MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 903387d93c8c1a877a89e1c8cb95b56ae96762f8694b0f95ee05ec6676936aa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 903387d93c8c1a877a89e1c8cb95b56ae96762f8694b0f95ee05ec6676936aa1
SHA3-384 hash: 31a81d61a00541d291a59748ec8b59d271f4c180120b81ea6076af932da3f071e92da3f245cdcc0f1dd55d2f4083e670
SHA1 hash: 36453ed4b84dfa84daf812d519ab32a1dd7e56f8
MD5 hash: 3eb5a848ab9411dff2063a1bd8431501
humanhash: spaghetti-hawaii-paris-freddie
File name:3eb5a848ab9411dff2063a1bd8431501.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'373'696 bytes
First seen:2025-05-14 12:31:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:GoS4u5e6DRxPX6RNuVILJKPa6C10+PhvRYa4d3Bk5aOdbhl2S83IpPjdI0HNdTXW:GU4xRBYuVCoCO+5WD3Odb7B2ItHTTc
Threatray 20 similar samples on MalwareBazaar
TLSH T142553392D3BE80F2D36C8F36A75A23F834F79F5B1DC9C85D1134816B980614A9D6BD28
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon e8d4e8e8e8e8d0e0 (1 x QuasarRAT)
Reporter abuse_ch
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
489
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3eb5a848ab9411dff2063a1bd8431501.exe
Verdict:
Malicious activity
Analysis date:
2025-05-14 12:46:42 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/ce5e7013-dbcf-45d6-9670-c00ec11c9fe3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Msilzilla-10008147-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68248e8ce16384d6a7045ec8
Tags:
dropper virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Creating a file
Creating a window
Creating a file in the %AppData% subdirectories
Launching a process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd fingerprint lolbin obfuscated packed packed packer_detected quasar reconnaissance vbnet
Link:
https://www.filescan.io/uploads/68248d4b0e6398962583f223/reports/b31f2236-7b5b-4e13-95e7-428a89bce98d/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/903387d93c8c1a877a89e1c8cb95b56ae96762f8694b0f95ee05ec6676936aa1
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be3e7d62-258b-4f20-9b2e-3e00a94c1eb2
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1689890
Signature
Antivirus / Scanner detection for submitted sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1689890 Sample: CqmxUUMR7O.exe Startdate: 14/05/2025 Architecture: WINDOWS Score: 100 43 ip-api.com 2->43 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 8 other signatures 2->57 10 CqmxUUMR7O.exe 14 6 2->10         started        15 yg8367tyt4.exe 3 2->15         started        signatures3 process4 dnsIp5 47 ip-api.com 208.95.112.1, 49682, 80 TUT-ASUS United States 10->47 39 C:\Users\user\AppData\Local\...\bind now.exe, PE32 10->39 dropped 41 C:\Users\user\AppData\...\CqmxUUMR7O.exe.log, CSV 10->41 dropped 65 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 10->65 17 bind now.exe 5 10->17         started        21 cmd.exe 1 10->21         started        file6 signatures7 process8 file9 37 C:\Users\user\AppData\...\yg8367tyt4.exe, PE32 17->37 dropped 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->49 23 yg8367tyt4.exe 2 17->23         started        27 schtasks.exe 1 17->27         started        29 conhost.exe 21->29         started        signatures10 process11 dnsIp12 45 176.65.143.168, 3535 WEBTRAFFICDE Germany 23->45 59 Multi AV Scanner detection for dropped file 23->59 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->61 63 Installs a global keyboard hook 23->63 31 schtasks.exe 1 23->31         started        33 conhost.exe 27->33         started        signatures13 process14 process15 35 conhost.exe 31->35         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/903387d93c8c1a877a89e1c8cb95b56ae96762f8694b0f95ee05ec6676936aa1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/903387d93c8c1a877a89e1c8cb95b56ae96762f8694b0f95ee05ec6676936aa1/
