MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c5659ff1e439fdb199c25ac76fb8d3e9c45b702ac8c99073ccdf7fd1f9cdbfd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 20


Intelligence 20 IOCs YARA 33 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c5659ff1e439fdb199c25ac76fb8d3e9c45b702ac8c99073ccdf7fd1f9cdbfd
SHA3-384 hash: 7d69203699c4e1359830ff99f6fbdb09da7c63e063e33be99160e3fac02c9612fbc4e40361a79b6fcc3caa6b97f498ab
SHA1 hash: 34650e3267bb75eec237f645b9ddd996c017fe12
MD5 hash: 6b59f2ca347a24f0a86ea8ed9d17ee74
humanhash: ink-delta-spring-hot
File name:venom.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'085'952 bytes
First seen:2025-06-23 13:55:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:Faynkc1ZzBvtrZHFjMKY286OOLAlel6qbWtRvRxZ:synkc1ZzBvtrZHFjMKY2zglel6KW
Threatray 90 similar samples on MalwareBazaar
TLSH T1CB353A14E7F86595F06E7F32747498150A38BE436A3DA74B2B9591980F6B380CCB2F63
TrID 58.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
13.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.4% (.EXE) Win64 Executable (generic) (10522/11/4)
5.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter johnk3r
Tags:18-230-228-127 91-134-207-16 exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
460
Origin country :
AR AR
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
venom.exe
Verdict:
Malicious activity
Analysis date:
2025-06-23 13:58:10 UTC
Tags:
evasion rat quasar remote crypto-regex
Link:
https://app.any.run/tasks/9065b31e-c626-4c75-bd04-4a522d380454

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLAgent09
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10687/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68595d0ab06783b9ebd6af43
Tags:
autorun quasar
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Labled as:
Trojan.Agent
Link:
https://www.hybrid-analysis.com/sample/8c5659ff1e439fdb199c25ac76fb8d3e9c45b702ac8c99073ccdf7fd1f9cdbfd
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4e04af89-48dc-4d1b-9316-1d88fc7ced5f
Result
Threat name:
Clipboard Hijacker, Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1720986
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to hide user accounts
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Malware Callback Communication
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Generic Downloader
Yara detected Quasar RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8c5659ff1e439fdb199c25ac76fb8d3e9c45b702ac8c99073ccdf7fd1f9cdbfd
Verdict:
QuasarRat
YARA:
9 match(es)
Tags:
Executable Malicious PE (Portable Executable) QuasarRat RAT Win 32 Exe x86
Malware Config
C2 Extraction:
PORT: selectbackup.ddn
CNC: selectbackup.ddn
Link:
https://app.malva.re/file/6b59f2ca347a24f0a86ea8ed9d17ee74
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c5659ff1e439fdb199c25ac76fb8d3e9c45b702ac8c99073ccdf7fd1f9cdbfd/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/8c5659ff1e439fdb199c25ac76fb8d3e9c45b702ac8c99073ccdf7fd1f9cdbfd
Threat name:
ByteCode-MSIL.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2025-06-23 13:56:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rrlft7y6iop5wgm4ewwhn64nh2oelnycvsgjsbz4zx372h443p6q._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
2a3d6b98064397ea36c835292774589ced9f1a9287186c3cf28e0248b0cb4adc
QuasarRAT
2a8c219afd3d9e171dc1515b32185bad9172bbcdaf15a6a7502458b6e7553ff5
QuasarRAT
326e0518dab187c2786ffb1429a71dc764ef82211aaf59bcd3a8a78c01579283
QuasarRAT
8c5659ff1e439fdb199c25ac76fb8d3e9c45b702ac8c99073ccdf7fd1f9cdbfd
QuasarRAT
98ed685e58c13887c499cef7806acfd58d771bdcf95b60d8c7604fd500a466ba
QuasarRAT
ace5504608d43d701becbb246abe3c7b0483fd3904c13a5677084e6f98ef0271
QuasarRAT
error
QuasarRAT
+ 80 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:client discovery spyware trojan
Link:
https://tria.ge/reports/250623-q8ycrscl7s/
Behaviour
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Looks up external IP address via web service
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
selectbackup.ddns.net:5552
Verdict:
Malicious
Tags:
red_team_tool rat quasar_rat downloader trojan Win.Malware.Ursu-9802322-0
YARA:
RDPWrap JPCERTCC_Quasar MALWARE_Win_QuasarRAT MAL_QuasarRAT_May19_1 malware_Quasar_strings malware_windows_quasarrat MALWARE_Win_DLAgent10 MAL_NET_LimeCrypter_RunPE_Jan24
Link:
https://app.threat.zone/submission/565b1e76-d126-4f9e-99c0-77efabf2a294
Unpacked files
SH256 hash:
8c5659ff1e439fdb199c25ac76fb8d3e9c45b702ac8c99073ccdf7fd1f9cdbfd
MD5 hash:
6b59f2ca347a24f0a86ea8ed9d17ee74
SHA1 hash:
34650e3267bb75eec237f645b9ddd996c017fe12
Detections:
QuasarRAT
Create hunting rule
RDPWrap
Create hunting rule
Link:
https://www.unpac.me/results/17d3be3d-7668-4311-92ae-07c98482d353/
SH256 hash:
c1428ec7129ad3e36dad35d8992602cefcd6a593952834897424314fe029dd4b
MD5 hash:
67ca4c5eed9cab4b08064d4314dc0a86
SHA1 hash:
61dfa1d80d9e6b506d29e3897dd3ca08ade30988
Detections:
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Link:
https://www.unpac.me/results/17d3be3d-7668-4311-92ae-07c98482d353/
Parent samples :
a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87
e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0
fbe788dd0db451b33c60b855c9aa18af0d2b87140cfa25a0a78be290d10089cc
ace5504608d43d701becbb246abe3c7b0483fd3904c13a5677084e6f98ef0271
d4e3e9ccf34249744cc8bbeba02fb11626604b8093edc8d85326b467e6aeb7b1
326e0518dab187c2786ffb1429a71dc764ef82211aaf59bcd3a8a78c01579283
2a8c219afd3d9e171dc1515b32185bad9172bbcdaf15a6a7502458b6e7553ff5
8c5659ff1e439fdb199c25ac76fb8d3e9c45b702ac8c99073ccdf7fd1f9cdbfd
SH256 hash:
3a96d9a797a3b6b3ea0d8264ed1078508df9557e2f453217d52a75907f9b9465
MD5 hash:
547ebc92cac936d8c3459d2765948f4a
SHA1 hash:
09c143d609b65b19a97289ca7645df2a0bc39c83
Link:
https://www.unpac.me/results/17d3be3d-7668-4311-92ae-07c98482d353/
SH256 hash:
3db2b0c012e3e770548b36eb84ea2278f34dfda82a269fc30f38e743b33855e3
MD5 hash:
ef33c4c8efc8c1b355ad64e12b010070
SHA1 hash:
ac30158d8bd81ec0b728a299c9e72789b4f33f31
Link:
https://www.unpac.me/results/17d3be3d-7668-4311-92ae-07c98482d353/
SH256 hash:
866c468f227e0ee2c3614cf97e74ebacf79fecb24845210488d13a42824cf50d
MD5 hash:
b064ffbd0835d50b00ebe34660832ecf
SHA1 hash:
bf5b5bba369127ccc6d740f27e40b2c67b5cf8bd
Link:
https://www.unpac.me/results/17d3be3d-7668-4311-92ae-07c98482d353/
SH256 hash:
542be6a092437c47aec4c046bf4636f9a3153954b0384141b8cc2922d68a38b5
MD5 hash:
bfb7da75069724d5ec80b44bc2e46d9f
SHA1 hash:
fe757e6a079f7be6efa5d15df7260792560f6576
Link:
https://www.unpac.me/results/17d3be3d-7668-4311-92ae-07c98482d353/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8c5659ff1e43/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c5659ff1e439fdb199c25ac76fb8d3e9c45b702ac8c99073ccdf7fd1f9cdbfd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:malware_Quasar_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:MALWARE_Win_DLAgent09
Create hunting rule
Author:ditekSHen
Description:Detects known downloader agent
Rule name:MALWARE_Win_DLAgent10
Create hunting rule
Author:ditekSHen
Description:Detects known downloader agent
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_NET_UAC_Bypass_May25
Create hunting rule
Author:Jonathan Peters (cod3nym)
Description:Detects .NET based tool abusing legitimate Windows utility cmstp.exe to bypass UAC (User-Admin-Controls)
Reference:Internal Research
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Description:Detects QuasarRAT malware
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:msil_suspicious_use_of_strreverse
Create hunting rule
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:quasarrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:QuasarRAT
Create hunting rule
Author:ditekshen
Description:QuasarRAT payload
Rule name:quasarrat_kingrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
Author:dr4k0nia, modified by Florian Roth
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/10687/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
commented on 2025-06-23 14:01:30 UTC

RAT King Parser (https://github.com/jeFF0Falltrades/rat_king_parser) Output:

{
"sha256": "8c5659ff1e439fdb199c25ac76fb8d3e9c45b702ac8c99073ccdf7fd1f9cdbfd",
"yara_possible_family": "quasarrat",
"key": "c0a259535a82aca1251b880d30d1a22e",
"salt": "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941",
"config": {
"obfuscated_key_1": "2.7.0.0",
"obfuscated_key_2": "selectbackup.ddns.net:5552;",
"obfuscated_key_3": 3000,
"obfuscated_key_4": "WOtrgpk9s0tBaHY5wCncig==",
"obfuscated_key_5": "3NSukrM1umntSCeOfe75jwutvrgJwZ7RLjyzE7JUxjslb9d4x20pPVjO5raGfg1wGJ0S+FaZONO2tAMvGOYaZA==",
"obfuscated_key_6": "APPLICATIONDATA",
"obfuscated_key_7": "",
"obfuscated_key_8": "Venom.exe",
"obfuscated_key_9": false,
"obfuscated_key_10": false,
"obfuscated_key_11": false,
"obfuscated_key_12": "4m697TywNrGW2bvUNC",
"obfuscated_key_13": false,
"obfuscated_key_14": "Venom Client Startup",
"obfuscated_key_15": false,
"obfuscated_key_16": false,
"obfuscated_key_17": "gfz6ANqqncWsAWZd8EiF",
"obfuscated_key_18": "Client",
"obfuscated_key_19": "Logs",
"obfuscated_key_20": false,
"obfuscated_key_21": false,
"obfuscated_key_22": "1VLCVok8uAUWMFluP6aSI4k7Vq9_qFvkxXRj6nvwWGhbo88x",
"obfuscated_key_23": false
}
}