MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a92496d47628f8ca944290ddf8d791b2cf5f7858397afcff4b609908aaf1fce6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 19

Intelligence 19 IOCs YARA 2 File information Comments

SHA256 hash:	a92496d47628f8ca944290ddf8d791b2cf5f7858397afcff4b609908aaf1fce6
SHA3-384 hash:	6b36f6f5e2ff8cbeccfd494b63e3f4e2b83d335ed571dd1b7d7d8fdf3a3d83912bb4f1c94282a11ed4b24256182dca56
SHA1 hash:	1101fc64a487c24ef1e4131a7475063a6341b919
MD5 hash:	ce094dfe85ae5a14d6c4640724ee1d9e
humanhash:	oklahoma-nebraska-virginia-xray
File name:	file
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	5'013'504 bytes
First seen:	2025-11-06 21:29:06 UTC
Last seen:	2025-11-06 21:40:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	98304:yF4N6nRGSiq9QY9hwmeCBBcFZ8q1bFWvM7SkK5IZekwZhsCtx:JKGvq9QuwmeCBBcTjcMVZ3EhD
TLSH	T17F362346E117D08FD41410709E2E8EBE40393F2BDDA32A16727839E5B1752D258A7FEB
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 QuasarRAT

Bitsight

url: http://178.16.54.200/files/1781548144/PEC68GW.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

http://178.16.54.200:80/testmine/random.exe

Verdict:

Malicious activity

Analysis date:

2025-11-06 21:27:05 UTC

Tags:

auto redline stealer amadey botnet rdp autoit loader stealc vidar generic purelogs evasion purecrypter remote xworm gcleaner miner ms-smartcard winring0-sys vuln-driver ip-check rust inno installer delphi rhadamanthys

Link:

https://app.any.run/tasks/5b222ff0-8501-4468-88f2-a2d7d002ff40

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

R77

Link:

https://www.capesandbox.com/analysis/36390/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690d13313afb53888cc91a5e

Tags:

vmdetect autorun quasar

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Creating a window

Using the Windows Management Instrumentation requests

DNS request

Creating a file in the %AppData% subdirectories

Launching a process

Connection attempt

Sending an HTTP GET request

Creating a process with a hidden window

Running batch commands

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Forced shutdown of a system process

Enabling autorun by creating a file

Adding an exclusion to Microsoft Defender

Unauthorized injection to a system process

Using obfuscated Powershell scripts

Gathering data

Verdict:

Malicious

Labled as:

Jalapeno.Generic

Link:

https://www.hybrid-analysis.com/sample/a92496d47628f8ca944290ddf8d791b2cf5f7858397afcff4b609908aaf1fce6

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-06T18:39:00Z UTC

Last seen:

2025-11-06T19:50:00Z UTC

Hits:

~100

Detections:

Trojan.Win32.Agent.sb HEUR:Trojan.Win32.Generic HEUR:Backdoor.MSIL.XClient.b PDM:Trojan.Win32.Tasker.cust Trojan-Banker.Win32.Express.sb Trojan.Win32.Vimditator.sb HEUR:Trojan-Banker.MSIL.ClipBanker.gen HEUR:Trojan.Win32.Agent.pef Backdoor.MSIL.XWorm.b Backdoor.MSIL.XWorm.a Trojan-PSW.MSIL.Agent.sb Trojan.Win32.Agent.rnd Trojan.MSIL.Quasar.a Trojan.MSIL.Agent.sb Trojan.MSIL.Quasar.feb HEUR:Trojan.Win32.Miner.pef Trojan-Dropper.Win32.Agent.sb Trojan.MSIL.Quasar.fea HEUR:Trojan.MSIL.APosT.gen Backdoor.MSIL.Crysan.d Backdoor.Agent.TCP.C&C PDM:Trojan.Win32.Generic Trojan-Dropper.Win32.Injector.sb Trojan.MSIL.DOTHETUK.sb HEUR:Trojan.MSIL.Agent.gen HEUR:Trojan.Multi.Agent.gen HEUR:Backdoor.MSIL.XWorm.gen Backdoor.Win32.Androm RiskTool.BitCoinMiner.UDP.C&C RiskTool.Miner.UDP.C&C

Link:

https://opentip.kaspersky.com/a92496d47628f8ca944290ddf8d791b2cf5f7858397afcff4b609908aaf1fce6/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/aeda77c5-e2bf-43e7-b68d-b7733ca8dc50

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a92496d47628f8ca944290ddf8d791b2cf5f7858397afcff4b609908aaf1fce6

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.18 Win 32 Exe x86

Link:

https://app.malva.re/file/ce094dfe85ae5a14d6c4640724ee1d9e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a92496d47628f8ca944290ddf8d791b2cf5f7858397afcff4b609908aaf1fce6/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/a92496d47628f8ca944290ddf8d791b2cf5f7858397afcff4b609908aaf1fce6

Threat name:

ByteCode-MSIL.Spyware.AsyncRAT

Status:

Malicious

First seen:

2025-11-06 21:30:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vesjnvdwfd4mvfccsdo7rv4rwlhv66cyhf5pz72lmcmqrkxr7tta._file

Verdict:

malicious

Label(s):

quasarrat

unc_loader_055

xworm

Similar samples:

error

QuasarRAT

Result

Malware family:

xworm

Score:

10/10

Tags:

family:quasar family:xmrig family:xworm defense_evasion discovery execution miner persistence rat spyware trojan upx

Link:

https://tria.ge/reports/251106-1b2n2atrdn/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Delays execution with timeout.exe

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

UPX packed file

Adds Run key to start application

Looks up external IP address via web service

Power Settings

Checks BIOS information in registry

Checks computer location settings

Creates new service(s)

Executes dropped EXE

Stops running service(s)

Command and Scripting Interpreter: PowerShell

XMRig Miner payload

Detect Xworm Payload

Quasar RAT

Quasar family

Quasar payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Xmrig family

Xworm

Xworm family

xmrig

Malware Config

C2 Extraction:

176.160.157.96:8887
uchiwa5.duckdns.org:8887

Verdict:

Malicious

Tags:

External_IP_Lookup

YARA:

n/a

Link:

https://app.threat.zone/submission/eef4f08a-b9b4-4c71-ae4b-96c8c9171f3c

Unpacked files

SH256 hash:

a92496d47628f8ca944290ddf8d791b2cf5f7858397afcff4b609908aaf1fce6

MD5 hash:

ce094dfe85ae5a14d6c4640724ee1d9e

SHA1 hash:

1101fc64a487c24ef1e4131a7475063a6341b919

Link:

https://www.unpac.me/results/fa11c715-ee5e-4129-a7bc-b12df3559d66/

SH256 hash:

5fab987971f3d73bb5046e369273fc3082aecd8585610f24346ed49416807200

MD5 hash:

32483827006de777513d9bb010da7111

SHA1 hash:

ae0f5359d4f0baa7594ddd69619ac27c3613ef7d

Detections:

win_xworm_w0

XWorm

win_xworm_bytestring

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/fa11c715-ee5e-4129-a7bc-b12df3559d66/

SH256 hash:

d6966099c5998c8fdabf3f7f435856b469a1cefd4c8f8362c2dceebe7dd31c94

MD5 hash:

8001a5a10f6f71e5b93703afad23f8aa

SHA1 hash:

bb3350de5a04c8c48efdb9e7ebeb30826c37ce9a

Link:

https://www.unpac.me/results/fa11c715-ee5e-4129-a7bc-b12df3559d66/

SH256 hash:

693b25c4719ec2f04971a8fb918a01e8326ec1a9f7d64f95055ff962f3e34ebe

MD5 hash:

aa315a29c0495c595c5da9dfa35554e9

SHA1 hash:

5067f431a2466b5d2268d1b1556f20f9f31f7267

Link:

https://www.unpac.me/results/fa11c715-ee5e-4129-a7bc-b12df3559d66/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a92496d47628/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a92496d47628f8ca944290ddf8d791b2cf5f7858397afcff4b609908aaf1fce6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

exe a92496d47628f8ca944290ddf8d791b2cf5f7858397afcff4b609908aaf1fce6

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/36390/

URLhaus

https://urlhaus.abuse.ch/url/3698444/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample