MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f8b05f57597f6a61089e954ea1c2dfa24f1a4a72c5a2ff883a9fabb1203f658. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f8b05f57597f6a61089e954ea1c2dfa24f1a4a72c5a2ff883a9fabb1203f658
SHA3-384 hash: d9dafe861c857ebf631f2d67173452ecfb92636c5caae5552b28789459a12c7b02a9a99f10cbf46becde88d34e778e8c
SHA1 hash: 7824fa51113506fb7626df22ea388280d547f101
MD5 hash: 3d9f03ca7ba50529c96cf32720d2ae16
humanhash: green-angel-lemon-steak
File name:realityengine.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:2'891'473 bytes
First seen:2025-09-06 06:22:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8b4d0760d426c9138154c52a7dcc4339 (5 x Rhadamanthys, 5 x HijackLoader, 2 x SheetRAT)
ssdeep 49152:3ANQQ/Nk5x3UGVgdHCLK3Pn6t3oJAVkBjTRQTdAViK8NCOIvRPVGtAPeq1X1w8/f:3xfxkxH/3P6tYRjTRWOJ84OmVl11w8/f
Threatray 61 similar samples on MalwareBazaar
TLSH T1AED5221AE7F815F4F573A6B88D625A12E7777C4903319A8F13AC695A2F23250CD3D322
TrID 92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.7% (.EXE) OS/2 Executable (generic) (2029/13)
0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
realityengine.exe
Verdict:
Suspicious activity
Analysis date:
2025-09-06 00:55:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3a24d698-2a74-4bdf-a31c-0a8519f56521

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/25948/
Detection(s):
Win.Dropper.Formbook-9852806-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68bb866c3e988eb6ab83eae9
Tags:
autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint formbook krypt microsoft_visual_cc overlay quasar
Link:
https://www.filescan.io/uploads/68bbd333fe1969faa8a70172/reports/09b8bceb-db03-42ee-a7b6-7a56712782eb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/9f8b05f57597f6a61089e954ea1c2dfa24f1a4a72c5a2ff883a9fabb1203f658
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-05T22:02:00Z UTC
Last seen:
2025-09-05T22:02:00Z UTC
Hits:
~10
Detections:
Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Quasar.gen Trojan-PSW.MSIL.Agent.sb Trojan.MSIL.Quasar.a PDM:Trojan.Win32.Tasker.cust PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/9f8b05f57597f6a61089e954ea1c2dfa24f1a4a72c5a2ff883a9fabb1203f658/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/952c3247-12e4-4082-99e0-3d9eb254ee1c
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1772234
Signature
Binary is likely a compiled AutoIt script file
Connects to many ports of the same IP (likely port scanning)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1772234 Sample: realityengine.exe Startdate: 06/09/2025 Architecture: WINDOWS Score: 100 39 ferjesus-64891.portmap.host 2->39 53 Found malware configuration 2->53 55 Multi AV Scanner detection for dropped file 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 4 other signatures 2->59 10 realityengine.exe 10 2->10         started        13 winUpdater24H2.exe 3 2->13         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\...\Hackmta.exe, PE32 10->33 dropped 35 C:\Users\user\...behaviorgraphH Injector - x64.exe, PE32+ 10->35 dropped 15 Hackmta.exe 5 10->15         started        19 GH Injector - x64.exe 10->19         started        process6 file7 37 C:\Windows\System32\...\winUpdater24H2.exe, PE32 15->37 dropped 43 Multi AV Scanner detection for dropped file 15->43 45 Drops executables to the windows directory (C:\Windows) and starts them 15->45 47 Uses schtasks.exe or at.exe to add and modify task schedules 15->47 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->49 21 winUpdater24H2.exe 2 15->21         started        25 schtasks.exe 1 15->25         started        51 Binary is likely a compiled AutoIt script file 19->51 signatures8 process9 dnsIp10 41 ferjesus-64891.portmap.host 193.161.193.99, 49693, 49694, 49695 BITREE-ASRU Russian Federation 21->41 61 Multi AV Scanner detection for dropped file 21->61 63 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->63 65 Installs a global keyboard hook 21->65 27 schtasks.exe 1 21->27         started        29 conhost.exe 25->29         started        signatures11 process12 process13 31 conhost.exe 27->31         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9f8b05f57597f6a61089e954ea1c2dfa24f1a4a72c5a2ff883a9fabb1203f658
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/3d9f03ca7ba50529c96cf32720d2ae16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f8b05f57597f6a61089e954ea1c2dfa24f1a4a72c5a2ff883a9fabb1203f658/
Verdict:
Malicious
Threat:
Trojan.MSIL.Quasar
Link:
https://tip.neiki.dev/file/9f8b05f57597f6a61089e954ea1c2dfa24f1a4a72c5a2ff883a9fabb1203f658
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-09-06 00:55:10 UTC
File Type:
PE+ (Exe)
Extracted files:
49
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t6fql5lvs73kmeej5fkouhbn7ispdjfhfrnc76edvh5lweqd6zma._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
62e2c7d860a0e3e0975c5b9da5193f9ab3ca6c56ef4eea46d17cc87ac4598b90
QuasarRAT
a1598314ea680183e6630630e06d6784173bbf32bd895eaf3882d585e22609cb
QuasarRAT
bf2ef5b129882d9a508c72a6afefede8ca7de3db89e5b3754ca8c470e27122ba
QuasarRAT
e553c34b8aabb6ad42dfdb8a77759b32c6c035f2fc82618eefa2261c71dee761
QuasarRAT
eb72d6dd2158ce9ad453f8ecfd5d6900cce588c196ae5806268cbaf3475848da
QuasarRAT
error
QuasarRAT
+ 51 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
execution persistence upx
Link:
https://tria.ge/reports/250906-g49qkahr9v/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
AutoIT Executable
Drops file in System32 directory
UPX packed file
Checks computer location settings
Executes dropped EXE
Verdict:
Malicious
Tags:
Win.Dropper.Formbook-9852806-0
YARA:
n/a
Link:
https://app.threat.zone/submission/01684694-a379-450f-abbd-b08890b5c385
Unpacked files
SH256 hash:
9f8b05f57597f6a61089e954ea1c2dfa24f1a4a72c5a2ff883a9fabb1203f658
MD5 hash:
3d9f03ca7ba50529c96cf32720d2ae16
SHA1 hash:
7824fa51113506fb7626df22ea388280d547f101
Link:
https://www.unpac.me/results/796bb646-32c7-4719-a678-177b814c6ede/
SH256 hash:
fb3315d01942a69b2fe2380e1b2123f4fee7abe25753195f1e53ad1bb3f39d4d
MD5 hash:
20e63dfb13aa095fd354e5ea17e023ea
SHA1 hash:
870bb5b70d24bf8c96ff97cfa989672dab08be97
Detections:
INDICATOR_EXE_Packed_Fody
Create hunting rule
Link:
https://www.unpac.me/results/796bb646-32c7-4719-a678-177b814c6ede/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f8b05f57597f6a61089e954ea1c2dfa24f1a4a72c5a2ff883a9fabb1203f658

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/25948/

Comments