MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a93a1a1329d86384295dd87e4a5b4595afcfd8259ee43290416623fd17949769. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a93a1a1329d86384295dd87e4a5b4595afcfd8259ee43290416623fd17949769
SHA3-384 hash: b3ca8722e30a91809508ab7948886ee8185e440bc0923eb0ce576bf78869d1e5e490eb3173ef63c078ddcf102f0931ab
SHA1 hash: ff7ffd7b2729784370b7122eeef58776b07ce546
MD5 hash: 534239a3c86b8ffb0bef0cc777661d06
humanhash: mirror-beer-finch-mars
File name:534239A3C86B8FFB0BEF0CC777661D06.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:494'080 bytes
First seen:2026-03-01 08:15:19 UTC
Last seen:2026-03-01 09:46:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d68d50e561120d9fc7c0080f8c51969a (1 x QuasarRAT)
ssdeep 12288:/ftnDqWGPKxyMn9Ad9uc4IvCPTyRIcUqi5Tty904L:tD3GyxyMn9S9uxuqXqi5JyB
TLSH T114B423C6B3155985D07563721C3B839418287C72DA6043F236EEF737AE36B24A5EFA12
TrID 52.9% (.EXE) Win32 Executable (generic) (4504/4/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
QuasarRAT C2:
http://cheapeboobler.cc:8080/updater?for=97B7721C4994E2556FF6A439510F665D

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://cheapeboobler.cc:8080/updater?for=97B7721C4994E2556FF6A439510F665D https://threatfox.abuse.ch/ioc/1756099/

