MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85c0e3209b312fc6d2f5e2079caa0d33aec8348e39579a7babe7a6b482a07648. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 46 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85c0e3209b312fc6d2f5e2079caa0d33aec8348e39579a7babe7a6b482a07648
SHA3-384 hash: 4aa2c4e2e82a586b8b15f75192c477292e807a3770bf165cf988a1221b32f6adbe268e4d9801f89be57daaedd07135cf
SHA1 hash: 82f2da883b21601e77eefa8d5d1756a8bc1d4b71
MD5 hash: fd08232e3af6893fd3df409236ff2c26
humanhash: sierra-skylark-georgia-fanta
File name:installer.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:19'034'112 bytes
First seen:2025-11-24 10:28:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0058caa108186abf74c81651deab016c (1 x QuasarRAT)
ssdeep 196608:eBwBFfNDVXVFnBK80HL6+sGsd8jxmZo2D2rpQjavXxBRrhLfenvn2lgA3GE1oYWc:n1ZTUrLXGtcQaBRVenv2jv8Ov562bp
TLSH T1A3171202BAC69DA8E08CCC74C3468A974B2274DB0B2AB6EF47D555242F7E7F45F18319
TrID 66.6% (.EXE) InstallShield setup (43053/19/16)
16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter smica83
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
installer.exe
Verdict:
Malicious activity
Analysis date:
2025-11-24 10:28:51 UTC
Tags:
idm tool auto-startup rat quasar remote evasion auto-reg auto generic arch-scr
Link:
https://app.any.run/tasks/8c2afbbc-c6ba-4d65-a037-bc32a124f14d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41258/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6924338317146b98ddbca9fc
Tags:
vmdetect quasar
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a service
Launching a service
Loading a system driver
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Enabling autorun for a service
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm fingerprint installer-heuristic keylogger microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/6924334df6a4ba1793ae514a/reports/521eafbc-55c0-4151-8493-92817b55769f/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/85c0e3209b312fc6d2f5e2079caa0d33aec8348e39579a7babe7a6b482a07648
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-24T00:39:00Z UTC
Last seen:
2025-11-24T23:44:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.Quasar.sb Trojan.MSIL.Quasar.ftt Trojan.MSIL.Quasar.a HEUR:Trojan.MSIL.Quasar.gen Trojan-PSW.MSIL.Virinom.sb Trojan.Win32.Quasar.sb Trojan.Win32.Inject.sb HEUR:Trojan-Spy.MSIL.Downeks.gen HEUR:Trojan.Win32.Generic Trojan-Spy.Quasar.HTTP.ServerRequest Trojan-Spy.MSIL.Downeks.sb Trojan-Spy.Downeks.HTTP.Download Trojan-PSW.Win32.Stealer.sb
Link:
https://opentip.kaspersky.com/85c0e3209b312fc6d2f5e2079caa0d33aec8348e39579a7babe7a6b482a07648/results?tab=lookup
Result
Threat name:
Quasar, XRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
90 / 100
Link:
https://www.joesandbox.com/analysis/1819905
Signature
Allocates memory in foreign processes
Detected unpacking (creates a PE file in dynamic memory)
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Potential Mpclient.DLL Sideloading Via Defender Binaries
Sigma detected: Suspicious Startup Folder Persistence
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Unusual module load detection (module proxying)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Quasar RAT
Yara detected XRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1819905 Sample: installer.exe Startdate: 24/11/2025 Architecture: WINDOWS Score: 90 87 topstarwor.loseyourip.com 2->87 89 ip-api.com 2->89 105 Suricata IDS alerts for network traffic 2->105 107 Found malware configuration 2->107 109 Malicious sample detected (through community Yara rule) 2->109 111 11 other signatures 2->111 11 installer.exe 7 2->11         started        signatures3 process4 file5 77 C:\Users\user\AppData\...\idman642build53.exe, PE32 11->77 dropped 79 C:\Users\user\AppData\Local\...79isSrv.exe, PE32+ 11->79 dropped 81 C:\Users\user\AppData\Local\...\mpclient.dll, PE32+ 11->81 dropped 14 NisSrv.exe 35 11->14         started        17 idman642build53.exe 190 11->17         started        process6 file7 83 C:\Users\user\AppData\...\MateBookService.exe, PE32+ 14->83 dropped 20 MateBookService.exe 14->20         started        24 conhost.exe 14->24         started        85 C:\Users\user\AppData\Local\Temp\...\IDM1.tmp, data 17->85 dropped 95 Found evasive API chain (may stop execution after checking mutex) 17->95 26 IDM1.tmp 10 205 17->26         started        signatures8 process9 file10 61 C:\Users\user\AppData\...\HwOs2EcX64.sys, PE32+ 20->61 dropped 63 C:\...\MateBookService.exe.startup.bat, DOS 20->63 dropped 65 C:\Users\user\Container\mpclient.dll, PE32+ 20->65 dropped 73 2 other files (none is malicious) 20->73 dropped 113 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->113 115 Writes to foreign memory regions 20->115 117 Allocates memory in foreign processes 20->117 121 2 other signatures 20->121 28 jsc.exe 20->28         started        32 conhost.exe 20->32         started        67 C:\Program Files (x86)\...