MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 509c2a5b7f12d2a67bfb9b697581fc9718c6ceba0575cc9e8490284fe4bdd6ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 509c2a5b7f12d2a67bfb9b697581fc9718c6ceba0575cc9e8490284fe4bdd6ce
SHA3-384 hash: 44bc6c667645191e9b41fac1805e021c993a2aff43391b900a1bea3fa7c23581cd0db18024ffb01e9f4459217c7929d8
SHA1 hash: 7fcc39fefb05e24fb241c2a37ae6f08fde069656
MD5 hash: f8de917e3675dd44f4efbc6ed02e984a
humanhash: one-victor-mexico-delta
File name:e-dekontpdf.js
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:70'569 bytes
First seen:2026-06-26 15:00:11 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 1536:IiJUwTWvh1ThiK4iqJ19mKwyQzfTu17RXuH+:IiJUwTWvh1ThiK4iqkfby7Me
Threatray 2'281 similar samples on MalwareBazaar
TLSH T12863FF6123C1F812218F2FA3FB1BF5F5E72A7D9530442C4BE1687DDC566A90ACAA4C71
Magika javascript
Reporter abuse_ch
Tags:js QuasarRAT RAT


Avatar
abuse_ch
QuasarRAT C2:
82.29.94.69:1933

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
82.29.94.69:1933 https://threatfox.abuse.ch/ioc/1838148/

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3dc59e86bc95245bf989fa
Tags:
shell sage remo
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm fingerprint obfuscated powershell repaired
Link:
https://www.filescan.io/uploads/6a3e942742d5f38065f40744/reports/42c083a7-57d8-4478-bcf9-358733d99017/overview
Verdict:
Malicious
Labled as:
SVM:TrojanDownloader/JS.MalBehav.gen
Link:
https://www.hybrid-analysis.com/sample/509c2a5b7f12d2a67bfb9b697581fc9718c6ceba0575cc9e8490284fe4bdd6ce
Verdict:
Malicious
File Type:
js
First seen:
2026-06-25T19:55:00Z UTC
Last seen:
2026-06-27T20:08:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/509c2a5b7f12d2a67bfb9b697581fc9718c6ceba0575cc9e8490284fe4bdd6ce/results?tab=lookup
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1934275
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates processes via WMI
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
JavaScript source code contains call to eval() to check own source code (likely for evading instrumentation)
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential obfuscated javascript found
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
Yara detected Powershell download and execute
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1934275 Sample: e-dekontpdf.js Startdate: 26/06/2026 Architecture: WINDOWS Score: 100 50 babayagadead.duckdns.org 2->50 52 babayagareborn.net 2->52 54 7 other IPs or domains 2->54 66 Suricata IDS alerts for network traffic 2->66 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 74 16 other signatures 2->74 10 wscript.exe 1 2->10         started        signatures3 72 Uses dynamic DNS services 50->72 process4 signatures5 84 Suspicious powershell command line found 10->84 86 Wscript starts Powershell (via cmd or directly) 10->86 88 Obfuscated command line found 10->88 90 4 other signatures 10->90 13 powershell.exe 14 24 10->13         started        process6 dnsIp7 60 babayagareborn.net 104.21.40.38, 443, 49700, 49701 CLOUDFLARENET-CloudflareIncUS Canada 13->60 48 C:\Users\user\AppData\Roaming\cqgbqngf.ps1, Unicode 13->48 dropped 96 Suspicious powershell command line found 13->96 98 Writes to foreign memory regions 13->98 100 Injects a PE file into a foreign processes 13->100 18 powershell.exe 21 13->18         started        22 MSBuild.exe 14 2 13->22         started        25 conhost.exe 13->25         started        27 csc.exe 3 13->27         started        file8 signatures9 process10 dnsIp11 42 C:\Users\user\AppData\...\2paijo4e.cmdline, Unicode 18->42 dropped 76 Writes to foreign memory regions 18->76 78 Injects a PE file into a foreign processes 18->78 29 CasPol.exe 15 4 18->29         started        33 conhost.exe 18->33         started        35 csc.exe 3 18->35         started        56 babayagadead.duckdns.org 82.29.94.69, 1933, 49708 CDNEXTGB Germany 22->56 58 api.ipify.org 172.67.74.152, 443, 49710, 49711 CLOUDFLARENET-CloudflareIncUS Canada 22->58 80 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->80 82 Installs a global keyboard hook 22->82 44 C:\Users\user\AppData\Local\...\zbuq2f1h.dll, PE32 27->44 dropped 38 cvtres.exe 1 27->38         started        file12 signatures13 process14 dnsIp15 62 91.192.100.36, 49703, 8084 AS-SOFTPLUSCH Switzerland 29->62 64 tools.keycdn.com 185.172.148.96, 443, 49706, 49709 PROINITYPROINITYCH Germany 29->64 92 Hides that the sample has been downloaded from the Internet (zone.identifier) 29->92 94 Installs a global keyboard hook 29->94 46 C:\Users\user\AppData\Local\...\2paijo4e.dll, PE32 35->46 dropped 40 cvtres.exe 1 35->40         started        file16 signatures17 process18
Score:
95%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/509c2a5b7f12d2a67bfb9b697581fc9718c6ceba0575cc9e8490284fe4bdd6ce
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/509c2a5b7f12d2a67bfb9b697581fc9718c6ceba0575cc9e8490284fe4bdd6ce/
Verdict:
Malicious
Threat:
Trojan.Script
Link:
https://tip.neiki.dev/file/509c2a5b7f12d2a67bfb9b697581fc9718c6ceba0575cc9e8490284fe4bdd6ce
Threat name:
Script-JS.Backdoor.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-06-26 00:20:08 UTC
File Type:
Text (JavaScript)
AV detection:
6 of 23 (26.09%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kcocuw37cljkm673tnuxlap4s4mmntv2av24zhuesaue7zf523ha._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
fantomcrypt
Create hunting rule
Similar samples:
0ae8c5022567fc8588fdc2fbf27d1d245f7e9bb15a23cb8a01962be6b51cb73c
QuasarRAT
7ed207c4ee2943946feaf7aa6d7a587d9fc156e1c5a7d8f5a2b8248bec6c671e
QuasarRAT
7f96177416122537d0ca9f70b7ae0d34c8f72d32c7b1382d32c76fb8a5c6ad80
QuasarRAT
fa22721ab138c896200a7f28f6e3e29ead531b21c9e26371a6e1ccaa62cc6e84
QuasarRAT
fda825f6ddd6738d57b8a7c16b793d7580ff3bb0427b6b5412d4b82c8bae3145
QuasarRAT
+ 2'271 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:micro botnet:newbypassed discovery execution spyware trojan
Link:
https://tria.ge/reports/260626-sds6nsct21/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Family: Quasar RAT
Process spawned unexpected child process
Quasar payload
Malware Config
C2 Extraction:
babayagadead.duckdns.org:1933
91.192.100.36:8084
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/509c2a5b7f12d2a67bfb9b697581fc9718c6ceba0575cc9e8490284fe4bdd6ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:quasarrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:quasarrat_kingrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_obfuscated_JS_obfuscatorio
Create hunting rule
Author:@imp0rtp3
Description:Detect JS obfuscation done by the js obfuscator (often malicious)
Reference:https://obfuscator.io
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:win_quasar_rat_client
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in Quasar Rat Samples.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments