MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b018f68690323664a620a8e68fde297268218cf648d3575562d4e0cb689b6fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 23 File information Comments

SHA256 hash:	9b018f68690323664a620a8e68fde297268218cf648d3575562d4e0cb689b6fd
SHA3-384 hash:	3d0f1fc6e335a5034fb2bce2660aa1521c7167c8d7bb96a982087896d7be09fc83da5081d953cfa65853450741ac875b
SHA1 hash:	95c80db9a5befbd95a9af29166fa8ccd71afc9f6
MD5 hash:	553eb6d6620cb84713f2958fceb05f0b
humanhash:	gee-four-ten-fourteen
File name:	file
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	18'124'288 bytes
First seen:	2026-01-29 18:19:18 UTC
Last seen:	2026-01-29 18:56:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	196608:YP2op6fHR6QqOyjr2LF3Ye6YmnwqdU142Ua4jzy8DR:m6fHR1cjSLFoBYmn5U1PuTD
TLSH	T1F407AF02ABE88F2AD0BF47B1A47150145BF1E8966756DA49358CF1BA3B237007B1637F
TrID	72.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.3% (.EXE) Win64 Executable (generic) (10522/11/4) 4.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.4% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 QuasarRAT

Bitsight

url: http://130.12.180.43/files/7019456639/KNCV6E4.exe

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

file

Verdict:

Suspicious activity

Analysis date:

2026-01-29 18:20:55 UTC

Tags:

evasion

Link:

https://app.any.run/tasks/b8669ce8-fa2b-47c3-8cce-8a35550e6ba4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

Win.Packed.Msilperseus-9956592-0

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=697ba4b56fa3eed165304e34

Tags:

vmdetect quasar

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Connection attempt

Creating a window

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/9b018f68690323664a620a8e68fde297268218cf648d3575562d4e0cb689b6fd

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-29T15:30:00Z UTC

Last seen:

2026-01-30T12:53:00Z UTC

Hits:

~100

Detections:

HEUR:Exploit.MSIL.BypassUAC.c Backdoor.MSIL.Crysan.d

Link:

https://opentip.kaspersky.com/9b018f68690323664a620a8e68fde297268218cf648d3575562d4e0cb689b6fd/results?tab=lookup

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9b018f68690323664a620a8e68fde297268218cf648d3575562d4e0cb689b6fd

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9b018f68690323664a620a8e68fde297268218cf648d3575562d4e0cb689b6fd/

Verdict:

Malicious

Threat:

Family.DEEPSEAOBFUSCATOR

Link:

https://tip.neiki.dev/file/9b018f68690323664a620a8e68fde297268218cf648d3575562d4e0cb689b6fd

Threat name:

ByteCode-MSIL.Infostealer.ClipBanker

Status:

Malicious

First seen:

2026-01-29 18:20:48 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 36 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tmay62djamrwmstcbkhgr7pcs4tieggpmsgtk5kwfvhaznujw36q._file

Result

Malware family:

n/a

Score:

6/10

Tags:

defense_evasion

Link:

https://tria.ge/reports/260129-wyc7qsby7d/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Unpacked files

SH256 hash:

9b018f68690323664a620a8e68fde297268218cf648d3575562d4e0cb689b6fd

MD5 hash:

553eb6d6620cb84713f2958fceb05f0b

SHA1 hash:

95c80db9a5befbd95a9af29166fa8ccd71afc9f6

Link:

https://www.unpac.me/results/a2a1c071-08f6-49ae-8831-dbca8bff1ea8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9b018f686903/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9b018f68690323664a620a8e68fde297268218cf648d3575562d4e0cb689b6fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	Jupyter_infostealer Create hunting rule
Author:	CD_R0M_
Description:	Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	@SOCRadar
Description:	Detects Quasar RAT

Rule name:	Quasar_RAT_1_RID2B54 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Rooter Create hunting rule
Author:	Seth Hardy
Description:	Rooter

Rule name:	RooterStrings Create hunting rule
Author:	Seth Hardy
Description:	Rooter Identifying Strings

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_All_Windows_PE_Malware Create hunting rule
Author:	DiegoAnalytics
Description:	Detects Windows PE malware of all types, avoids non-executables like .html

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

exe 9b018f68690323664a620a8e68fde297268218cf648d3575562d4e0cb689b6fd

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

Dropped by

Amadey

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/50716/

URLhaus

https://urlhaus.abuse.ch/url/3765727/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample