MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85ee9179acf302bc9e3708315d06558133f002e1d233dda93d37428f216ac53f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85ee9179acf302bc9e3708315d06558133f002e1d233dda93d37428f216ac53f
SHA3-384 hash: a9e4c2ad2a7c72056099b6ee99a3de7e97cbeea3053026e3bd471c94b6f402e57de0e45f6ac52a6723befd221611f479
SHA1 hash: 84c68cfbd83820c364ba97335ecf74c475eb6e21
MD5 hash: 75bcb02db776ccd802d90756e7ef762c
humanhash: illinois-carbon-quebec-lamp
File name:SecuriteInfo.com.Win64.Evo-gen.23764691
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:4'092'392 bytes
First seen:2025-10-06 06:30:20 UTC
Last seen:2025-10-06 07:19:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d42595b695fc008ef2c56aabd8efd68e (122 x Vidar, 92 x Rhadamanthys, 51 x Stealc)
ssdeep 49152:8UJQVn5dXkpDLu6mplztEy1iGoAbUF+l1pB8tecdgKR2tpK0EutBF/Vuri2NQfhg:8RPplztTtp8uPsVNCs8UpjOLSQv3HK
Threatray 186 similar samples on MalwareBazaar
TLSH T1BE169D166C8109A5C4A6B33189F2D152BAF4BE780B2623D36F50B6B83F336C8D576774
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win64.Evo-gen.23764691
Verdict:
Malicious activity
Analysis date:
2025-10-06 06:32:53 UTC
Tags:
golang auto-reg crypto-regex
Link:
https://app.any.run/tasks/917fb385-c5af-4000-8fa3-f07feb329c0f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/30695/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e3622d6bc7e25d18cc3568
Tags:
dropper emotet extens sage
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Launching cmd.exe command interpreter
Launching a process
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
golang installer invalid-signature obfuscated packed packed packer_detected signed threat
Link:
https://www.filescan.io/uploads/68e3622ef377ab2310528348/reports/fcb5c224-0f7c-4d4f-942a-a770e2322563/overview
Verdict:
Malicious
Labled as:
WinGo/Kryptik_AGeneric.E trojan
Link:
https://www.hybrid-analysis.com/sample/85ee9179acf302bc9e3708315d06558133f002e1d233dda93d37428f216ac53f
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-06T02:57:00Z UTC
Last seen:
2025-10-06T10:18:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/85ee9179acf302bc9e3708315d06558133f002e1d233dda93d37428f216ac53f/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d5e96714-c583-4429-ab96-3a75de6f1c3d
Score:
50%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/85ee9179acf302bc9e3708315d06558133f002e1d233dda93d37428f216ac53f
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/75bcb02db776ccd802d90756e7ef762c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85ee9179acf302bc9e3708315d06558133f002e1d233dda93d37428f216ac53f/
Threat name:
Win64.Backdoor.Quasar
Create hunting rule
Status:
Malicious
First seen:
2025-10-06 05:42:12 UTC
File Type:
PE+ (Exe)
Extracted files:
26
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
0ccb7c895e64098f7847295ef0112437b49811301786b2b36eecf23374e34da2
QuasarRAT
5df7a18c5674abbab89a53d3398c3398b800b14f8ff08488d89407402325f75a
QuasarRAT
6dbb22d7e0e30cbba3a888b9e736c9953c7edd4bb04a8855ff998f188e77e661
QuasarRAT
8768859060387f56a2243b3d68d1b88fc12def261668c945d67ba7772f569b24
QuasarRAT
907526c3c3900f327899c251e01e0bd5678774fc163f0c053eec4cbe1ea5e8b2
QuasarRAT
ea90d10a0f856d00da2e68829e7c87e04f0d4834a05405cdbda1455c05f7de0f
QuasarRAT
error
QuasarRAT
+ 176 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:test1 discovery persistence spyware trojan
Link:
https://tria.ge/reports/251006-g94fqsgj3z/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
178.16.53.10:4782
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/50e14104-f2ff-44af-889e-dd240689aae9
Unpacked files
SH256 hash:
85ee9179acf302bc9e3708315d06558133f002e1d233dda93d37428f216ac53f
MD5 hash:
75bcb02db776ccd802d90756e7ef762c
SHA1 hash:
84c68cfbd83820c364ba97335ecf74c475eb6e21
Link:
https://www.unpac.me/results/e3ef2275-e63e-4a43-8246-3f9020f48b4c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/85ee9179acf302bc9e3708315d06558133f002e1d233dda93d37428f216ac53f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 85ee9179acf302bc9e3708315d06558133f002e1d233dda93d37428f216ac53f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3659947/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/30695/

Comments