MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6dbb22d7e0e30cbba3a888b9e736c9953c7edd4bb04a8855ff998f188e77e661. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	6dbb22d7e0e30cbba3a888b9e736c9953c7edd4bb04a8855ff998f188e77e661
SHA3-384 hash:	46ee9bd92b1075d3e83fe445f55fe5bbc3081cbe7f791e31b209204c365b357478d2c2676b10cbee517fd5459ab6c8b1
SHA1 hash:	c4efac4b65a41f3199405a26062a75d921d54906
MD5 hash:	e85de0bcf4695abb9d012b14fc30739b
humanhash:	nebraska-quiet-whiskey-mobile
File name:	Pulsar.bat
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	2'211'836 bytes
First seen:	2025-09-07 23:09:55 UTC
Last seen:	Never
File type:	bat
MIME type:	text/x-msdos-batch
ssdeep	24576:5Mb2nfuObpLXfcZClqaReoBHkiS7YvNBle4p6BdGSyelUXuLAEe2ghLgufbjKyvJ:lM/aLVTe+QyxeHe1bvS7GzfPsbzfF65t
Threatray	122 similar samples on MalwareBazaar
TLSH	T1DCA533104B79FFB9462C773A207B0B1D12F04F999A5AD6E5C3267AD36E2FB00E64181D
Magika	batch
Reporter	AntiSkidding
Tags:	bat Quasar QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Pulsar.bat

Verdict:

Malicious activity

Analysis date:

2025-09-07 22:31:30 UTC

Tags:

anti-evasion susp-powershell pastebin crypto-regex

Link:

https://app.any.run/tasks/6cfc7407-3b7c-4f1e-b2e5-d971ec166fa6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/26173/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68be07c16e66ba602d78df21

Tags:

shell sage remo

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching a process

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Creating a window

Creating a file

Launching cmd.exe command interpreter

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/6dbb22d7e0e30cbba3a888b9e736c9953c7edd4bb04a8855ff998f188e77e661

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-09-07T19:53:00Z UTC

Last seen:

2025-09-07T19:53:00Z UTC

Hits:

~10

Detections:

Trojan.MSIL.Quasar.a PDM:Trojan.Win32.Generic Trojan-PSW.MSIL.Agent.sb Trojan.VBS.Runner.sb HEUR:Trojan.BAT.Alien.gen

Link:

https://opentip.kaspersky.com/6dbb22d7e0e30cbba3a888b9e736c9953c7edd4bb04a8855ff998f188e77e661/results?tab=lookup

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/6dbb22d7e0e30cbba3a888b9e736c9953c7edd4bb04a8855ff998f188e77e661

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6dbb22d7e0e30cbba3a888b9e736c9953c7edd4bb04a8855ff998f188e77e661/

Verdict:

Malicious

Threat:

Family.QUASAR

Link:

https://tip.neiki.dev/file/6dbb22d7e0e30cbba3a888b9e736c9953c7edd4bb04a8855ff998f188e77e661

Threat name:

Script-BAT.Packed.Generic

Status:

Suspicious

First seen:

2025-09-07 22:31:34 UTC

File Type:

Text (Batch)

AV detection:

6 of 38 (15.79%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nw5sfv7a4mglxi5irc46onwjsu6h5xklwbfiqvp7tghrrdtx4zqq._file

Verdict:

malicious

Label(s):

quasarrat

QuasarRAT

3662a8d4f950c9ebd0851e0b0713f2e48dfb7dd5ac3de02bae8acd1d6c4efd1d

QuasarRAT

5bf621e8d7c8590e3a2a5bb9779b5458b28f85b8887076b4a4885d1ee3e2c7f0

QuasarRAT

8768859060387f56a2243b3d68d1b88fc12def261668c945d67ba7772f569b24

QuasarRAT

d017447f8ef2d707ce3a908e05bcac2206d8f5b8d63b72e494a81eb379b69853

QuasarRAT

error

QuasarRAT

f3e081a4b2e4302d3b14e5f16aca269ea93aa5cb816bb7ac2a8e4f51a80f0fde

QuasarRAT

fefcf51745f418e4d6d8d4a62dd2bf723ab2bb21c5965523ecd0e670eec1f9aa

QuasarRAT

+ 112 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar defense_evasion execution spyware trojan

Link:

https://tria.ge/reports/250907-254k6azzav/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: PowerShell

Deobfuscate/Decode Files or Information

Legitimate hosting services abused for malware hosting/C2

Badlisted process makes network request

Quasar RAT

Quasar family

Quasar payload

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6dbb22d7e0e30cbba3a888b9e736c9953c7edd4bb04a8855ff998f188e77e661

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/26173/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample