MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8db212713ae89c65692675a67f7ed7a9309b714d62f22f78286a075ff8bc52a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 16

SHA256 hash: a8db212713ae89c65692675a67f7ed7a9309b714d62f22f78286a075ff8bc52a
SHA3-384 hash: f4ba858982c79e5bb56773844579e272bb62324486f36d5f7574f5ed1b122a97efcd616714073c6161817900b47101e0
SHA1 hash: 6c85b4edf6314d3ee97f10ca0b62b56886a0844c
MD5 hash: 771c31943b093ac46b296f13950a2a2f
humanhash: may-zebra-beryllium-florida
File name: a8db212713ae89c65692675a67f7ed7a9309b714d62f2.exe
Signature: QuasarRAT
File size: 7'497'291 bytes
First seen: 2026-04-13 06:00:14 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ac4ded70f85ef621e5f8917b250855be (82 x OffLoader, 7 x Gh0stRAT, 6 x Tofsee)
ssdeep: 98304:bN66afZNwtZ+/tieRA6zYlk9Hdin05TzAtS17IFQHlqzVVFf6jm:7+ZNwD+/tiqRqeHw05Tz2W7IFXz32
TLSH: T1E4761237B28A633EE06E5B374AB2D6105D3B7A21A55F8C52D6E40C4CDF290A01E7F647
TrID: 63.8% (.EXE) Inno Setup installer (107240/4/30)
      24.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      3.8% (.EXE) Win64 Executable (generic) (6522/11/2)
      2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
dhash icon: f2f2f0fcfcfcfcf8 (1 x OffLoader, 1 x QuasarRAT)
Reporter: abuse_ch
Tags: exe QuasarRAT RAT


abuse_ch
QuasarRAT C2:
196.251.107.245:222

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
196.251.107.245:222 | https://threatfox.abuse.ch/ioc/1774803/

Intelligence


File Origin
# of uploads: 1
# of downloads: 150
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: a8db212713ae89c65692675a67f7ed7a9309b714d62f2.exe
Verdict: Malicious activity
Analysis date: 2026-04-13 06:02:32 UTC
Tags: delphi inno installer sainbox rat evasion quasar remote upx

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: injection dropper virus
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-debug embarcadero_delphi fingerprint inno installer installer installer-heuristic packed soft-404 unsafe
Verdict: Malicious
File Type: exe x32
First seen: 2026-04-08T09:10:00Z UTC
Last seen: 2026-04-11T09:41:00Z UTC
Hits: ~100
Detections: Trojan.Agent.UDP.ServerRequest Trojan.Win32.Agent.xcdkne
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Unusual module load detection (module proxying)
Yara detected Quasar RAT
Behaviour
Behavior Graph (ID 1897171; sample a8db212713ae89c65692675a67f...; start date 13/04/2026; architecture WINDOWS; score 100). Information recoverable from the graph:
Network: yxarwcrrtsomhn4gvxz9idp55mvej8pyrzngordheiwmcsordc6tvbms.com; shed.dual-low.part-0012.t-0009.t-msedge.net; 9 other IPs or domains; 196.251.107.245:222 (ANGANI-ASKE, Seychelles); ipwho.is 104.20.44.133:443 (CLOUDFLARENETUS, United States)
Processes started: a8db212713ae89c65692675a67f7ed7a9309b714d62f2.exe; a8db212713ae89c65692675a67f7ed7a9309b714d62f2.tmp; GDFwAdmin.exe; WerFault.exe
Files dropped: a8db212713ae89c656...7a9309b714d62f2.tmp (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32); C:\ProgramData\...\is-LMNBFMQCXZ.tmp (PE32); 5 other malicious files
Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook; Unusual module load detection (module proxying)
Threat name: Win32.Trojan.Qwexlafiba
Status: Malicious
First seen: 2026-04-11 00:59:06 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 13 of 24 (54.17%)
Threat level: 5/5
Verdict: malicious
Label(s): shellcode_loader_008
Result
Malware family:
Score: 10/10
Tags: family:quasar botnet:builds defense_evasion discovery installer privilege_escalation spyware trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Access Token Manipulation: Create Process with Token
Enumerates physical storage devices
System Location Discovery: System Language Discovery
UPX packed file
Looks up external IP address via web service
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction: 196.251.107.245:222
Unpacked files
SHA256 hash: a8db212713ae89c65692675a67f7ed7a9309b714d62f22f78286a075ff8bc52a
MD5 hash: 771c31943b093ac46b296f13950a2a2f
SHA1 hash: 6c85b4edf6314d3ee97f10ca0b62b56886a0844c

SHA256 hash: b0e760b8fb74b90962da76762a87dc547c72636222a668be7c945075cfc9596b
MD5 hash: 2092ec5e9b9c4cfc5acc854d6ef354c3
SHA1 hash: c11f0e4c03779e7006f8b9cdd89fdb68669d81eb

SHA256 hash: 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash: e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash: 019cd56ba687d39d12d4b13991c9a42ea6ba03da
Malware family: QuasarRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: pe_detect_tls_callbacks

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments