 23:13:48 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j6brx7ovwovx6qmuw36tshfmog3qxj6o2nej5mv566axb2ysctuq._file

Verdict:

malicious

Label(s):

quasarrat

QuasarRAT

62e2c7d860a0e3e0975c5b9da5193f9ab3ca6c56ef4eea46d17cc87ac4598b90

QuasarRAT

9f8b05f57597f6a61089e954ea1c2dfa24f1a4a72c5a2ff883a9fabb1203f658

QuasarRAT

e553c34b8aabb6ad42dfdb8a77759b32c6c035f2fc82618eefa2261c71dee761

QuasarRAT

eb72d6dd2158ce9ad453f8ecfd5d6900cce588c196ae5806268cbaf3475848da

QuasarRAT

error

QuasarRAT

f66a4ee15f672bbf9259027eb286f369bfa81a3aa979f547415b831d22d031b5

QuasarRAT

f879f50e21830b34b77fd94a33b6c395b9837bb701a7f5e4dad2e9d287af9e72

QuasarRAT

+ 98 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

execution persistence

Link:

https://tria.ge/reports/250908-nr4r4sbl91/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Executes dropped EXE

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b7516144-c802-46ed-a391-d8ad4fe3bfa2

Unpacked files

SH256 hash:

4f831bfdd5b3ab7f4194b6fd391cac71b70ba7ced3489eb2bdf78170eb1214e9

MD5 hash:

4ae7fa0777d1d79d3ecb39c3b709189d

SHA1 hash:

acb20c0c56da6085bc9508bd9fa6ee25d6ef92df

Link:

https://www.unpac.me/results/f6d50189-4f3b-4c7f-9e2a-be51dcc7bf88/

SH256 hash:

085f01b69726bf4a6b116a8816c85d49ebb747b764e43d6830a01c7d54587da7

MD5 hash:

f49357c6ef061663c292663537ab04fc

SHA1 hash:

58c3c22580d43728ad19f92b4c55e7ede6c145bf

Detections:

INDICATOR_EXE_Packed_Fody

Link:

https://www.unpac.me/results/f6d50189-4f3b-4c7f-9e2a-be51dcc7bf88/

SH256 hash:

52baff5ea0f63cf37ae0cc5a77504ee22491cefb4e61a51c1b4d157511916c35

MD5 hash:

839dd924eb6e9e5672d79241c8ae292d

SHA1 hash:

c191c6ee754956190667ad971f8abfaed8eacc92

Detections:

SUSP_NET_Large_Static_Array_In_Small_File_Jan24

HKTL_NET_GUID_Quasar

Link:

https://www.unpac.me/results/f6d50189-4f3b-4c7f-9e2a-be51dcc7bf88/

Parent samples :

e553c34b8aabb6ad42dfdb8a77759b32c6c035f2fc82618eefa2261c71dee761
62e2c7d860a0e3e0975c5b9da5193f9ab3ca6c56ef4eea46d17cc87ac4598b90
eb72d6dd2158ce9ad453f8ecfd5d6900cce588c196ae5806268cbaf3475848da
6e6e691a7f98fc4086f2bec28b34b2474ab783e9408c611e789a00107a24c227
7e4fe2503e3dd2028c230f5e0413423f1dbbcbda01a252d22c8ece243979e927
4f831bfdd5b3ab7f4194b6fd391cac71b70ba7ced3489eb2bdf78170eb1214e9
b6d7379d42b82f6e3943837a34a74936f230cdfbb3ff2d19f1517466492af7c2

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4f831bfdd5b3ab7f4194b6fd391cac71b70ba7ced3489eb2bdf78170eb1214e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DebuggerCheck__PEB Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/26247/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample