MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57661edbe11037aecf6fa97e9d129f8ba3e4b8bd3e5d199f95e8a1a51d9cdb1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57661edbe11037aecf6fa97e9d129f8ba3e4b8bd3e5d199f95e8a1a51d9cdb1f
SHA3-384 hash: 92f102fe840a9e5d0d3434fd52c714fa10ba244bb4b57a41f799c8ceaccb255c6802256936581201da45b881a1e6623a
SHA1 hash: 8156051e8301e80dfffd12e0b96b524836d0a7a1
MD5 hash: 865a7c412a5b7569ba4d5b443fc0ea64
humanhash: nineteen-vermont-oregon-eighteen
File name:SecuriteInfo.com.Trojan.PackedNET.215.29632.29908
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'730'944 bytes
First seen:2025-06-06 12:24:31 UTC
Last seen:2025-06-06 13:18:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:JohTkGWCVLpq1OpxnoOqwLWD+1uM3r2C/bvPaMq3GF3QWpmjLYa5RJdFQpyU8xAP:JpGW6oOALwLg0qCzUf5Rmp5CK2rfHv
Threatray 70 similar samples on MalwareBazaar
TLSH T14B06382439EA601AF173EFB65BE479DADA6FB7333B07A45D109003864623941EEC153E
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 6edbb12b17172b96 (10 x Quakbot, 9 x Heodo, 7 x BazaLoader)
Reporter SecuriteInfoCom
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
329
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
916eec4e23123e3a1d63ea2daf0c2c14.exe
Verdict:
Malicious activity
Analysis date:
2025-06-03 11:17:29 UTC
Tags:
lumma stealer amadey botnet payload loader unlocker-eject tool rat quasar remote telegram rdp github evasion auto-reg arch-exec crypto-regex pastebin
Link:
https://app.any.run/tasks/5a6cada9-2d2a-4dc0-aee6-bc2335d7fd55

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7674/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.215.29632.29908.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6842defd8bd5d68a12e5ed47
Tags:
keylog remo word
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Setting a keyboard event handler
Connection attempt to an infection source
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/57661edbe11037aecf6fa97e9d129f8ba3e4b8bd3e5d199f95e8a1a51d9cdb1f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/975642cf-ccec-4ab0-a75e-744af030fa79
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1708117
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses threadpools to delay analysis
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/57661edbe11037aecf6fa97e9d129f8ba3e4b8bd3e5d199f95e8a1a51d9cdb1f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57661edbe11037aecf6fa97e9d129f8ba3e4b8bd3e5d199f95e8a1a51d9cdb1f/
Threat name:
Win32.Backdoor.Quasar
Create hunting rule
Status:
Suspicious
First seen:
2025-06-02 21:45:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k5tb5w7bca325t3pvf7j2eu7ror6jof5hzorth4v5cq2khm43mpq._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
1c1e6f8a36871157f3c8e9544ace1ce91fdd5cd11915650b92b3ec158c444072
QuasarRAT
6d5faa0cd51cbe5d6fb33a09453d1a9ccfcbffc3fb715369026db4103b1605db
QuasarRAT
749f17c6f9adb9378036f3e7c86cc5f7de353f0a8fbbe06d247d8ded4b198024
QuasarRAT
8a737222b87d1ba3e145c099feddd38893e9bd3864e0d505477347872d108941
QuasarRAT
9e112e2a8ca34f215042f5d331b4f79eca8003fe825594fcbf8936d32e9d2d7c
QuasarRAT
ce228d856a2a217ff4a0b5d2061c8414af08c222d3ce58b5a237ff27b54ef1f8
QuasarRAT
da4fb7c03aaca6df5146ea391788bef99ababd891dbff4b446fa008d254472c2
QuasarRAT
+ 60 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar discovery spyware trojan
Link:
https://tria.ge/reports/250606-plgaasar4y/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
��tM����Yy�Z�=-�
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4e5547aa-9ca8-439b-90ab-1e1d7409e8a1
Unpacked files
SH256 hash:
57661edbe11037aecf6fa97e9d129f8ba3e4b8bd3e5d199f95e8a1a51d9cdb1f
MD5 hash:
865a7c412a5b7569ba4d5b443fc0ea64
SHA1 hash:
8156051e8301e80dfffd12e0b96b524836d0a7a1
Link:
https://www.unpac.me/results/fc9dbc14-6bed-4b94-8685-63db9ef8c1eb/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/57661edbe110/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57661edbe11037aecf6fa97e9d129f8ba3e4b8bd3e5d199f95e8a1a51d9cdb1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 57661edbe11037aecf6fa97e9d129f8ba3e4b8bd3e5d199f95e8a1a51d9cdb1f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3558731/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/7674/

Comments