MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa8f99ec127ee46baa2d8221a417b8818caee1a8ee25a9200066a92e6eb9f9ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 19

Intelligence 19 IOCs YARA 42 File information Comments

SHA256 hash:	aa8f99ec127ee46baa2d8221a417b8818caee1a8ee25a9200066a92e6eb9f9ae
SHA3-384 hash:	6b1542d6218c06e3254071f1fa89d20da155b9fc6301f93830746274f5737d54ee5bedf5191a1b46f84cb240c6d05538
SHA1 hash:	42cbd5a8006f9d862ebed14335f9a8c9c1c7b8c1
MD5 hash:	ce0d96827a622f67ab639663cccb1a46
humanhash:	princess-pennsylvania-cold-idaho
File name:	file
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	4'923'392 bytes
First seen:	2026-03-13 16:31:23 UTC
Last seen:	2026-03-13 16:48:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'840 x AgentTesla, 19'772 x Formbook, 12'296 x SnakeKeylogger)
ssdeep	98304:72afhmf758yxBSDnOWAYEacCAGxwxscaLLyqZhfLnpL9kLgYqt3E:yafh9qBS65wKeHy8TpLukYqt0
Threatray	549 similar samples on MalwareBazaar
TLSH	T1D4363306BD54397FFB7406785E12FAE14F1D8EA5F9AA0AC624E5EE7CA390CB04311670
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 QuasarRAT

Bitsight

url: http://158.94.208.7/files/1781548144/okR3iq0.exe

Intelligence

File Origin

# of uploads :

# of downloads :

201

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

EvilCoder SilentCryptoMiner XWorm

Details

EvilCoder

a mutex and AES-ECB decrypted component(s)

PEPacker

a UPX version number and an unpacked binary

SilentCryptoMiner

AES-CBC decryption parameters, decrypted component(s), and possibly urls and a CryptoCurrency address

XWorm

a version, a filepath, a mutex, a c2 socket address or a dead-drop resolver URL, and possibly cryptocurrency wallets and a Telegram URL

Link:

https://research.acce.ciphertechsolutions.com/results/5338bfe1-04d3-4824-a78f-172e4e5ea365/

Malware family:

xmrig

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2026-03-13 16:32:40 UTC

Tags:

auto-reg evasion auto-startup anti-evasion xworm remote miner winring0-sys vuln-driver upx xor-url generic xmrig

Link:

https://app.any.run/tasks/d282b9d0-4a70-4be1-9b75-d82f7680fd97

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

R77

Link:

https://www.capesandbox.com/analysis/57318/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b43c1788c80c015869b51c

Tags:

vmdetect quasar emotet

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive packed vbnet

Link:

https://www.filescan.io/uploads/69b43c15493cb7d62dfb9047/reports/c1eb836c-7e6f-4e7d-b62b-d89084ebccae/overview

Verdict:

Malicious

Labled as:

MSIL.Cassiopeia.Generic

Link:

https://www.hybrid-analysis.com/sample/aa8f99ec127ee46baa2d8221a417b8818caee1a8ee25a9200066a92e6eb9f9ae

Verdict:

Malicious

File Type:

exe x32

Detections:

Backdoor.Win32.Androm.sb PDM:Trojan.Win32.Generic Trojan.MSIL.Agent.sb HEUR:Trojan.Win32.Miner.pef HEUR:Trojan.MSIL.Tasker.gen HEUR:Backdoor.MSIL.XClient.b VHO:Trojan.Win32.Agent.gen Trojan.MSIL.DOTHETUK.sb HEUR:Trojan.Win32.Generic HEUR:Trojan.Multi.Agent.gen HEUR:Trojan.MSIL.Agent.gen HEUR:Backdoor.MSIL.XWorm.gen Backdoor.MSIL.Crysan.d Trojan-PSW.MSIL.Agent.sb Trojan-Dropper.Win32.Injector.sb Trojan.Win32.Agent.sb Trojan.Win32.Agent.rnd Backdoor.MSIL.XWorm.b Backdoor.MSIL.XWorm.a Backdoor.MSIL.PulsarRAT.sb Trojan-Dropper.Win32.Agent.sb Trojan.Win32.Vimditator.sb HEUR:Trojan-Banker.MSIL.ClipBanker.gen HEUR:Trojan.Win32.Agent.pef HEUR:Trojan.MSIL.APosT.gen RiskTool.Miner.UDP.C&C RiskTool.BitCoinMiner.UDP.C&C Backdoor.Agent.TCP.C&C PDM:Trojan.Win32.Tasker.cust RiskTool.BitCoinMiner.TCP.C&C

Link:

https://opentip.kaspersky.com/aa8f99ec127ee46baa2d8221a417b8818caee1a8ee25a9200066a92e6eb9f9ae/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7c4a17d1-9013-4180-9bfc-083d66729a5e

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/aa8f99ec127ee46baa2d8221a417b8818caee1a8ee25a9200066a92e6eb9f9ae

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aa8f99ec127ee46baa2d8221a417b8818caee1a8ee25a9200066a92e6eb9f9ae/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/aa8f99ec127ee46baa2d8221a417b8818caee1a8ee25a9200066a92e6eb9f9ae

Threat name:

ByteCode-MSIL.Trojan.Cassiopeia

Status:

Malicious

First seen:

2026-03-13 16:32:30 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vkhzt3asp3sgxkrnqiq2if5yqggk5yni5ys2siaam2us43vz7gxa._file

Verdict:

malicious

Label(s):

unc_loader_055

xworm

quasarrat

QuasarRAT

8f20020d5b0669c889435750b00452672cb17fc2a87225a5341040bc05afc008

QuasarRAT

bb217671489213dfb4eefff0d0af47621615d9a0c85415c0e31f2cb08786d359

QuasarRAT

bca26771b9c277eb8babfaf06af7dae3f8b063b1b91b090691bf69d265dc0ff8

QuasarRAT

error

QuasarRAT

+ 539 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:quasar family:xmrig family:xworm defense_evasion discovery execution miner persistence rat spyware trojan upx

Link:

https://tria.ge/reports/260313-t14rcsds8z/

Behaviour

Checks SCSI registry key(s)

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

UPX packed file

Adds Run key to start application

Looks up external IP address via web service

Power Settings

Checks BIOS information in registry

Checks computer location settings

Creates new service(s)

Executes dropped EXE

Stops running service(s)

Command and Scripting Interpreter: PowerShell

XMRig Miner payload

Detect Xworm Payload

Quasar RAT

Quasar family

Quasar payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Xmrig family

Xworm

Xworm family

xmrig

Malware Config

C2 Extraction:

176.160.157.96:8887
uchiwa5.duckdns.org:8887
truesir.duckdns.org:8887
chelou.duckdns.org:8887
mauvaise.duckdns.org:8887
:3333

Unpacked files

SH256 hash:

aa8f99ec127ee46baa2d8221a417b8818caee1a8ee25a9200066a92e6eb9f9ae

MD5 hash:

ce0d96827a622f67ab639663cccb1a46

SHA1 hash:

42cbd5a8006f9d862ebed14335f9a8c9c1c7b8c1

Link:

https://www.unpac.me/results/1cf49ff9-c2b4-4ee5-acfe-7517a3cfc996/

SH256 hash:

375a0dfb88e1e3b29fda07e14237f55e68ab01725bdcfccdf8925cc66d683504

MD5 hash:

32d70a391920f9676129e9f895c2bfef

SHA1 hash:

13f8c605b6a0a476e8a19b16376ac9c257af3b0c

Detections:

win_xworm_w0

XWorm

win_xworm_bytestring

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/1cf49ff9-c2b4-4ee5-acfe-7517a3cfc996/

SH256 hash:

d6966099c5998c8fdabf3f7f435856b469a1cefd4c8f8362c2dceebe7dd31c94

MD5 hash:

8001a5a10f6f71e5b93703afad23f8aa

SHA1 hash:

bb3350de5a04c8c48efdb9e7ebeb30826c37ce9a

Link:

https://www.unpac.me/results/1cf49ff9-c2b4-4ee5-acfe-7517a3cfc996/

SH256 hash:

b24738cd885e39c0014b96a11851edfdd0ed3e8a99973d2f4c28024d4aefc207

MD5 hash:

ade52597d7336fd2ebd220975ef17d82

SHA1 hash:

3fdfd67356bdc38c41bf9a5467b5db0968abfa98

Link:

https://www.unpac.me/results/1cf49ff9-c2b4-4ee5-acfe-7517a3cfc996/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/aa8f99ec127e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/aa8f99ec127ee46baa2d8221a417b8818caee1a8ee25a9200066a92e6eb9f9ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	MacOS_Cryptominer_Xmrig_241780a1 Create hunting rule
Author:	Elastic Security

Rule name:	MALWARE_Win_CoinMiner02 Create hunting rule
Author:	ditekSHen
Description:	Detects coinmining malware

Rule name:	MALWARE_Win_R77 Create hunting rule
Author:	ditekSHen
Description:	Detects r77 rootkit

Rule name:	MAL_XMR_Miner_May19_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MAL_XMR_Miner_May19_1_RID2E1B Create hunting rule
Author:	Florian Roth
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	Mimikatz_Generic Create hunting rule
Author:	Still
Description:	attempts to match all variants of Mimikatz

Rule name:	Multi_Cryptominer_Xmrig_f9516741 Create hunting rule
Author:	Elastic Security

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	rig_win64_xmrig_6_13_1_xmrig Create hunting rule
Author:	yarGen Rule Generator
Description:	rig_win64 - file xmrig.exe
Reference:	https://github.com/Neo23x0/yarGen

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

Rule name:	Windows_Cryptominer_Generic_f53cfb9b Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Generic_Threat_d331d190 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Rootkit_R77_d0367e28 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

Rule name:	XMRIG_Monero_Miner Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero mining software
Reference:	https://github.com/xmrig/xmrig/releases