MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 749f17c6f9adb9378036f3e7c86cc5f7de353f0a8fbbe06d247d8ded4b198024. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 749f17c6f9adb9378036f3e7c86cc5f7de353f0a8fbbe06d247d8ded4b198024
SHA3-384 hash: c2407bba9fbfe28fcae5006357f1e0e77f159ae72a4edcdf45d4fd16e7ae55347eaab5f74ea98e934fd72d6db64229a9
SHA1 hash: 9c423a866056a5eee6aff804ec398fd1daa320b0
MD5 hash: dffb1a80b478657a9b34af4c62d8a365
humanhash: timing-don-island-south
File name:Client-built_ultra_protected.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:14'627'597 bytes
First seen:2025-05-28 22:42:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 965e162fe6366ee377aa9bc80bdd5c65 (44 x BlankGrabber, 9 x Efimer, 7 x PythonStealer)
ssdeep 196608:N0h8B24iMqWNo2mtKVNXMCHGLLc54i1wN+6fV0cSXl74w40wqQyH52:w8B2JtWNhqKVNXMCHWUjQVg74w9rQ48
Threatray 46 similar samples on MalwareBazaar
TLSH T17DE633189AA47DB7D4B2833ED092ED2EE63179250BE6E6D743E550571F23380AC37B81
TrID 66.6% (.EXE) InstallShield setup (43053/19/16)
16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter BastianHein
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
613
Origin country :
CL CL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Client-built_ultra_protected.exe
Verdict:
Malicious activity
Analysis date:
2025-05-28 22:45:15 UTC
Tags:
python evasion pyinstaller crypto-regex rust
Link:
https://app.any.run/tasks/4835ebf9-a0af-4280-97d8-885b55c8e7a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6117/
Detection(s):
SecuriteInfo.com.Python.Packed.104.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68379300acf88f5815e83210
Tags:
installer vmdetect extens remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Restart of the analyzed sample
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Connecting to a non-recommended domain
Connection attempt
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 expand lolbin microsoft_visual_cc overlay overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/68379186fd02ed5e058d574c/reports/4f24d08e-3726-40df-972a-f20248041065/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/749f17c6f9adb9378036f3e7c86cc5f7de353f0a8fbbe06d247d8ded4b198024
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fd585453-ec75-4723-a026-c809585b3ff2
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1701146
Signature
Antivirus detection for dropped file
Contains functionality to infect the boot sector
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/749f17c6f9adb9378036f3e7c86cc5f7de353f0a8fbbe06d247d8ded4b198024
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/749f17c6f9adb9378036f3e7c86cc5f7de353f0a8fbbe06d247d8ded4b198024/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=osprprxzvw4tpabw6pt4q3gf67pdkpykr656a3jepwg62syzqasa._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
0e053045a5ab0d4e2a65052bd3aa795d70976b5afa8413b3198f6e30db11409a
QuasarRAT
13be0a2444ed05fa173dca62cea89c996e0fe93d82d33bb7795d1870eb1b0e2d
QuasarRAT
5b9dd8506f14373dc169b477fb7ee60512fdea77e7e666ba7120c39bfdfd2703
QuasarRAT
6d5faa0cd51cbe5d6fb33a09453d1a9ccfcbffc3fb715369026db4103b1605db
QuasarRAT
93b842ea63d8c2ca4ea2e8a59df0f872f61dcf591691fe2a7e80cf17bfa4a46a
QuasarRAT
bcf7b6bf4607c5d6874ebaf8719ccf3c3470625cf1854a753223cb783b1108c5
QuasarRAT
error
QuasarRAT
+ 36 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office04 pyinstaller spyware trojan
Link:
https://tria.ge/reports/250528-2ncfcaar91/
Behaviour
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
45.138.16.192:4782
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ceb3bc6b-f360-4152-95da-54f04c8dd8e5
Unpacked files
SH256 hash:
749f17c6f9adb9378036f3e7c86cc5f7de353f0a8fbbe06d247d8ded4b198024
MD5 hash:
dffb1a80b478657a9b34af4c62d8a365
SHA1 hash:
9c423a866056a5eee6aff804ec398fd1daa320b0
Link:
https://www.unpac.me/results/3fce7198-76c6-4c48-a7b5-652328829929/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/749f17c6f9ad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/749f17c6f9adb9378036f3e7c86cc5f7de353f0a8fbbe06d247d8ded4b198024

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/6117/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::FindFirstFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments