MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58c0f6f8f34d79ea67065761fd2bfc32101c1611cb7d16f5c15f8c19f8572e65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 19

Intelligence 19 IOCs 1 YARA 3 File information Comments

SHA256 hash:	58c0f6f8f34d79ea67065761fd2bfc32101c1611cb7d16f5c15f8c19f8572e65
SHA3-384 hash:	cb0bf8ffdff32e5d83e02edcf1712544b41a37abe299c2dd8b31c591988e5c63164aa45849eb835008e8c7cecc8a1a86
SHA1 hash:	9fe0ab54fbfd04d634da4c5828aa572d4e15745a
MD5 hash:	b6c327ecd634048616a94ed051fb4cd3
humanhash:	robin-freddie-hot-violet
File name:	x58c0f6f8f34d79ea67065761fd2bfc32101c1611cb7d.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	3'368'448 bytes
First seen:	2026-03-29 03:25:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	75f14bd3d4365d0894065c02d34d471a (1 x QuasarRAT)
ssdeep	98304:nFB4syHalDOo2ZNAVkZnffwQP9v9C7TmYVRKX:ngsTlCo2YVkLN9C7hVRU
Threatray	1 similar samples on MalwareBazaar
TLSH	T181F5F1838FA21F96DD7116FA1658B08187CD60AD22A4DFC7E171E2936F1BF172D39908
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	abuse_ch
Tags:	exe QuasarRAT RAT

abuse_ch

QuasarRAT C2:
54.172.72.215:4443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
54.172.72.215:4443	https://threatfox.abuse.ch/ioc/1778241/

Intelligence

File Origin

# of uploads :

# of downloads :

162

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

quasar

ID:

File name:

x58c0f6f8f34d79ea67065761fd2bfc32101c1611cb7d16f5c15f8c19f8572e65.exe

Verdict:

Malicious activity

Analysis date:

2026-03-29 03:11:04 UTC

Tags:

quasar

Link:

https://app.any.run/tasks/0cef79d7-a4ef-4c67-babe-92bef65e4266

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

QuasarRAT

Link:

https://www.capesandbox.com/analysis/59646/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69c89845e137efff54f530a9

Tags:

infosteal asyncrat quasar

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Creating a file

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a window

Unauthorized injection to a recently created process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug anti-vm microsoft_visual_cc packed

Link:

https://www.filescan.io/uploads/69c89ba1972c219c8d70f2b1/reports/676297e5-683b-4fb7-9b39-f567f33a03ab/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/58c0f6f8f34d79ea67065761fd2bfc32101c1611cb7d16f5c15f8c19f8572e65

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-03-28T18:07:00Z UTC

Last seen:

2026-03-30T14:23:00Z UTC

Hits:

~100

Detections:

Trojan.MSIL.Quasar.a HEUR:Trojan.MSIL.Quasar.gen Trojan.MSIL.Quasar.grw Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Agent.sb Trojan.Win32.Quasar.sb

Link:

https://opentip.kaspersky.com/58c0f6f8f34d79ea67065761fd2bfc32101c1611cb7d16f5c15f8c19f8572e65/results?tab=lookup

Malware family:

Quasar RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/aa464bbe-1a66-4850-b7ed-a54c85c9167d

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1890630

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Sigma detected: Execution from Suspicious Folder

Sigma detected: Potentially Suspicious Malware Callback Communication

Sigma detected: Suspicious Program Location with Network Connections

Suricata IDS alerts for network traffic

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/58c0f6f8f34d79ea67065761fd2bfc32101c1611cb7d16f5c15f8c19f8572e65

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/58c0f6f8f34d79ea67065761fd2bfc32101c1611cb7d16f5c15f8c19f8572e65/

Verdict:

Malicious

Threat:

Family.QUASAR

Link:

https://tip.neiki.dev/file/58c0f6f8f34d79ea67065761fd2bfc32101c1611cb7d16f5c15f8c19f8572e65

Threat name:

Win64.Backdoor.Quasar

Status:

Malicious

First seen:

2026-03-29 02:13:00 UTC

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ldapn6htjv46uzygk5q72k74giibyfqrzn6rn5obl6gbt6cxfzsq._file

Verdict:

malicious

Label(s):

quasarrat

Similar samples:

error

QuasarRAT

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar botnet:office04 spyware trojan

Link:

https://tria.ge/reports/260329-dyscjsgw3q/

Behaviour

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Executes dropped EXE

Quasar RAT

Quasar family

Quasar payload

Malware Config

C2 Extraction:

54.172.72.215:4443

Unpacked files

SH256 hash:

58c0f6f8f34d79ea67065761fd2bfc32101c1611cb7d16f5c15f8c19f8572e65

MD5 hash:

b6c327ecd634048616a94ed051fb4cd3

SHA1 hash:

9fe0ab54fbfd04d634da4c5828aa572d4e15745a

Link:

https://www.unpac.me/results/8ffe875f-446e-43a7-921a-2c1367bbe2fb/

Malware family:

QuasarRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/58c0f6f8f34d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/58c0f6f8f34d79ea67065761fd2bfc32101c1611cb7d16f5c15f8c19f8572e65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/59646/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample