MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9560ccb061e654db02a3f03e06c14a2c1bbe95d232917fc8f1b83270903d88a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9560ccb061e654db02a3f03e06c14a2c1bbe95d232917fc8f1b83270903d88a6
SHA3-384 hash: 8f1eee27bc82f0cebcbb863c2a0cffeb974eea505acd9d665ecb9ba8b137e1927b6456a5783feceea6cb0d244b0753b4
SHA1 hash: 8dcf20849899c76a5be211dfb513900fd363f37b
MD5 hash: be18c77e5867bf04cd3a2e2545ef596b
humanhash: maine-solar-winner-mexico
File name:ku56mNL.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:4'452'392 bytes
First seen:2025-07-01 07:30:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a466125a9d0f2613cec3e55975386798 (2 x QuasarRAT, 2 x Vidar, 2 x LummaStealer)
ssdeep 98304:URgFBmzmcKr30UzppOFCeH7LF6Rs2ffcKr30UzppOFCeH7LF6Rs2fF:UCBmvSRHzeH7LIZ8SRHzeH7LIZN
TLSH T12926231AB26563E9FD6B10B44050A1C4B9767A3AC2392FFF539093332F172C46E6E355
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
377
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
main.exe
Verdict:
Malicious activity
Analysis date:
2025-06-30 21:45:31 UTC
Tags:
python possible-phishing loader github remcos rat auto generic pastebin lumma stealer evasion screenconnect rmm-tool nanocore redline neshta snake keylogger dcrat koiloader phorpiex miner amadey botnet sality purelogs purecrypter formbook asyncrat remote masslogger aurotunstealer phantom pyinstaller telegram stealerium coinminer stealc clipper diamotrix ransomware sage aurotun
Link:
https://app.any.run/tasks/8a651d64-87a2-439f-866d-c2cb3bc40aea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/11782/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68638ed237c3436779482e74
Tags:
injection obfusc virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context fingerprint invalid-signature microsoft_visual_cc packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/68638ea3714e106cecb880c4/reports/7bf64fab-40f7-4545-82fa-b9af622d0ad8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9560ccb061e654db02a3f03e06c14a2c1bbe95d232917fc8f1b83270903d88a6
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5e616ad7-0417-451e-b77e-fa1f6d1055fb
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1726145
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9560ccb061e654db02a3f03e06c14a2c1bbe95d232917fc8f1b83270903d88a6
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/be18c77e5867bf04cd3a2e2545ef596b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9560ccb061e654db02a3f03e06c14a2c1bbe95d232917fc8f1b83270903d88a6/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/9560ccb061e654db02a3f03e06c14a2c1bbe95d232917fc8f1b83270903d88a6
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-06-30 22:37:35 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=svqmzmdb4zknwavd6a7anqkkfqn35fosgkix7shrxazhbeb5rcta._file
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:part3 discovery spyware trojan
Link:
https://tria.ge/reports/250701-jcjfeatjs6/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
127.0.0.1:4782
185.121.233.71:4782
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/08eed45d-5512-43a8-955b-efd71c2f5b35
Unpacked files
SH256 hash:
9560ccb061e654db02a3f03e06c14a2c1bbe95d232917fc8f1b83270903d88a6
MD5 hash:
be18c77e5867bf04cd3a2e2545ef596b
SHA1 hash:
8dcf20849899c76a5be211dfb513900fd363f37b
Link:
https://www.unpac.me/results/f76cd300-9478-4e3b-a2a2-447b9ec8d1ac/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9560ccb061e6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/9560ccb061e654db02a3f03e06c14a2c1bbe95d232917fc8f1b83270903d88a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 9560ccb061e654db02a3f03e06c14a2c1bbe95d232917fc8f1b83270903d88a6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3571426/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/11782/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExA

Comments