MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fc57c6c1e344cdda502eba5ce23b69c6c56f0a4124c2a1fca3ac067ca5f74c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 21


Intelligence 21 IOCs YARA 34 File information Comments

SHA256 hash: 9fc57c6c1e344cdda502eba5ce23b69c6c56f0a4124c2a1fca3ac067ca5f74c0
SHA3-384 hash: b1cd4df77c2279224ba7a3c3fd812e926ed82654de44f73b0b4793df60bcff956481a68988db5e5e45ac3f6f4aa035a2
SHA1 hash: 8d53af15d6cbb1f355ce090581e399d67e358598
MD5 hash: 3a4d57fa2cb647a83891cd1cb1ba1461
humanhash: washington-cup-angel-lamp
File name:robloxpas.exe
Download: download sample
Signature QuasarRAT
File size:3'392'000 bytes
First seen:2026-02-02 02:25:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'097 x AgentTesla, 20'115 x Formbook, 12'356 x SnakeKeylogger)
ssdeep 49152:AvyI22SsaNYfdPBldt698dBcjHbEmOmzU8oGdDTHHB72eh2NT:Avf22SsaNYfdPBldt6+dBcjHbEmf
Threatray 2'074 similar samples on MalwareBazaar
TLSH T1BCF55A1477F85E62E16BD3B3D5F0542363F0F82AF3A3EB0B5191667A1C93B4098426A7
TrID 58.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
13.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.4% (.EXE) Win64 Executable (generic) (10522/11/4)
5.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon 7c74646c6464646c (2 x QuasarRAT)
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
QuasarRAT C2:
193.161.193.99:51272

Intelligence


File Origin
# of uploads :
1
# of downloads :
199
Origin country :
NL NL
Vendor Threat Intelligence
Gathering data
Malware family:
ID:
1
File name:
robloxpas.exe
Verdict:
Malicious activity
Analysis date:
2026-02-02 02:06:01 UTC
Tags:
auto-reg quasar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
infosteal autorun quasar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 base64 bladabindi certreq expand explorer fingerprint infostealer lolbin obfuscated obfuscated packed quasar reconnaissance runonce schtasks stealer tiger unsafe vbnet windows zusy
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-02-01T23:08:00Z UTC
Last seen:
2026-02-02T01:35:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.MSIL.Quasar.gen Backdoor.MSIL.Crysan.a PDM:Trojan.Win32.Generic Trojan-PSW.MSIL.Agent.sb HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Trojan.MSIL.NetWire.gen Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Quasar.sb Trojan.MSIL.Quasar.a PDM:Trojan.Win32.Tasker.cust
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files to the user root directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Quasar RAT
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1861387 Sample: robloxpas.exe Startdate: 02/02/2026 Architecture: WINDOWS Score: 100 56 yoenacevedo7-51272.portmap.host 2->56 58 ipwho.is 2->58 60 bg.microsoft.map.fastly.net 2->60 68 Suricata IDS alerts for network traffic 2->68 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 8 other signatures 2->74 10 robloxpas.exe 3 6 2->10         started        14 Client.exe 3 2->14         started        signatures3 process4 file5 52 C:\Users\user\roblox password.exe, PE32 10->52 dropped 54 C:\Users\user\AppData\...\robloxpas.exe.log, CSV 10->54 dropped 82 Drops PE files to the user root directory 10->82 16 roblox password.exe 5 10->16         started        20 notepad.exe 5 10->20         started        signatures6 process7 file8 48 C:\Users\user\AppData\Roaming\...\Client.exe, PE32 16->48 dropped 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->66 22 Client.exe 14 4 16->22         started        27 schtasks.exe 1 16->27         started        signatures9 process10 dnsIp11 62 yoenacevedo7-51272.portmap.host 193.161.193.99, 49690, 51272 BITREE-ASRU Russian Federation 22->62 64 ipwho.is 15.204.213.5, 443, 49696 HP-INTERNET-ASUS United States 22->64 50 C:\Users\user\AppData\...\CVEbkGLkJzOs.bat, DOS 22->50 dropped 76 Antivirus detection for dropped file 22->76 78 Multi AV Scanner detection for dropped file 22->78 80 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->80 29 cmd.exe 1 22->29         started        32 schtasks.exe 1 22->32         started        34 schtasks.exe 1 22->34         started        36 conhost.exe 27->36         started        file12 signatures13 process14 signatures15 84 Uses ping.exe to sleep 29->84 86 Uses ping.exe to check the status of other devices and networks 29->86 38 conhost.exe 29->38         started        40 chcp.com 1 29->40         started        42 PING.EXE 29->42         started        44 conhost.exe 32->44         started        46 conhost.exe 34->46         started        process16
Verdict:
QuasarRat
YARA:
14 match(es)
Tags:
.Net AsyncRAT Executable Malicious Managed .NET PE (Portable Executable) PE File Layout QuasarRat RAT SOS: 0.24 SOS: 0.31 Win 32 Exe x86
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2026-02-02 02:25:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:quasar botnet:office04 discovery execution persistence ransomware spyware trojan
Behaviour
Modifies registry class
Opens file in notepad (likely ransom note)
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Checks computer location settings
Executes dropped EXE
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
yoenacevedo7-51272.portmap.host:51272
Unpacked files
SH256 hash:
9fc57c6c1e344cdda502eba5ce23b69c6c56f0a4124c2a1fca3ac067ca5f74c0
MD5 hash:
3a4d57fa2cb647a83891cd1cb1ba1461
SHA1 hash:
8d53af15d6cbb1f355ce090581e399d67e358598
Detections:
win_asyncrat_w0 QuasarRAT cn_utf8_windows_terminal malware_windows_xrat_quasarrat MAL_QuasarRAT_May19_1 win_quasarrat_j2 asyncrat win_quasar_rat_client INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_GENInfoStealer INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_QuasarStealer
SH256 hash:
2691103939ec9e8deeb0e6b9b5c694213264903a534febfbd7ab9ac9076947e4
MD5 hash:
4de616b56ec6bf9f867d58c9ce4fc060
SHA1 hash:
f1b9e73165ec1f873100575f3cd9e379283207d9
Detections:
QuasarRAT cn_utf8_windows_terminal malware_windows_xrat_quasarrat MAL_QuasarRAT_May19_1 win_quasarrat_j2 win_quasar_rat_client INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_GENInfoStealer INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_QuasarStealer
Malware family:
QuasarRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:BLOWFISH_Constants
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:Lumma_Stealer_Detection
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:malware_asyncrat
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:malware_asyncrat
Description:detect AsyncRat in memory
Reference:https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp
Rule name:MALWARE_Win_QuasarStealer
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MAL_QuasarRAT_May19_1
Description:Detects QuasarRAT malware
Rule name:MAL_QuasarRAT_May19_1
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Multifamily_RAT_Detection
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:quasarrat
Author:jeFF0Falltrades
Rule name:quasarrat_kingrat
Author:jeFF0Falltrades
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RC6_Constants
Author:chort (@chort0)
Description:Look for RC6 magic constants in binary
Reference:https://twitter.com/mikko/status/417620511397400576
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_All_Windows_PE_Malware
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Windows_Generic_Threat_803feff4
Author:Elastic Security
Rule name:win_asyncrat_w0
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:win_quasar_rat_client
Author:Matthew @ Embee_Research
Description:Detects strings present in Quasar Rat Samples.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments