MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae7224287a33de677612229acdf01a5eac12e60bceec1bcbaa47579b154aff28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 64 File information Comments

SHA256 hash:	ae7224287a33de677612229acdf01a5eac12e60bceec1bcbaa47579b154aff28
SHA3-384 hash:	33e7510f3c873146d1da2d496556c946c8d43ddf85aa99fb3bca9c57f3aa84883b98d8a1f6186ddca79ba57e98bd82cc
SHA1 hash:	a943a301e1349beb8e823e31a98d117d73e12ea4
MD5 hash:	cece7690eb91f3dcaa7c5bd0d8d0c7f0
humanhash:	cardinal-orange-october-oven
File name:	file
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	5'061'120 bytes
First seen:	2025-12-30 18:54:58 UTC
Last seen:	2025-12-30 21:18:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	98304:pV1o5pM4dE7YjoZ8SyuA83HQ5IWCO5g5Km/BralovFpbMaoLB9bLPDN:pLQpMvpZ3RwGWCl//BmlovrwPnPx
Threatray	423 similar samples on MalwareBazaar
TLSH	T1C136121F0B3427C7C0094F71ECA1CCBB9E77D476BC4E8E09B0A447D45A65709A987ABA
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 QuasarRAT

Bitsight

url: http://130.12.180.43/files/1781548144/RM9zrCG.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

EvilCoder SilentCryptoMiner XWorm

Details

EvilCoder

a mutex and AES-ECB decrypted component(s)

PEPacker

a UPX version number and an unpacked binary

SilentCryptoMiner

AES-CBC decryption parameters, decrypted component(s), and possibly urls and a CryptoCurrency address

XWorm

a version, a filepath, a mutex, a c2 socket address or a dead-drop resolver URL, and possibly cryptocurrency wallets and a Telegram URL

Link:

https://research.acce.ciphertechsolutions.com/results/98a4e1d8-69f2-484f-8130-6d8bf748e274/

Malware family:

redline

ID:

File name:

0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe

Verdict:

Malicious activity

Analysis date:

2025-12-30 18:42:07 UTC

Tags:

auto redline stealer amadey botnet anti-evasion uac discord evasion rdp loader screenshot arch-doc skuld telegram ims-api generic crypto-regex susp-powershell ip-check golang neoreklami adware credentialflusher stealc vidar miner gcleaner winring0-sys vuln-driver purecrypter xworm purelogs remote coinminer xmrig xor-url smtp api-base64 upx

Link:

https://app.any.run/tasks/af19b714-7c58-41a1-a0fc-994ac9f3e130

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

R77

Link:

https://www.capesandbox.com/analysis/46596/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=695420217468b4bd1c8ef0aa

Tags:

vmdetect asyncrat quasar

Verdict:

Malicious

Labled as:

MSIL.Cassiopeia.Generic

Link:

https://www.hybrid-analysis.com/sample/ae7224287a33de677612229acdf01a5eac12e60bceec1bcbaa47579b154aff28

Result

Gathering data

Verdict:

Malicious

File Type:

exe x32

Link:

https://opentip.kaspersky.com/ae7224287a33de677612229acdf01a5eac12e60bceec1bcbaa47579b154aff28/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/688b5c4c-d7d7-40ed-aa6b-f38a84fadf69

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ae7224287a33de677612229acdf01a5eac12e60bceec1bcbaa47579b154aff28

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.18 Win 32 Exe x86

Link:

https://app.malva.re/file/cece7690eb91f3dcaa7c5bd0d8d0c7f0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ae7224287a33de677612229acdf01a5eac12e60bceec1bcbaa47579b154aff28/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/ae7224287a33de677612229acdf01a5eac12e60bceec1bcbaa47579b154aff28

Threat name:

ByteCode-MSIL.Trojan.Cassiopeia

Status:

Malicious

First seen:

2025-12-30 18:55:25 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 36 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vzzcikd2gppgo5qseknm34a2l2wbfzqlz3wbxs5ki5lzwfkk74ua._file

Verdict:

malicious

Label(s):

quasarrat

unc_loader_055

xworm

QuasarRAT

8db0cd1d0244de2a22f748c4d8fdac91f6850f1fef19bc7f2afe1d5cefb5b228

QuasarRAT

a92496d47628f8ca944290ddf8d791b2cf5f7858397afcff4b609908aaf1fce6

QuasarRAT

bb217671489213dfb4eefff0d0af47621615d9a0c85415c0e31f2cb08786d359

QuasarRAT

error

QuasarRAT

+ 413 additional samples on MalwareBazaar

Gathering data

Verdict:

Malicious

Tags:

External_IP_Lookup

YARA:

n/a

Link:

https://app.threat.zone/submission/3cc38269-25b6-42bb-afec-91d01725d4ce

Unpacked files

SH256 hash:

ae7224287a33de677612229acdf01a5eac12e60bceec1bcbaa47579b154aff28

MD5 hash:

cece7690eb91f3dcaa7c5bd0d8d0c7f0

SHA1 hash:

a943a301e1349beb8e823e31a98d117d73e12ea4

Link:

https://www.unpac.me/results/f371a22e-a009-4a68-9c53-0d4ef496f4e1/

SH256 hash:

d6966099c5998c8fdabf3f7f435856b469a1cefd4c8f8362c2dceebe7dd31c94

MD5 hash:

8001a5a10f6f71e5b93703afad23f8aa

SHA1 hash:

bb3350de5a04c8c48efdb9e7ebeb30826c37ce9a

Link:

https://www.unpac.me/results/f371a22e-a009-4a68-9c53-0d4ef496f4e1/

SH256 hash:

d181d0634a6b8ecda98612e7ac3c19cae9966a001db56df8ef1bf0e69206d9fe

MD5 hash:

5c4fc69c8804c2587c53964635464b19

SHA1 hash:

2d6a2d1a33e01ef0093199c15a3279c6aed876ef

Link:

https://www.unpac.me/results/f371a22e-a009-4a68-9c53-0d4ef496f4e1/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ae7224287a33/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ae7224287a33de677612229acdf01a5eac12e60bceec1bcbaa47579b154aff28

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	CAS_Malware_Hunting Create hunting rule
Author:	Michael Reinprecht
Description:	DEMO CAS YARA Rules for sample2.exe

Rule name:	Check_Dlls Create hunting rule

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	Indicator_MiniDumpWriteDump Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	MacOS_Cryptominer_Xmrig_241780a1 Create hunting rule
Author:	Elastic Security

Rule name:	MALWARE_Win_CoinMiner02 Create hunting rule
Author:	ditekSHen
Description:	Detects coinmining malware

Rule name:	MALWARE_Win_R77 Create hunting rule
Author:	ditekSHen
Description:	Detects r77 rootkit

Rule name:	MAL_BackNet_Nov18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects BackNet samples
Reference:	https://github.com/valsov/BackNet

Rule name:	MAL_BackNet_Nov18_1_RID2D6D Create hunting rule
Author:	Florian Roth
Description:	Detects BackNet samples
Reference:	https://github.com/valsov/BackNet

Rule name:	MAL_QuasarRAT_May19_1 Create hunting rule
Description:	Detects QuasarRAT malware

Rule name:	MAL_QuasarRAT_May19_1_RID2E1E Create hunting rule
Author:	Florian Roth
Description:	Detects QuasarRAT malware
Reference:	https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name:	MAL_XMR_Miner_May19_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MAL_XMR_Miner_May19_1_RID2E1B Create hunting rule
Author:	Florian Roth
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	Mimikatz_Generic Create hunting rule
Author:	Still
Description:	attempts to match all variants of Mimikatz

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	Multi_Cryptominer_Xmrig_f9516741 Create hunting rule
Author:	Elastic Security

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	rig_win64_xmrig_6_13_1_xmrig Create hunting rule
Author:	yarGen Rule Generator
Description:	rig_win64 - file xmrig.exe
Reference:	https://github.com/Neo23x0/yarGen

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Suspicious_PssCaptureSnapshot_Usage Create hunting rule
Author:	Dana Behling - Just me not for personal curiosity, no company.
Description:	Detects binaries abusing PssCaptureSnapshot in combination with typical combination that indicates malicious activity.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

Rule name:	Windows_Cryptominer_Generic_f53cfb9b Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Generic_Threat_d331d190 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Rootkit_R77_d0367e28 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

Rule name:	XMRIG_Monero_Miner Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero mining software
Reference:	https://github.com/xmrig/xmrig/releases