Intelligence

File Origin
# of uploads :
2
# of downloads :
165
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
Archives PEPacker Vidar
Details
Archives
an extracted Cabinet archive from the resources and SFX parameters
PEPacker
an unpacked component
Vidar
c2 urls, useragents, c2 handshake magic parameters, a version, and a missionid
Link:
https://research.acce.ciphertechsolutions.com/results/75767d99-e6d2-4031-94f9-715693ac2137/
Malware family:
vidar
Create hunting rule
ID:
1
File name:
_0b619104205152fa5d574ee6228d070b89c00296beecc681ac9b5d847ce36e5c.exe
Verdict:
Malicious activity
Analysis date:
2026-02-24 08:39:32 UTC
Tags:
gcleaner loader auto-startup inno installer stealer stealc vidar delphi anti-evasion auto-reg xor-url generic golang kamasers botnet auto
Link:
https://app.any.run/tasks/7b085532-a051-4e3c-b77d-b17e09b5d4e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/55049/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader48.46929.18217.31579.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a3f59fc950ab5d9ab2ce50
Tags:
ransomware obfuscated dridex trojan
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
amadey explorer installer installer lolbin mpress net obfuscated packed packed packed protection_plus_wrapper sfx
Link:
https://www.filescan.io/uploads/69a3f59a97feb4afd6624eb2/reports/20d44441-ec31-4065-b8c4-b8410217d520/overview
Verdict:
Malicious
Labled as:
Suspicious:Packer.Agent.r.gbqh
Link:
https://www.hybrid-analysis.com/sample/a93a1a1329d86384295dd87e4a5b4595afcfd8259ee43290416623fd17949769
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan-PSW.Lumma.HTTP.Download Trojan-Downloader.Win32.Deyma.sb Trojan.Nymaim.HTTP.ServerRequest Trojan.Agentb.TCP.C&C PDM:Trojan.Win32.Generic HEUR:Trojan-Downloader.Win32.Deyma.gen not-a-virus:PDM:AdWare.Win32.Agent.lnk.5
Link:
https://opentip.kaspersky.com/a93a1a1329d86384295dd87e4a5b4595afcfd8259ee43290416623fd17949769/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a422fdfb-a151-4ca7-8f7b-07947a7f1918
Result
Threat name:
Amadey, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1876445
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Suricata IDS alerts for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1876445 Sample: hwvBkjC4lc.exe Startdate: 01/03/2026 Architecture: WINDOWS Score: 100 43 94.154.35.25 SELECTELRU Ukraine 2->43 71 Suricata IDS alerts for network traffic 2->71 73 Found malware configuration 2->73 75 Antivirus detection for URL or domain 2->75 77 10 other signatures 2->77 9 hwvBkjC4lc.exe 1 4 2->9         started        13 rundll32.exe 2->13         started        signatures3 process4 file5 39 C:\Users\user\AppData\Local\...\2V4015.exe, PE32 9->39 dropped 41 C:\Users\user\AppData\Local\...\1g65c4.exe, MS-DOS 9->41 dropped 79 Detected unpacking (changes PE section rights) 9->79 81 Contains functionality to start a terminal service 9->81 15 1g65c4.exe 16 9->15         started        signatures6 process7 dnsIp8 61 192.177.26.243, 443, 49713, 49716 EGIHOSTINGUS United States 15->61 63 Multi AV Scanner detection for dropped file 15->63 65 Detected unpacking (changes PE section rights) 15->65 67 Tries to harvest and steal browser information (history, passwords, etc) 15->67 69 9 other signatures 15->69 19 chrome.exe 1 15->19         started        22 chrome.exe 2 15->22         started        24 chrome.exe 1 15->24         started        26 2 other processes 15->26 signatures9 process10 dnsIp11 45 192.168.2.4, 138, 443, 49385 unknown unknown 19->45 28 chrome.exe 19->28         started        31 chrome.exe 22->31         started        33 chrome.exe 24->33         started        35 chrome.exe 26->35         started        37 chrome.exe 26->37         started        process12 dnsIp13 55 5 other IPs or domains 28->55 47 www.google.com 142.250.65.68, 443, 49738, 49739 GOOGLEUS United States 31->47 49 142.250.217.132, 443, 49761, 49762 GOOGLEUS United States 33->49 51 142.250.191.4, 443, 49819, 49820 GOOGLEUS United States 35->51 53 142.251.210.42, 443, 49826, 49827 GOOGLEUS United States 35->53 57 2 other IPs or domains 35->57 59 2 other IPs or domains 37->59
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a93a1a1329d86384295dd87e4a5b4595afcfd8259ee43290416623fd17949769
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/534239a3c86b8ffb0bef0cc777661d06
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a93a1a1329d86384295dd87e4a5b4595afcfd8259ee43290416623fd17949769/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/a93a1a1329d86384295dd87e4a5b4595afcfd8259ee43290416623fd17949769
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2026-02-25 01:46:00 UTC
File Type:
PE (Exe)
Extracted files:
71
AV detection:
23 of 36 (63.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ve5buezj3bryikk53b7euw2fswx47wbft3sdfecbmyr72f4us5uq._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
error
QuasarRAT
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:goproxy family:vidar botnet:fbf543 backdoor credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx
Link:
https://tria.ge/reports/260301-j5rbqae17e/
Behaviour
Checks processor information in registry
GoLang User-Agent
Interacts with shadow copies
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Badlisted process makes network request
Checks installed software on the system
Drops desktop.ini file(s)
Enumerates connected drives
Checks computer location settings
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Deletes shadow copies
Renames multiple (9758) files with added filename extension
Amadey
Amadey family
Detects Amadey x86-bit Payload
Detects GoProxy payload
Detects Vidar Stealer
GoProxy
Goproxy family
Vidar
Vidar family
Malware Config
C2 Extraction:
http://94.154.35.25
Unpacked files
SH256 hash:
a93a1a1329d86384295dd87e4a5b4595afcfd8259ee43290416623fd17949769
MD5 hash:
534239a3c86b8ffb0bef0cc777661d06
SHA1 hash:
ff7ffd7b2729784370b7122eeef58776b07ce546
Link:
https://www.unpac.me/results/4364d998-6ce5-49ff-830b-b90a22e135e0/
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a93a1a1329d8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a93a1a1329d86384295dd87e4a5b4595afcfd8259ee43290416623fd17949769

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:mpress_2_xx_x86
Create hunting rule
Author:Kevin Falcoz
Description:MPRESS v2.XX x86 - no .NET
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/55049/

Comments