MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 941c4c116f4b9bd1963f0cdbb39a35b4208f964de9e4214a616581ee00a91f40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 941c4c116f4b9bd1963f0cdbb39a35b4208f964de9e4214a616581ee00a91f40
SHA3-384 hash: d5e27b2003a77609fb8f1a2cc5c1691b0cd0d10f494215be031145495c2f9c9d1b4e6ecbb2201709c8462dda7e258ea5
SHA1 hash: 3e7c9398e7cd96fb034353b69a37b0bf3745b153
MD5 hash: 3eaa7bd617e95e5a7108cc244782f315
humanhash: robin-summer-batman-nitrogen
File name:3eaa7bd617e95e5a7108cc244782f315.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'581'056 bytes
First seen:2025-06-18 06:06:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 49152:YZckAaqJReheKrJOxrRfijamAkp4XDhRXL+:Yvn4jKFQRdmA24Ha
Threatray 30 similar samples on MalwareBazaar
TLSH T17675337773DCC9DED2392E3F7614879210693F025DD2C16C7A2A26E648482E72DBDA34
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
445
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3eaa7bd617e95e5a7108cc244782f315.exe
Verdict:
Malicious activity
Analysis date:
2025-06-18 07:48:00 UTC
Tags:
uac
Link:
https://app.any.run/tasks/24934d33-5d90-4e4e-9c1e-dfcdc6f96ee5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9922/
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Setting a keyboard event handler
Connection attempt
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Launching the process to change network settings
Reading critical registry keys
Searching for synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/941c4c116f4b9bd1963f0cdbb39a35b4208f964de9e4214a616581ee00a91f40
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d2728fc4-4984-4480-884c-af739d3d8150
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1717086
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1717086 Sample: r15ehm5Doi.exe Startdate: 18/06/2025 Architecture: WINDOWS Score: 100 35 ipwho.is 2->35 49 Found malware configuration 2->49 51 Antivirus detection for dropped file 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 9 other signatures 2->55 9 r15ehm5Doi.exe 5 2->9         started        13 Updater.exe 3 2->13         started        signatures3 process4 file5 31 C:\Users\user\AppData\Roaming\...\Updater.exe, PE32 9->31 dropped 33 C:\Users\user\AppData\...\r15ehm5Doi.exe.log, CSV 9->33 dropped 57 Uses schtasks.exe or at.exe to add and modify task schedules 9->57 59 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->59 15 Updater.exe 14 2 9->15         started        19 schtasks.exe 1 9->19         started        signatures6 process7 dnsIp8 37 91.107.176.130, 4782, 49717 HETZNER-ASDE Germany 15->37 39 ipwho.is 15.204.213.5, 443, 49719 HP-INTERNET-ASUS United States 15->39 41 Tries to harvest and steal browser information (history, passwords, etc) 15->41 43 Tries to harvest and steal WLAN passwords 15->43 45 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->45 47 Installs a global keyboard hook 15->47 21 netsh.exe 2 15->21         started        23 schtasks.exe 1 15->23         started        25 conhost.exe 19->25         started        signatures9 process10 process11 27 conhost.exe 21->27         started        29 conhost.exe 23->29         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/941c4c116f4b9bd1963f0cdbb39a35b4208f964de9e4214a616581ee00a91f40
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/3eaa7bd617e95e5a7108cc244782f315
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/941c4c116f4b9bd1963f0cdbb39a35b4208f964de9e4214a616581ee00a91f40/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2025-06-16 02:40:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sqoeyelpjon5dfr7btn3hgrvwqqi7fsn5hsccstbmwa64afjd5aa._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
2adbf68e583680bf9804404c43990adf4f011783f4f1cdddcc9afb67039a16a8
QuasarRAT
62e2c7d860a0e3e0975c5b9da5193f9ab3ca6c56ef4eea46d17cc87ac4598b90
QuasarRAT
941c4c116f4b9bd1963f0cdbb39a35b4208f964de9e4214a616581ee00a91f40
QuasarRAT
b77e9d9536abc8e48f5e4c3b3b1b3d212d841b98375bcd2fdc60ac2c10a387fe
QuasarRAT
e553c34b8aabb6ad42dfdb8a77759b32c6c035f2fc82618eefa2261c71dee761
QuasarRAT
error
QuasarRAT
f879f50e21830b34b77fd94a33b6c395b9837bb701a7f5e4dad2e9d287af9e72
QuasarRAT
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/250618-gt2xzaak5w/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Executes dropped EXE
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c57cf646-d1e4-45cd-b194-95b6db116088
Unpacked files
SH256 hash:
941c4c116f4b9bd1963f0cdbb39a35b4208f964de9e4214a616581ee00a91f40
MD5 hash:
3eaa7bd617e95e5a7108cc244782f315
SHA1 hash:
3e7c9398e7cd96fb034353b69a37b0bf3745b153
Link:
https://www.unpac.me/results/2a062dbc-9db5-445b-a073-7448497e301c/
SH256 hash:
ecef261361ca1853aa0844d60b509befb9592388bdf6dc91979295493d5c8ef0
MD5 hash:
9709dd6306e5e861911611c2974b946c
SHA1 hash:
27988e79d6c52262087c1224d3703a21536d6bce
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
HKTL_NET_GUID_Quasar
Create hunting rule
Link:
https://www.unpac.me/results/2a062dbc-9db5-445b-a073-7448497e301c/
Parent samples :
b77e9d9536abc8e48f5e4c3b3b1b3d212d841b98375bcd2fdc60ac2c10a387fe
941c4c116f4b9bd1963f0cdbb39a35b4208f964de9e4214a616581ee00a91f40
f5a8c8e7ae8328c7fc396423188c153fc6a9cfce132b1a5bb288086110fccfc7
1c1d02588f167f909a6ae2ba2d1e4ffba2b2f2fe538e38f92b2434dd08e38068
5b8efcc4d2e4dbabcee1ecd25d97cd0624ea1a9882225e382423079f7907876b
b8c953c0e089328ce75c4a27793d442fe89b14c585c09bcce8a448124d3f64ab
653d9f4361cb046b9f4e376058ac1b2a66bcd014cce1089e68aabc1230430391
SH256 hash:
0e775cfe93d47bf21192b82b2d17268ef2b6d535a05bc0983ce275f4f1c2fb7b
MD5 hash:
ef9e3a7357cff2aa851028c77218e5f7
SHA1 hash:
5b27cbf49f636cd2ff585e39acba0da0a5c789a5
Link:
https://www.unpac.me/results/2a062dbc-9db5-445b-a073-7448497e301c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/941c4c116f4b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/941c4c116f4b9bd1963f0cdbb39a35b4208f964de9e4214a616581ee00a91f40

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/9922/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments