MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51974d6489023e692699475f2a5d25e986b2e1e6c191bf8f3e51100347981dfd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 28 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51974d6489023e692699475f2a5d25e986b2e1e6c191bf8f3e51100347981dfd
SHA3-384 hash: d9756b36868c535650812896cb35b85bc00bcb95c83cec63a099557bae462322d5a6412fbf8031c76857873cd09f8855
SHA1 hash: 130493bf86c658ab8e748497603b0869a715e89f
MD5 hash: 8f90e5501e319a41a9a9649098f7c7ba
humanhash: diet-burger-georgia-fifteen
File name:Pulsar-Client.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'570'304 bytes
First seen:2025-10-21 16:36:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:e1i777crPbCJgRD1sdJ7GrUnxa1eoUztQd7kMIu6BP55+h+gAQAeey2nBlYjobPJ:e1pQ1ileoUKAQUP3+sgQ1nBlY4R
Threatray 248 similar samples on MalwareBazaar
TLSH T181757D5077AC8B26D7AF4AB9F4B149050B71E507A163E3AE45C8B1F92DA33829D103F7
TrID 58.8% (.RLL) Microsoft Resource Library (x86) (177572/6/26)
24.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
5.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.4% (.EXE) Win64 Executable (generic) (10522/11/4)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
Reporter BlinkzSec
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
CZ CZ
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Pulsar-Client.exe
Verdict:
Malicious activity
Analysis date:
2025-10-21 16:44:12 UTC
Tags:
crypto-regex
Link:
https://app.any.run/tasks/69932448-5eb8-4413-9ac9-ec1be18fc63b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33643/
Detection(s):
Win.Malware.Generic-9883083-0
Create hunting rule

Win.Malware.Bulz-9933026-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.QuasarStealer.UNOFFICIAL
Create hunting rule