\idmwfpAA.sys, data 26->67 dropped 69 C:\Program Files (x86)\...\idmwfp64.sys, data 26->69 dropped 71 C:\Program Files (x86)\...\idmwfp32.sys, data 26->71 dropped 75 2 other malicious files 26->75 dropped 119 Sample is not signed and drops a device driver 26->119 signatures11 process12 dnsIp13 91 topstarwor.loseyourip.com 5.252.100.211, 1988, 49722 DBT-ASTR Germany 28->91 93 ip-api.com 208.95.112.1, 49721, 80 TUT-ASUS United States 28->93 123 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 28->123 125 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->125 127 Installs a global keyboard hook 28->127 129 Unusual module load detection (module proxying) 28->129 34 cmd.exe 28->34         started        37 powershell.exe 28->37         started        39 powershell.exe 28->39         started        41 2 other processes 28->41 signatures14 process15 signatures16 97 Uses ping.exe to sleep 34->97 99 Uses ping.exe to check the status of other devices and networks 34->99 59 3 other processes 34->59 101 Uses powercfg.exe to modify the power settings 37->101 103 Modifies power options to not sleep / hibernate 37->103 43 conhost.exe 37->43         started        45 powercfg.exe 37->45         started        47 conhost.exe 39->47         started        49 powercfg.exe 39->49         started        51 conhost.exe 41->51         started        53 powercfg.exe 41->53         started        55 conhost.exe 41->55         started        57 powercfg.exe 41->57         started        process17
Score:
83%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/85c0e3209b312fc6d2f5e2079caa0d33aec8348e39579a7babe7a6b482a07648
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/fd08232e3af6893fd3df409236ff2c26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85c0e3209b312fc6d2f5e2079caa0d33aec8348e39579a7babe7a6b482a07648/
Verdict:
Malicious
Threat:
Family.QUASAR
Link:
https://tip.neiki.dev/file/85c0e3209b312fc6d2f5e2079caa0d33aec8348e39579a7babe7a6b482a07648
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-11-24 05:21:19 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
14 of 37 (37.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxaogie3gex4nuxv4idzzkqngoxmqneohflzu65l46tljavaozea._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
error
QuasarRAT
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:wondershare filmora2 adware discovery execution persistence phishing privilege_escalation spyware stealer trojan
Link:
https://tria.ge/reports/251124-mhv8yaxlgk/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Installs/modifies Browser Helper Object
Looks up external IP address via web service
Power Settings
A potential corporate email address has been identified in the URL: mozillacc3@internetdownloadmanager.com
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in Drivers directory
Sets service image path in registry
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
topstarwor.loseyourip.com:1988
Verdict:
Malicious
Tags:
apt APT10
YARA:
APT10_ChChes_lnk
Link:
https://app.threat.zone/submission/2da7531d-4f73-49a7-8764-313dcaa2b7c8
Unpacked files
SH256 hash:
85c0e3209b312fc6d2f5e2079caa0d33aec8348e39579a7babe7a6b482a07648
MD5 hash:
fd08232e3af6893fd3df409236ff2c26
SHA1 hash:
82f2da883b21601e77eefa8d5d1756a8bc1d4b71
Link:
https://www.unpac.me/results/39e3b5c8-cf12-47c4-a9bf-ce64b97f726e/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/85c0e3209b31/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85c0e3209b312fc6d2f5e2079caa0d33aec8348e39579a7babe7a6b482a07648

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT10_ChChes_lnk
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:LNK malware ChChes downloader
Rule name:Check_Debugger
Create hunting rule
Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:CN_disclosed_20180208_KeyLogger_1_RID3227
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_References_SecTools
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many IR and analysis tools
Rule name:malware_Quasar_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:quasarrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:quasarrat_kingrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Quasar_RAT_1
Create hunting rule
Author:@SOCRadar
Description:Detects Quasar RAT
Rule name:Quasar_RAT_1_RID2B54
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Description:Detects Quasar RAT
Rule name:Quasar_RAT_2_RID2B55
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Trojan_Quasarrat_e52df647
Create hunting rule
Author:Elastic Security
Rule name:win_quasar_rat_client
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in Quasar Rat Samples.
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W
Rule name:xRAT_1_RID2900
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/41258/

Comments