MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fc91760e012d3883537ab8656f4ed240c350357fb7999476b072cf5d937a417. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT
Vendor detections: 12

SHA256 hash: 5fc91760e012d3883537ab8656f4ed240c350357fb7999476b072cf5d937a417
SHA3-384 hash: f3e1543887b68318c576129990bbb43992ea889975878260dcc94268ad371b13efbdcf9b623681b1cecb5c9bb57ec246
SHA1 hash: bb71457b5f03e65a17a0cab03cee02fc83d25e1c
MD5 hash: 1ddf5ccb516c07a05ae2bdcec190b1f4
humanhash: fix-fillet-delaware-uranus
File name: Cheat Mod 2025 install.vbs
Signature: QuasarRAT
File size: 1'836 bytes
First seen: 2025-12-23 12:36:04 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 24:9AMfoXnrQMG1KRHvMGEQ8TGdSXcF2MSoMRD2aMblg7dhYXXF3ppj0qkv:eMfoXnHoKRH0YpYx2evYXXNg/
Threatray: 180 similar samples on MalwareBazaar
TLSH: T15F3122B768084DAB5702A4C6D1DA246CDD72E367BA21ECB47640CC2C8F14635E6D2CEB
Magika: vba
Reporter: burger
Tags: QuasarRAT, vbs

Intelligence

File Origin
# of uploads: 1
# of downloads: 44
Origin country: NL

Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 99.1%
Tags: dropper shell sage

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cmd evasive lolbin persistence powershell timeout wscript

Verdict: Malicious
File Type: vbs
First seen: 2025-12-23T09:43:00Z UTC
Last seen: 2025-12-23T10:32:00Z UTC
Hits: ~100
Detections: HEUR:Trojan-Downloader.Script.Generic, HEUR:Trojan.BAT.Agent.gen, PDM:Trojan.Win32.Generic, UDS:DangerousObject.Multi.Generic, Trojan-Downloader.JS.SLoad.sb, Trojan.VBS.SAgent.sb, Trojan.JS.SAgent.sb, Trojan-Downloader.JS.Cryptoload.sb, Trojan.Win32.Agent.sb, Trojan-Dropper.Win32.Injector.sb, Trojan-PSW.MSIL.Agent.sb, Trojan.Win32.Vimditator.sb, HEUR:Trojan.BAT.Alien.gen, Backdoor.MSIL.PulsarRAT.sb, Trojan.MSIL.Agent.sb, Backdoor.Win32.Androm

Result
Threat name:
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Contains functionality to disable the Task Manager (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Sample uses string decryption to hide its real strings
Sigma detected: Register Wscript In Run Key
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected Quasar RAT
Behaviour

Behavior Graph ID: 1838194 (graph image not reproduced; the hosts, dropped files and process tree it records are listed below)
Sample: Cheat Mod 2025 install.vbs
Startdate: 23/12/2025
Architecture: WINDOWS
Score: 100

Contacted hosts:
  raw.githubusercontent.com  185.199.110.133:443   FASTLYUS, Netherlands          (from wscript.exe)
  pastebin.com               172.66.171.73:443     CLOUDFLARENETUS, United States (from AddInProcess32.exe)
  eyadcrypto.linkpc.net      157.254.165.172:2000  BEANFIELDCA, United States     (from AddInProcess32.exe)

Dropped files:
  C:\Users\user\AppData\...\task_schedule.bat (DOS)        dropped by wscript.exe
  C:\Users\user\[garbled]ewProfile\NV.ps1 (ASCII)          dropped by powershell.exe
  C:\Users\user\[garbled]ewProfile\S_M.vbs (ASCII)         dropped by powershell.exe
  (the directory component of the two script paths is damaged in the extracted graph text)

Process tree (three wscript.exe instances are launched from the sample):
  wscript.exe  [connects to raw.githubusercontent.com; drops task_schedule.bat; System process connects to network (likely due to code injection or exploit); VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); 3 other signatures]
    cmd.exe  [Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)]
      wscript.exe  [Wscript starts Powershell (via cmd or directly)]
        powershell.exe  [Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)]
          taskkill.exe, conhost.exe, AddInProcess32.exe, 4 other processes
      powershell.exe  [drops NV.ps1]
      powershell.exe  [drops S_M.vbs]
      4 other processes
  wscript.exe
    powershell.exe  [Writes to foreign memory regions; Injects a PE file into a foreign processes]
      AddInProcess32.exe  [connects to pastebin.com and eyadcrypto.linkpc.net; Hides that the sample has been downloaded from the Internet (zone.identifier)]
      taskkill.exe
      conhost.exe
  wscript.exe
    powershell.exe
      conhost.exe, 3 other processes

Top-level signatures on the graph: Sigma detected: Register Wscript In Run Key; Found malware configuration; Malicious sample detected (through community Yara rule); Connects to a pastebin service (likely for C&C); 14 other signatures.
Verdict: Malware
YARA: 1 match(es)
Tags: ADODB.Stream DeObfuscated MSXML2.ServerXMLHTTP Obfuscated Scripting.FileSystemObject T1059.005 VBScript WScript.Shell

Threat name: Win32.Trojan.Znyonm
Status: Malicious
First seen: 2025-12-23 12:35:59 UTC
File Type: Text (VBS)
AV detection: 7 of 24 (29.17%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:quasar defense_evasion discovery execution persistence spyware trojan
Behaviour:
Delays execution with timeout.exe
Kills process with taskkill
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
.NET Reactor protector
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Quasar RAT
Quasar family
Quasar payload
Please note that we are no longer able to provide a coverage score for Virus Total.
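The vendor signatures above (WScript or CScript Dropper, Wscript starts Powershell via cmd or directly, Register Wscript In Run Key, Script Initiated Connection to Non-Local Network, Bypasses PowerShell execution policy) and the behaviour graph's process chain can be turned into hunting logic. The Python below is an added example, not part of this MalwareBazaar entry or of any vendor's tooling: it walks a process tree built from constructed Sysmon-style events (ProcessCreate, NetworkConnect, RegistryValueSet) and reports hits under the same signature names. The event shapes, PIDs, file paths and the two benign control processes are constructed; the only data taken from the page are the hosts eyadcrypto.linkpc.net, 157.254.165.172, pastebin.com and raw.githubusercontent.com. Because pastebin and GitHub are legitimate services the sample abuses, a connection to them counts only when a script host sits somewhere in the connecting process's ancestry.

```python
"""Hunting logic for the WScript -> cmd -> PowerShell -> injection chain in this entry.

Added example; not code from the MalwareBazaar page or any vendor. Events, PIDs,
paths and the benign control processes below are constructed test data.
"""
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
USER_WRITABLE = re.compile(r"\\(users|appdata|temp|programdata)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)
SCRIPT_IN_DATA = re.compile(r"wscript|cscript|\.vbs\b|\.vbe\b|\.js\b|\.jse\b", re.I)
EP_BYPASS = re.compile(r"-e[px]\w*\s+bypass", re.I)  # -ep / -ex / -ExecutionPolicy bypass
# Indicators from the behaviour graph above. The two hosting services are legitimate,
# so they only count when a Windows Script Host process is in the connecting ancestry.
C2_IOCS = {"eyadcrypto.linkpc.net", "157.254.165.172"}
ABUSED_HOSTING = {"pastebin.com", "raw.githubusercontent.com"}

EVENTS = [  # constructed Sysmon-style events: id 1 ProcessCreate, 3 NetworkConnect, 13 RegistryValueSet
    {"id": 1, "pid": 10, "ppid": 2, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\user\Downloads\Cheat Mod 2025 install.vbs"'},
    {"id": 3, "pid": 10, "dst": "raw.githubusercontent.com", "dport": 443},
    {"id": 13, "pid": 10, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "S_M", "data": r'wscript.exe "C:\Users\user\AppData\Roaming\S_M.vbs"'},
    {"id": 1, "pid": 19, "ppid": 10, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c powershell.exe -ep bypass -w hidden -File C:\Users\user\AppData\Roaming\stage.ps1"},
    {"id": 1, "pid": 29, "ppid": 19, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -ep bypass -w hidden -File C:\Users\user\AppData\Roaming\stage.ps1"},
    {"id": 1, "pid": 34, "ppid": 29, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "cmd": "AddInProcess32.exe"},
    {"id": 3, "pid": 34, "dst": "pastebin.com", "dport": 443},
    {"id": 3, "pid": 34, "dst": "eyadcrypto.linkpc.net", "dport": 2000},
    # benign controls: an admin script under Program Files, and a system .vbs run by cscript
    {"id": 1, "pid": 77, "ppid": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -File "C:\Program Files\Ops\health.ps1"'},
    {"id": 3, "pid": 77, "dst": "raw.githubusercontent.com", "dport": 443},
    {"id": 1, "pid": 80, "ppid": 2, "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
]


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(procs, pid):
    """Yield the ProcessCreate event of each ancestor, nearest first; stops on unknown or cyclic PPIDs."""
    seen = {pid}
    cur = procs.get(pid)
    while cur is not None and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = procs.get(cur["ppid"])
        if cur is not None:
            yield cur


def script_descended(procs, pid):
    """True if pid is a Windows Script Host process or has one anywhere above it."""
    chain = ([procs[pid]] if pid in procs else []) + list(ancestors(procs, pid))
    return any(image_name(p["image"]) in SCRIPT_HOSTS for p in chain)


def hunt(events):
    """Return a list of {rule, pid, detail} findings named after the report's signatures."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    findings = []

    def hit(rule, pid, detail):
        findings.append({"rule": rule, "pid": pid, "detail": detail})

    for e in events:
        if e["id"] == 1:
            name = image_name(e["image"])
            if name in SCRIPT_HOSTS and USER_WRITABLE.search(e["cmd"]):
                hit("WScript or CScript Dropper", e["pid"], e["cmd"])
            if name == "powershell.exe":
                if any(image_name(p["image"]) in SCRIPT_HOSTS for p in ancestors(procs, e["pid"])):
                    hit("Wscript starts Powershell (via cmd or directly)", e["pid"], e["cmd"])
                if EP_BYPASS.search(e["cmd"]):
                    hit("Bypasses PowerShell execution policy", e["pid"], e["cmd"])
        elif e["id"] == 13:
            if RUN_KEY.search(e["key"]) and SCRIPT_IN_DATA.search(e["data"]):
                hit("Register Wscript In Run Key", e["pid"], f'{e["value"]} = {e["data"]}')
        elif e["id"] == 3:
            dst = f'{e["dst"]}:{e["dport"]}'
            if e["dst"] in C2_IOCS:
                hit("Known QuasarRAT C2 IOC", e["pid"], dst)
            if script_descended(procs, e["pid"]):
                note = " (legitimate hosting service abused)" if e["dst"] in ABUSED_HOSTING else ""
                hit("Script Initiated Connection to Non-Local Network", e["pid"], dst + note)
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f'[{f["rule"]}] pid {f["pid"]}: {f["detail"]}')
```

On the constructed events the dropper, Run-key, PowerShell-from-WScript, execution-policy-bypass and C2 rules all fire on the wscript/cmd/powershell/AddInProcess32 chain, while the PowerShell started from Program Files and the cscript run of a System32 script produce no findings. In a real deployment the ancestry walk should be fed from the parent PID fields of Sysmon Event ID 1 (or equivalent EDR telemetry), and the IOC set should be refreshed from the entry's IOC tab rather than hard-coded.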

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments