MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a46bec2031259cff4135b985d533e9c0bdb175603d61f031c227103bbb002a7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 21


Intelligence 21 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a46bec2031259cff4135b985d533e9c0bdb175603d61f031c227103bbb002a7b
SHA3-384 hash: 4327972ea0f35963af02f00f7433ba23a1ac1825ee25d15ce9bd0fd8870b12001bd834fa997eec25718f15df51c847d5
SHA1 hash: 072633870bcb7b5f76eaad74a0a31ceb54038c11
MD5 hash: 905426cbc53f5a127addb0352997e974
humanhash: lactose-may-mars-ceiling
File name:WORDS.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:4'154'880 bytes
First seen:2026-02-25 20:55:51 UTC
Last seen:2026-02-25 21:32:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'817 x AgentTesla, 19'740 x Formbook, 12'286 x SnakeKeylogger)
ssdeep 98304:vjcADthjqXlbIaYs3da4986oss7ZE6bA2WmPIuQVsrb3h9LnXoSr:bbDthjkkaL3dae8TfEQopVsrLjYS
TLSH T1C31633682200C202C419567D95B1F7B8037C8DFFA911E227CFD4BCB7BABAB251E59257
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
QuasarRAT C2:
91.92.241.145:9792

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.92.241.145:9792 https://threatfox.abuse.ch/ioc/1742141/

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/48fa1cac-1a62-4acf-94f4-d3348936f7c5/
Malware family:
quasar
Create hunting rule
ID:
1
File name:
_a46bec2031259cff4135b985d533e9c0bdb175603d61f031c227103bbb002a7b.exe
Verdict:
Malicious activity
Analysis date:
2026-02-25 20:57:05 UTC
Tags:
auto-reg quasar
Link:
https://app.any.run/tasks/8e9bca96-56af-4cc7-af17-846dda8fd9db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/54593/
Detection(s):
SecuriteInfo.com.Trojan.Siggen32.26825.22863.31482.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699f61f6c950ab5d9ab1a231
Tags:
remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
krypt obfuscated packed
Link:
https://www.filescan.io/uploads/699f61f497feb4afd65afc31/reports/3fc83432-67f7-423d-ad0f-ab7e6350c9f8/overview
Verdict:
Malicious
Labled as:
MSIL/GenKryptik_AGeneric.BVE trojan
Link:
https://www.hybrid-analysis.com/sample/a46bec2031259cff4135b985d533e9c0bdb175603d61f031c227103bbb002a7b
Verdict:
Malicious
File Type:
exe x32
Detections:
PDM:Trojan.Win32.Generic HEUR:Backdoor.MSIL.Remcos.gen PDM:Trojan.Win32.Tasker.cust
Link:
https://opentip.kaspersky.com/a46bec2031259cff4135b985d533e9c0bdb175603d61f031c227103bbb002a7b/results?tab=lookup
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/03c9f336-def9-4112-9129-86f4f91b7560
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1875023
Signature
.NET source code contains potential unpacker
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1875023 Sample: WORDS.exe Startdate: 25/02/2026 Architecture: WINDOWS Score: 100 40 twart.myfirewall.org 2->40 42 ipwho.is 2->42 50 Suricata IDS alerts for network traffic 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 5 other signatures 2->56 11 WORDS.exe 3 2->11         started        14 Notepadbook.exe 2 2->14         started        signatures3 process4 signatures5 58 Uses schtasks.exe or at.exe to add and modify task schedules 11->58 16 WORDS.exe 4 11->16         started        60 Injects a PE file into a foreign processes 14->60 20 Notepadbook.exe 2 14->20         started        22 Notepadbook.exe 14->22         started        process6 file7 38 C:\Users\user\AppData\...38otepadbook.exe, PE32 16->38 dropped 48 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->48 24 Notepadbook.exe 3 16->24         started        26 schtasks.exe 1 16->26         started        signatures8 process9 process10 28 Notepadbook.exe 15 2 24->28         started        32 conhost.exe 26->32         started        dnsIp11 44 twart.myfirewall.org 91.92.241.145, 49693, 9792 THEZONEBG Bulgaria 28->44 46 ipwho.is 104.20.44.133, 443, 49696 CLOUDFLARENETUS United States 28->46 62 Installs new ROOT certificates 28->62 64 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->64 66 Installs a global keyboard hook 28->66 34 schtasks.exe 1 28->34         started        signatures12 process13 process14 36 conhost.exe 34->36         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a46bec2031259cff4135b985d533e9c0bdb175603d61f031c227103bbb002a7b
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.14 Win 32 Exe x86
Link:
https://app.malva.re/file/905426cbc53f5a127addb0352997e974
Detection:
quasar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a46bec2031259cff4135b985d533e9c0bdb175603d61f031c227103bbb002a7b/
Verdict:
Malicious
Threat:
Family.QUASARRAT
Link:
https://tip.neiki.dev/file/a46bec2031259cff4135b985d533e9c0bdb175603d61f031c227103bbb002a7b
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2026-02-25 20:56:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=urv6yibrewop6qjvxgc5km7jyc63c5lahvq7amoce4idxoyafj5q._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
error
QuasarRAT
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:spain2 discovery execution persistence spyware trojan
Link:
https://tria.ge/reports/260225-zq55bsfx7g/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
twart.myfirewall.org:9792
rency.ydns.eu:5287
wqo9.firewall-gateway.de:8841
code1.ydns.eu:5287
wqo9.firewall-gateway.de:9792
Unpacked files
SH256 hash:
51c9d562e54c1db3b9ff9329eddda0e92e77043a4849183c5acf8bc142b40490
MD5 hash:
de0d1de886e25d7eb0a6581d46d177f4
SHA1 hash:
9a012667475a0ed6c4f0e8dbfbafbffc35a172ef
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/1b773e73-421b-4567-ba3c-fefb9289f0e7/
SH256 hash:
7e1ad413becb342eab79a517ed8a986d01ef6234248f837b5cce16df255cfcd5
MD5 hash:
fe6918a61784ffe8063e996735293a1e
SHA1 hash:
d4c22969c56656ac95227680eb1fe8d7d7d55bd8
Link:
https://www.unpac.me/results/1b773e73-421b-4567-ba3c-fefb9289f0e7/
SH256 hash:
286a1147424919ea410d54c1a8ba3c34a84183d483f3a4f4ad633aa85b35d1e8
MD5 hash:
46d54844306e6b43f04bfe4825ae87e1
SHA1 hash:
f26fc10c91c0bc589424560a38df41a768811257
Detections:
QuasarRAT
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
win_quasarrat_j2
Create hunting rule
win_quasar_rat_client
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_QuasarStealer
Create hunting rule
Link:
https://www.unpac.me/results/1b773e73-421b-4567-ba3c-fefb9289f0e7/
Parent samples :
286a1147424919ea410d54c1a8ba3c34a84183d483f3a4f4ad633aa85b35d1e8
e53905be786890e707d3afe844cbb853b3b5db4f52768df923ac867a2659c3b1
83c68b7f1cc15001fc5888f47553d8fbd3573dc8b83327ff778f63e7c5d3f079
4173909d6790cfde1cb60988ad573f014cf71b6bd7fe5ebc26a5284a429748c9
f2ddf3189b83629d36697f9337fbacdad5106024aeafb853f46e8f43042899bb
53aefcb31cf737d2af9779bea562b358bb08c876bb68fbe5614c1084decb6728
a46bec2031259cff4135b985d533e9c0bdb175603d61f031c227103bbb002a7b
SH256 hash:
a46bec2031259cff4135b985d533e9c0bdb175603d61f031c227103bbb002a7b
MD5 hash:
905426cbc53f5a127addb0352997e974
SHA1 hash:
072633870bcb7b5f76eaad74a0a31ceb54038c11
Link:
https://www.unpac.me/results/1b773e73-421b-4567-ba3c-fefb9289f0e7/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a46bec203125/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/a46bec2031259cff4135b985d533e9c0bdb175603d61f031c227103bbb002a7b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe a46bec2031259cff4135b985d533e9c0bdb175603d61f031c227103bbb002a7b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3679147/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/54593/

Comments