MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0455309a1405bee110cf310c555a615dea5644c96812770c80afde298e9d066. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0455309a1405bee110cf310c555a615dea5644c96812770c80afde298e9d066
SHA3-384 hash: 761f40bf8cbb7d060f2e00eb4f0f13ac79d9aa033fc3947475935a66dac9635593f9707fc3d94169b5c6592d1b0d8231
SHA1 hash: b21043185dfd8d23a995ffbd81ccfb5f2b10c083
MD5 hash: fb4bc0f012774a861009689dc3ac709d
humanhash: xray-texas-beer-bravo
File name:Windows330.bat
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:8'674'610 bytes
First seen:2025-12-22 08:23:49 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 49152:cq3aHsFQjvSp4U7mVbxLUX74SuLbXB/v6d3iuaIhhPF0hUpXuYFOnZWWCIZGHQgn:/
Threatray 159 similar samples on MalwareBazaar
TLSH T11F9633269FAE4E6F4A7C619C346F0E4E31B84D804085ACE977D2BCDF648FF24152B169
Magika txt
Reporter smica83
Tags:bat QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
56
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_b0455309a1405bee110cf310c555a615dea5644c96812770c80afde298e9d066.txt
Verdict:
No threats detected
Analysis date:
2025-12-22 08:26:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ffe5cd21-6190-4a67-b460-d94a3a96a98e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45705/
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69490039a6c88bb4cc236cb9
Tags:
metasploit vmdetect
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Query of malicious DNS domain
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 base64 conhost evasive lolbin obfuscated packed powershell reconnaissance schtasks
Link:
https://www.filescan.io/uploads/69490036e126b9ff438bd8cc/reports/fe008dc7-78c9-4d1f-b625-a54f3d9dad53/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/b0455309a1405bee110cf310c555a615dea5644c96812770c80afde298e9d066
Verdict:
Clean
File Type:
text
Link:
https://opentip.kaspersky.com/b0455309a1405bee110cf310c555a615dea5644c96812770c80afde298e9d066/results?tab=lookup
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1837527
Signature
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Contains functionality to disable the Task Manager (.Net Source)
Found large BAT file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Schedule system process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1837527 Sample: Windows330.bat Startdate: 22/12/2025 Architecture: WINDOWS Score: 100 51 pastebin.com 2->51 53 vtzqu4ora.localto.net 2->53 55 6 other IPs or domains 2->55 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Yara detected Powershell decode and execute 2->63 67 14 other signatures 2->67 10 cmd.exe 1 2->10         started        signatures3 65 Connects to a pastebin service (likely for C&C) 51->65 process4 process5 12 conhost.exe 10->12         started        15 conhost.exe 10->15         started        signatures6 77 Suspicious powershell command line found 12->77 17 powershell.exe 14 977 12->17         started        79 Bypasses PowerShell execution policy 15->79 process7 dnsIp8 47 vtzqu4ora.localto.net 107.152.32.98, 49723, 49725, 49726 TZULOUS United States 17->47 49 pastebin.com 172.66.171.73, 443, 49720 CLOUDFLARENETUS United States 17->49 43 C:\Windows\Windows266.bat, ASCII 17->43 dropped 45 C:\Users\user\AppData\Local\Temp\tmp266.xml, XML 17->45 dropped 69 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 17->69 71 Uses schtasks.exe or at.exe to add and modify task schedules 17->71 73 Sets debug register (to hijack the execution of another thread) 17->73 75 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->75 22 SIHClient.exe 8 17->22         started        25 schtasks.exe 1 17->25         started        27 schtasks.exe 1 17->27         started        29 29 other processes 17->29 file9 signatures10 process11 dnsIp12 57 part-0010.t-0009.t-msedge.net 13.107.246.38, 443, 49724 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->57 31 conhost.exe 25->31         started        33 conhost.exe 27->33         started        35 conhost.exe 29->35         started        37 conhost.exe 29->37         started        39 conhost.exe 29->39         started        41 26 other processes 29->41 process13
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/b0455309a1405bee110cf310c555a615dea5644c96812770c80afde298e9d066
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0455309a1405bee110cf310c555a615dea5644c96812770c80afde298e9d066/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/b0455309a1405bee110cf310c555a615dea5644c96812770c80afde298e9d066
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wbcvgcnbibn64eim6mimkvngcxpkkzcms2aso4gibl66fghj2bta._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
6eeb5788ce02a71cee8cad314c4f1c467ac0dc77b23cbbef4f3a38bdfbd75f46
QuasarRAT
8b285bfafb3e876e29f04165896276d17f0998e2b02f97c90a28c34ab53ee866
QuasarRAT
e6a5b25f6908df2812d77e1b071f71002eae1c6584da91bbb571d073c2ec2c6b
QuasarRAT
e9c8470cf58fe9e8069d8417528c335201c527a3074a73883304f07a08b816ac
QuasarRAT
error
QuasarRAT
f4e4d9cc74ac2b174a5e3bc41c29eea3fbcbea79ff32f49535bb6a56c6523860
QuasarRAT
+ 149 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar execution spyware trojan
Link:
https://tria.ge/reports/251223-ltbs1asngx/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Quasar RAT
Quasar family
Quasar payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b0455309a1405bee110cf310c555a615dea5644c96812770c80afde298e9d066

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/45705/

Comments