Win.Malware.Generic-6623004-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f7b6ab3edd081eba4067c6
Tags:
vmdetect quasar emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Connecting to a non-recommended domain
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm anti-vm cmd explorer hacktool lolbin msbuild net obfuscated obfuscated quasar regasm regsvcs remote runonce threat update zusy
Link:
https://www.filescan.io/uploads/68f7b7c73a79800405eedb7f/reports/e7768cfa-67b2-4489-a0b0-02ec9455a595/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/51974d6489023e692699475f2a5d25e986b2e1e6c191bf8f3e51100347981dfd
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-21T13:45:00Z UTC
Last seen:
2025-10-23T06:08:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.Quasar.ffm Trojan.MSIL.Quasar.a Trojan.MSIL.Agent.sb HEUR:Trojan-Banker.MSIL.ClipBanker.gen HEUR:Trojan.Win32.Generic Trojan.MSIL.Quasar.ffn Backdoor.MSIL.Crysan.d Trojan-PSW.MSIL.Agent.sb
Link:
https://opentip.kaspersky.com/51974d6489023e692699475f2a5d25e986b2e1e6c191bf8f3e51100347981dfd/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3608bba-36a7-4f1c-8872-9e329629e158
Score:
87%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/51974d6489023e692699475f2a5d25e986b2e1e6c191bf8f3e51100347981dfd
Verdict:
QuasarRat
YARA:
15 match(es)
Tags:
.Net Executable Fody/Costura Packer Html Malicious Managed .NET PDB Path PE (Portable Executable) PE File Layout QuasarRat RAT SOS: 0.14 SOS: 0.15 SOS: 0.17 SOS: 0.18 SOS: 0.23 SOS: 0.24 SOS: 0.25 SOS: 0.26 SOS: 0.63 Win 32 Exe x86
Link:
https://app.malva.re/file/8f90e5501e319a41a9a9649098f7c7ba
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51974d6489023e692699475f2a5d25e986b2e1e6c191bf8f3e51100347981dfd/
Verdict:
Malicious
Threat:
Family.QUASAR
Link:
https://tip.neiki.dev/file/51974d6489023e692699475f2a5d25e986b2e1e6c191bf8f3e51100347981dfd
Threat name:
Win32.Hacktool.Aikaantivm
Create hunting rule
Status:
Malicious
First seen:
2025-10-21 16:25:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
21 of 24 (87.50%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kglu2zejai7gsjuzi5psuxjf5gdlfypgygi37dz6keiagr4ydx6q._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
1c66ad71b16931d7d2d5c4f86fd5abc1dc07afbc32e112e29ba424a8f302d5f6
QuasarRAT
37565b55aafaf0e15de3bbc9ee91d4c3f42f86d569c41048c92f5dc380d11e77
QuasarRAT
45ef6e4f80f8619585cb239d12cc89dddff3cc158600fdf33fc4834b1f8b49a6
QuasarRAT
51974d6489023e692699475f2a5d25e986b2e1e6c191bf8f3e51100347981dfd
QuasarRAT
52456d908d99b33a3dfc07c2e17a4e2dff6e9488bb0f36fe2e240a3d24ba00b2
QuasarRAT
73847acc61c5cf81e1ade006175ee43d851e6fed8c4697dd5713a7e16e39e20e
QuasarRAT
8fb0cb3397fd345f1c0d4406d6e07acce51ea58d3037cc58c1d86204e897e0a5
QuasarRAT
error
QuasarRAT
+ 238 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar spyware trojan
Link:
https://tria.ge/reports/251021-t7bzxsbx6f/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Quasar RAT
Quasar family
Quasar payload
Unpacked files
SH256 hash:
51974d6489023e692699475f2a5d25e986b2e1e6c191bf8f3e51100347981dfd
MD5 hash:
8f90e5501e319a41a9a9649098f7c7ba
SHA1 hash:
130493bf86c658ab8e748497603b0869a715e89f
Detections:
QuasarRAT
Create hunting rule
Link:
https://www.unpac.me/results/15f00994-8d8e-456d-b98f-9db0d8e2ebbd/
SH256 hash:
08cbd7278b66f1e68425a82d4b97181a4130d93e3dd91831407aba7212ccdacf
MD5 hash:
cb5b861883d2bddd9833c9fe956406f7
SHA1 hash:
43290cd4aaf80df5d1cf9f242486ef8e646fddda
Link:
https://www.unpac.me/results/15f00994-8d8e-456d-b98f-9db0d8e2ebbd/
SH256 hash:
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6
MD5 hash:
e1e9d7d46e5cd9525c5927dc98d9ecc7
SHA1 hash:
2242627282f9e07e37b274ea36fac2d3cd9c9110
Link:
https://www.unpac.me/results/15f00994-8d8e-456d-b98f-9db0d8e2ebbd/
SH256 hash:
3cb6c43f6e601bf9ba6183c97908a735adcedf44f0009afbea79ce0c8278e0a5
MD5 hash:
13b3f0bf9ca79492a60ddcf43a3fc164
SHA1 hash:
3565469ee4a2408ff2fe2a3b5685b1895e544dff
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
HKTL_NET_GUID_Quasar
Create hunting rule
Link:
https://www.unpac.me/results/15f00994-8d8e-456d-b98f-9db0d8e2ebbd/
SH256 hash:
067413dff0f9d7a386fe3968cb3988594e68f647c157502ab11d939fc8e2d6ef
MD5 hash:
e2fbecbb3953cb5d5de98a38e5323095
SHA1 hash:
b57b485ba7372fb3403fd0c36043a051af2afc05
Link:
https://www.unpac.me/results/15f00994-8d8e-456d-b98f-9db0d8e2ebbd/
SH256 hash:
4d7aa07d288c6a39109eedf6435e3ba8c413342876ed08bb5a64d55dd39dd04d
MD5 hash:
3876cd00a3ad6d0a5fdbfc19877f300a
SHA1 hash:
a0690708c86f009d41fda400fead8407b8168895
Link:
https://www.unpac.me/results/15f00994-8d8e-456d-b98f-9db0d8e2ebbd/
SH256 hash:
accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb
MD5 hash:
ecdfe8ede869d2ccc6bf99981ea96400
SHA1 hash:
2f410a0396bc148ed533ad49b6415fb58dd4d641
Link:
https://www.unpac.me/results/15f00994-8d8e-456d-b98f-9db0d8e2ebbd/
SH256 hash:
d5ec0837bb176abf13dcd52c658c4e84c5264f67065b9c19679b6643f7d21564
MD5 hash:
af7880a90c02c0115cd169c7182ab378
SHA1 hash:
6e3ccf50bb1d30805dce58ab6bdd63e0196669e6
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/15f00994-8d8e-456d-b98f-9db0d8e2ebbd/
Parent samples :
51974d6489023e692699475f2a5d25e986b2e1e6c191bf8f3e51100347981dfd
7830e7c10b53bf790efd4c6b5d52e0c31cb83d86378c2aeef96d7dc8d726f245
SH256 hash:
bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f
MD5 hash:
f09441a1ee47fb3e6571a3a448e05baf
SHA1 hash:
3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde
Link:
https://www.unpac.me/results/15f00994-8d8e-456d-b98f-9db0d8e2ebbd/
SH256 hash:
1e02248fc226f1813f9a473aaf8dc9bd264101a6e371ddb73e145c0949834d47
MD5 hash:
4b874a3043d5e3c133f4c35863159638
SHA1 hash:
3a7d21700497d81c41193544b7ea913032d0aa82
Link:
https://www.unpac.me/results/15f00994-8d8e-456d-b98f-9db0d8e2ebbd/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/51974d648902/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51974d6489023e692699475f2a5d25e986b2e1e6c191bf8f3e51100347981dfd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Dlls
Create hunting rule
Rule name:cobalt_strike_beacon_detected
Create hunting rule
Author:0x0d4y
Description:This rule detects cobalt strike beacons.
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HKTL_NET_GUID_Quasar
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects c# red/black-team tools via typelibguid
Reference:https://github.com/quasar/Quasar
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:MAL_BackNet_Nov18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects BackNet samples
Reference:https://github.com/valsov/BackNet
Rule name:MAL_BackNet_Nov18_1_RID2D6D
Create hunting rule
Author:Florian Roth
Description:Detects BackNet samples
Reference:https://github.com/valsov/BackNet
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Description:Detects QuasarRAT malware
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 51974d6489023e692699475f2a5d25e986b2e1e6c191bf8f3e51100347981dfd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3683096/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/33643/

Comments