MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65f89942f20de3e5a32c37c38817e494dc139107a6abf4fdd1a9e52d7f40b053. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65f89942f20de3e5a32c37c38817e494dc139107a6abf4fdd1a9e52d7f40b053
SHA3-384 hash: fd9907396276b288ec36b2c869739a7235aa5d9a8769e7069b4ba1f7c40b57199e2e11b88a52c7fcd51bb24afb1440dd
SHA1 hash: 3bc045ae178b505ee9140759d1df4fbeb29560e6
MD5 hash: 6b84f1beebaecb5ff9e66d9f2315a6a6
humanhash: salami-mountain-high-juliet
File name:XWorm 7.4.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:2'545'664 bytes
First seen:2026-04-13 14:14:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'863 x AgentTesla, 19'794 x Formbook, 12'305 x SnakeKeylogger)
ssdeep 49152:sU7YRnirm2NnPlKKSb7L3wip6MaRwE0A:GwZNnAKSb7L3w0Xe
TLSH T14EC5AE203DEA500EF1B7AF75DBE474DA9A6EF2237706965E145503860E23A41FDC323A
TrID 60.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
13.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.4% (.EXE) Win64 Executable (generic) (6522/11/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon 10ccc871b268cc82 (1 x UmbralStealer, 1 x QuasarRAT)
Reporter burger
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
XWorm 7.4.exe
Verdict:
Malicious activity
Analysis date:
2026-04-13 14:13:58 UTC
Tags:
pulsar rat
Link:
https://app.any.run/tasks/f295c4c7-0dc9-4bd6-a2cf-dd250e751df3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61399/
Detection(s):
Win.Malware.Generic-9883083-0
Create hunting rule

