MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e4c4435a5262a614a2fd4297f44933de12628e958311a99c8befb3165663e60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e4c4435a5262a614a2fd4297f44933de12628e958311a99c8befb3165663e60
SHA3-384 hash: cbf580daf144731e4d9ba38679af93b2e74ad0747cddf573d4cbde9b1756244e6ec01f5f20a4b1d0c5a8c57a8f7f9afe
SHA1 hash: 1c6fbded673d26d17f28414d4cc15b47d4015863
MD5 hash: 7d99e69c85b4c3d8042272f4b8998ef7
humanhash: lithium-august-vermont-triple
File name:PO-097-2025.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:5'506'048 bytes
First seen:2025-09-16 01:29:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 98304:8WmKBc7c8fpVrOv++lbXUZugxykypQ37PE4rm:nrQWm+l7fVkypIbr
TLSH T1814602B636C46904D1FFB376583AD2D1B3F2F68A56F1C60E21A7220879E05062B3577E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
PO-097-2025.exe
Verdict:
Malicious activity
Analysis date:
2025-09-16 01:31:15 UTC
Tags:
httpdebugger tool quasar rat remote evasion auto-reg
Link:
https://app.any.run/tasks/8c8e3955-1eff-46e9-9bbd-7dbee81e7555

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/27621/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c8bde7d49ea3f1e4b63cb2
Tags:
virus micro remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated obfuscated phishing vbnet
Link:
https://www.filescan.io/uploads/68c8bd7a0d1238ff0aac91c4/reports/f85ec94a-2434-4ed7-81fe-29ca6e1493af/overview
Verdict:
Malicious
Labled as:
Trojan.Heur3.CTR.Generic
Link:
https://www.hybrid-analysis.com/sample/8e4c4435a5262a614a2fd4297f44933de12628e958311a99c8befb3165663e60
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-15T14:59:00Z UTC
Last seen:
2025-09-15T14:59:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/8e4c4435a5262a614a2fd4297f44933de12628e958311a99c8befb3165663e60/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2e09aab2-8a10-4b1e-85d5-283cc10a3d4d
Result
Threat name:
AsyncRAT, DarkTortilla, Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1778161
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected DarkTortilla Crypter
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8e4c4435a5262a614a2fd4297f44933de12628e958311a99c8befb3165663e60
Verdict:
inconclusive
YARA:
11 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Link:
https://app.malva.re/file/7d99e69c85b4c3d8042272f4b8998ef7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e4c4435a5262a614a2fd4297f44933de12628e958311a99c8befb3165663e60/
Threat name:
ByteCode-MSIL.Trojan.DarkTortilla
Create hunting rule
Status:
Malicious
First seen:
2025-09-16 01:31:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
290
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rzgeinnfeyvgcsrp2qux6rethxqsmkhjlayrvgoix35tczlghzqa._file
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:darktortilla family:quasar botnet:sim crypter discovery execution loader persistence spyware trojan
Link:
https://tria.ge/reports/250916-bwhdfscq9s/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Darktortilla
Darktortilla family
Detects Darktortilla crypter.
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
45.131.65.126:8090
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c315bf72-f511-4170-b5a9-8f4540cf6046
Unpacked files
SH256 hash:
8e4c4435a5262a614a2fd4297f44933de12628e958311a99c8befb3165663e60
MD5 hash:
7d99e69c85b4c3d8042272f4b8998ef7
SHA1 hash:
1c6fbded673d26d17f28414d4cc15b47d4015863
Link:
https://www.unpac.me/results/681531b8-bbc2-4928-b1c4-3effe28ea160/
SH256 hash:
003ddf8ddfc7afbc21df8ab9dd223df737b6ec66d1ff65ffc8d1f54a43ae7a2c
MD5 hash:
d344219cdf67ca2902224dfaa2e98224
SHA1 hash:
10a96c279c505812124da69fee75b18cceb9e64d
Link:
https://www.unpac.me/results/681531b8-bbc2-4928-b1c4-3effe28ea160/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8e4c4435a526/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e4c4435a5262a614a2fd4297f44933de12628e958311a99c8befb3165663e60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

QuasarRAT

Executable exe 8e4c4435a5262a614a2fd4297f44933de12628e958311a99c8befb3165663e60

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/27621/

Comments