MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90da7bbef1690e6d49ca7e712cae2506ac71d5afb0a01779bcda457fef4ea43d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90da7bbef1690e6d49ca7e712cae2506ac71d5afb0a01779bcda457fef4ea43d
SHA3-384 hash: 6664f1cd0330dc66813a64e815d83854e75027992bcfd473d6efdf7bafdd865436292179654a735db0cbcd26178f333c
SHA1 hash: e3dff8f71da30f76b978f3117276c5deeeecdb97
MD5 hash: 9612d86094f4029cc25ca80ea256c9ee
humanhash: lactose-crazy-tango-indigo
File name:mJOBEbi.bat
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:2'452'576 bytes
First seen:2025-10-20 13:31:26 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 24576:YdTXLU5T0CuEn2E5iNR6nqjHwbxHohEhq0mTYIDpMJgsjH5gXqNPgYpRFLNng1rB:a2uZ96nCKxIewXTY7hU6PBf0wukNq
Threatray 178 similar samples on MalwareBazaar
TLSH T145B5025CE69AE830843A5AEA2F6E6809096D321403DC24BD14472DBF93CF3A65F5F3D5
Magika batch
Reporter abuse_ch
Tags:bat QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
45
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-10-18 21:31:16 UTC
Tags:
amadey botnet stealer themida rdp github stealc remote xworm loader auto generic gcleaner python amsi-bypass telegram vidar discord evasion payload
Link:
https://app.any.run/tasks/abf4571c-3135-4f52-9211-dae3cc6d2f22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
ArrowRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33456/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f639f4c949ca4fcbe3b0d3
Tags:
xtreme shell sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/68f639f7c85c5c56972f13da/reports/20b18c7c-eca2-43d5-a6d0-6e791bd31ca2/overview
Verdict:
Suspicious
Labled as:
Troj/BatObf
Link:
https://www.hybrid-analysis.com/sample/90da7bbef1690e6d49ca7e712cae2506ac71d5afb0a01779bcda457fef4ea43d
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-10-18T18:30:00Z UTC
Last seen:
2025-10-19T03:57:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic PDM:Exploit.Win32.Generic HEUR:Trojan.BAT.Agent.gen Trojan.BAT.Agent.sb
Link:
https://opentip.kaspersky.com/90da7bbef1690e6d49ca7e712cae2506ac71d5afb0a01779bcda457fef4ea43d/results?tab=lookup
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1798365
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Found large BAT file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses Register-ScheduledTask to add task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1798365 Sample: mJOBEbi.bat Startdate: 20/10/2025 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for dropped file 2->52 54 13 other signatures 2->54 9 cmd.exe 1 2->9         started        12 wscript.exe 1 2->12         started        process3 signatures4 64 Suspicious powershell command line found 9->64 66 Wscript starts Powershell (via cmd or directly) 9->66 68 Bypasses PowerShell execution policy 9->68 14 powershell.exe 3 19 9->14         started        18 conhost.exe 9->18         started        70 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->70 72 Suspicious execution chain found 12->72 20 cmd.exe 12->20         started        process5 file6 42 C:\Users\user\AppData\...\startup_str_162.vbs, ASCII 14->42 dropped 44 C:\Users\user\AppData\...\startup_str_162.bat, DOS 14->44 dropped 74 Suspicious powershell command line found 14->74 76 Uses Register-ScheduledTask to add task schedules 14->76 22 wscript.exe 1 14->22         started        25 powershell.exe 37 14->25         started        78 Wscript starts Powershell (via cmd or directly) 20->78 27 conhost.exe 20->27         started        29 powershell.exe 20->29         started        signatures7 process8 signatures9 60 Wscript starts Powershell (via cmd or directly) 22->60 31 cmd.exe 1 22->31         started        62 Loading BitLocker PowerShell Module 25->62 34 conhost.exe 25->34         started        process10 signatures11 80 Suspicious powershell command line found 31->80 82 Wscript starts Powershell (via cmd or directly) 31->82 36 powershell.exe 20 31->36         started        40 conhost.exe 31->40         started        process12 dnsIp13 46 206.188.196.159, 8990 DEFENSE-NETUS United States 36->46 56 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 36->56 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 36->58 signatures14
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/90da7bbef1690e6d49ca7e712cae2506ac71d5afb0a01779bcda457fef4ea43d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90da7bbef1690e6d49ca7e712cae2506ac71d5afb0a01779bcda457fef4ea43d/
Verdict:
Malicious
Threat:
Trojan.BAT.Agent
Link:
https://tip.neiki.dev/file/90da7bbef1690e6d49ca7e712cae2506ac71d5afb0a01779bcda457fef4ea43d
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-10-18 20:55:06 UTC
File Type:
Text
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sdnhxpxrnehg2sokpzyszlrfa2whdvnpwcqbo6n43jcx732ouq6q._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
128b564d48862fe887ccebb64542c66a29b9943ed8bc7882bbb3992d4fe4792c
QuasarRAT
1af2e11cbb60bee87efab50083b64d9051a8255c0b9143d9105703e5f2a2c588
QuasarRAT
3662a8d4f950c9ebd0851e0b0713f2e48dfb7dd5ac3de02bae8acd1d6c4efd1d
QuasarRAT
5bf621e8d7c8590e3a2a5bb9779b5458b28f85b8887076b4a4885d1ee3e2c7f0
QuasarRAT
678fec195529ac67002cf29197d43af393d9e1d27d42c29f1b9bc1635f1a2d00
QuasarRAT
6e6e691a7f98fc4086f2bec28b34b2474ab783e9408c611e789a00107a24c227
QuasarRAT
9d41a7f6b0839b545420494065a7a5e3fa36006d763340a1e1b1ab33eb47e17a
QuasarRAT
c6e92bc1395d1865f41e0d10256f7de0fd6913a07c414b2489a191227b3730f6
QuasarRAT
d17f5a248883a81f2d0b01f801c62d60bdf5bda00c455f7823ffac056b4165c6
QuasarRAT
d77857e39d36842225e58a9d5977d73c86e5158858225a92ec16b2f2ca522fe3
QuasarRAT
error
QuasarRAT
+ 168 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar execution spyware trojan
Link:
https://tria.ge/reports/251020-qs7lhagx4c/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Enumerates physical storage devices
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Contains code to disable Windows Defender
Quasar RAT
Quasar family
Quasar payload
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/90da7bbef169/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90da7bbef1690e6d49ca7e712cae2506ac71d5afb0a01779bcda457fef4ea43d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Batch (bat) bat 90da7bbef1690e6d49ca7e712cae2506ac71d5afb0a01779bcda457fef4ea43d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3681441/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/33456/

Comments