Win.Malware.Bulz-9933026-0
Create hunting rule

Win.Malware.Generic-6623004-0
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69dcfa3ff68adfe100396a79
Tags:
autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 hacktool obfuscated packed privilege reconnaissance
Link:
https://www.filescan.io/uploads/69dcfaa7799d5bf325fb8beb/reports/ee9dd0ed-e6ac-4e7d-9ce2-dbced5f84cee/overview
Verdict:
Malicious
Labled as:
Malware.Generic
Link:
https://www.hybrid-analysis.com/sample/65f89942f20de3e5a32c37c38817e494dc139107a6abf4fdd1a9e52d7f40b053
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-13T11:17:00Z UTC
Last seen:
2026-04-14T00:11:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.MSIL.Agent.sb HEUR:Trojan.MSIL.SAgent.gen Trojan.Win32.Agent.sb PDM:Trojan.Win32.Tasker.cust PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/65f89942f20de3e5a32c37c38817e494dc139107a6abf4fdd1a9e52d7f40b053/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/03793d6f-8f68-4e06-a183-4a6542994c7e
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1897461
Signature
.NET source code contains potential unpacker
Connects to many ports of the same IP (likely port scanning)
Creates an undocumented autostart registry key
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1897461 Sample: XWorm 7.4.exe Startdate: 13/04/2026 Architecture: WINDOWS Score: 100 37 Rifler8255-31269.portmap.host 2->37 41 Found malware configuration 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected Quasar RAT 2->45 47 6 other signatures 2->47 9 XWorm 7.4.exe 1 5 2->9         started        13 RtkAudUService64.exe 3 2->13         started        15 RtkAudUService64.exe 2 2->15         started        17 2 other processes 2->17 signatures3 process4 file5 33 C:\Users\user\...\RtkAudUService64.exe, PE32 9->33 dropped 35 C:\Users\user\AppData\...\XWorm 7.4.exe.log, CSV 9->35 dropped 53 Creates an undocumented autostart registry key 9->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->55 19 RtkAudUService64.exe 6 9->19         started        23 schtasks.exe 1 9->23         started        25 RtkAudUService64.exe 9->25         started        signatures6 process7 dnsIp8 39 Rifler8255-31269.portmap.host 193.161.193.99, 31269 BITREE-ASRU Russian Federation 19->39 49 Multi AV Scanner detection for dropped file 19->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->51 27 schtasks.exe 1 19->27         started        29 conhost.exe 23->29         started        signatures9 process10 process11 31 conhost.exe 27->31         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/65f89942f20de3e5a32c37c38817e494dc139107a6abf4fdd1a9e52d7f40b053
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65f89942f20de3e5a32c37c38817e494dc139107a6abf4fdd1a9e52d7f40b053/
Verdict:
Malicious
Threat:
Family.PULSARRAT
Link:
https://tip.neiki.dev/file/65f89942f20de3e5a32c37c38817e494dc139107a6abf4fdd1a9e52d7f40b053
Threat name:
Win32.Backdoor.PulsarRat
Create hunting rule
Status:
Malicious
First seen:
2026-04-13 14:14:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mx4jsqxsbxr6lizmg7byqf7estobheihu2v7j7orvhss272awbjq._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
error
QuasarRAT
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution persistence
Link:
https://tria.ge/reports/260413-rk66fabz61/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Adds Run key to start application
Executes dropped EXE
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
65f89942f20de3e5a32c37c38817e494dc139107a6abf4fdd1a9e52d7f40b053
MD5 hash:
6b84f1beebaecb5ff9e66d9f2315a6a6
SHA1 hash:
3bc045ae178b505ee9140759d1df4fbeb29560e6
Link:
https://www.unpac.me/results/1c5568bb-8759-4588-8f00-1d1316a9ede1/
SH256 hash:
ccb2a7845e53e8835d6d9ccd19462a23ab8627e60e5ea1daa761ed49769d90d7
MD5 hash:
b5f30d481fb4f2c3def71033f2066d02
SHA1 hash:
1cf8233786265c3cef3f2c27f0a845ef93fa2d15
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
HKTL_NET_GUID_Quasar
Create hunting rule
Link:
https://www.unpac.me/results/1c5568bb-8759-4588-8f00-1d1316a9ede1/
Parent samples :
7a02c7dee0626d47b4c6b2950266b2c532b841c12f2627375c32720c60c6fb23
30dfe87c5c3844e6d6a1ad8800c177cce116afe6b123ef385d6fc6df5b6f535a
65f89942f20de3e5a32c37c38817e494dc139107a6abf4fdd1a9e52d7f40b053
SH256 hash:
fba5ccf774f0a8a5ff63d5b5563aa69d0eceeb6463db6f07ab215cdc3239760d
MD5 hash:
3993ad83f50259d6af427f270d7b2440
SHA1 hash:
0efb93fe702b0235bb1695b7db7e532d5f8c3a51
Link:
https://www.unpac.me/results/1c5568bb-8759-4588-8f00-1d1316a9ede1/
SH256 hash:
d5235265564f0bfd23b7279d7bdccc9ea6383ed07c5d0bfdf6c99029af9a2c0c
MD5 hash:
1d3dd9fcc077e6b4f88c05b9aef53ee6
SHA1 hash:
12b33858bc84f54b8aa8dbcb5a0ec2da043a6f66
Link:
https://www.unpac.me/results/1c5568bb-8759-4588-8f00-1d1316a9ede1/
SH256 hash:
caf45c975aa9824874636bb4ca8becc9fa6f514c959ed9157cb4b547e2f9cf00
MD5 hash:
037e74b00994a63e7eb7e6b09ce4d264
SHA1 hash:
571dfc56f6dc1aabaa3e9746e6103d2173382b2c
Link:
https://www.unpac.me/results/1c5568bb-8759-4588-8f00-1d1316a9ede1/
SH256 hash:
601e4de434fa691e7be2dc780519aadb3518c1dadce88176887df39cdad7fc93
MD5 hash:
c26da043cc89199ab19ebca94042b8b1
SHA1 hash:
71ec36fe50761f6de2f19e91d1c7db67a9212040
Link:
https://www.unpac.me/results/1c5568bb-8759-4588-8f00-1d1316a9ede1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65f89942f20de3e5a32c37c38817e494dc139107a6abf4fdd1a9e52d7f40b053

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Costura_Protobuf
Create hunting rule
Author:@bartblaze
Description:Identifies Costura and Protobuf in .NET assemblies, respectively for storing resources and (de)serialization. Seen together might indicate a suspect binary.
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Pulsar_RAT
Create hunting rule
Author:@bartblaze
Description:Identifies Pulsar RAT, based on Quasar RAT.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.pulsar_rat
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/61399/

Comments