Threat name:
ByteCode-MSIL.Trojan.XWormRAT
Create hunting rule
Status:
Malicious
First seen:
2025-05-11 14:11:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sazypwj4rqnio6uj4hemxfnvnluwoyxynffq7fpoaxwgm5utnkqq._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
030c62f201281c0034102b3cab64490e51b0499a9b5fad498f1ded30b23dbf66
QuasarRAT
0901494ca99f6080fd12276cf98de5689cd4e0da9c797954d6d832492ac21e81
QuasarRAT
0d83301aae4af98108f42ccbc7d9b4e3abcd65c91162fc0bfa8d4e3c86733560
QuasarRAT
101786e62aeb6f62129bb39ea1b58cc587de9483a2409a1c95a61a32aa202627
QuasarRAT
9299eddf62904e0b0c32dca0aa811bd686b3d2a0f3c942617b2c5f9c725e110c
QuasarRAT
error
QuasarRAT
+ 10 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:menu spyware trojan
Link:
https://tria.ge/reports/250514-pqpggahp3s/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
176.65.143.168:3535
Verdict:
Malicious
Tags:
Win.Packed.Msilzilla-10008147-0 external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/93e3aced-7d94-41ef-a04f-bfc9f8545878
Unpacked files
SH256 hash:
903387d93c8c1a877a89e1c8cb95b56ae96762f8694b0f95ee05ec6676936aa1
MD5 hash:
3eb5a848ab9411dff2063a1bd8431501
SHA1 hash:
36453ed4b84dfa84daf812d519ab32a1dd7e56f8
Link:
https://www.unpac.me/results/759e8eff-eab8-4b88-93f7-535b4f3b7396/
SH256 hash:
c7428d9d6f4ec4dc75bd4c1dc0036726321384b52735e06b00e1b73e1838c26f
MD5 hash:
0ff4e9c2eb286e1a8414b6969a940810
SHA1 hash:
7d7e6bd73f6d81f53c5184bac8c1c15401ccf6a5
Detections:
QuasarRAT
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
MAL_BackNet_Nov18_1
Create hunting rule
INDICATOR_EXE_Packed_Fody
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Link:
https://www.unpac.me/results/759e8eff-eab8-4b88-93f7-535b4f3b7396/
SH256 hash:
25654bb37f1247374916b140301f61d665238bb723d0c072560635b1f329b7e9
MD5 hash:
2358adfd8c5f1ef45b1cb094d9ddbf50
SHA1 hash:
786fadb531ee90fcfa63ded6f7dd0837b0ed5a3f
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
HKTL_NET_GUID_Quasar
Create hunting rule
Link:
https://www.unpac.me/results/759e8eff-eab8-4b88-93f7-535b4f3b7396/
Parent samples :
e3028ecd7637653dda1250fa2925e143796e385cda98191f04eec0681fd0c826
50cb6b8d0f572cd355d682a3f3529854b98cc75e141e452c98bec0279ef1ace2
030c62f201281c0034102b3cab64490e51b0499a9b5fad498f1ded30b23dbf66
903387d93c8c1a877a89e1c8cb95b56ae96762f8694b0f95ee05ec6676936aa1
54212c9959363a60f5f5899ba4611351064a0b7b88c54aba33274e6f9e3c8031
78daa33cb739c0b1648f17599695cf0fc5ad0b1c7640d55d91e1d534a024c6f7
6597d0a917f2def35809cfcffd7c9098bc7e97eb62d35fb74486344208faf61a
0b484408c0a7a0d36bd2a1eaebd3030c98c88d786e92eb16b918b3a8b5c8bc9d
295f2ce9cc94f31573bf7b37f7ad43bcb4579ef0fa435c8fec0873214c6a43d2
5aa42451a5ac1ef0da91a240389b95cf535f34931f50540e4b3d6c38c9b68067
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/903387d93c8c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/903387d93c8c1a877a89e1c8cb95b56ae96762f8694b0f95ee05ec6676936aa1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments