MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b149a11f068f8b4c79681552a82ccf69821b9a87b538ce1c2e4d75198c3fd5f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b149a11f068f8b4c79681552a82ccf69821b9a87b538ce1c2e4d75198c3fd5f9
SHA3-384 hash: be7ccc9dad7cde7b8f450894566ee324143ed67a0963ecfed586661d8851d91d1dd726f3ea0b42afbaca4cc7f383b744
SHA1 hash: 22bf175ad25e7607d99609fe9c43409ba54aa248
MD5 hash: 107a2b5e0acd7246c4608078ca68dd09
humanhash: arizona-lactose-tennessee-mockingbird
File name:kn.bat
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:6'373'891 bytes
First seen:2025-02-25 11:40:12 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 49152:PfhscRvb80e21vU6CH7bcumD1G6JNTjAOcAY0xmmyWsMqHiVRhdUwBQbH8FJbsHU:3
Threatray 162 similar samples on MalwareBazaar
TLSH T1BA56336223F1A89F0DA5A2EBC1EB581D294D4FE24CDFB9F7416118CF0A5FB101D2B951
Magika txt
Reporter JAMESWT_WT
Tags:149-50-97-147 bat QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
kn.bat
Verdict:
No threats detected
Analysis date:
2025-02-25 11:59:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/56c2b4af-ae7c-42b8-b453-bfd011c50370

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bdacada0fd713c335cb72d
Tags:
vmdetect xtreme shell sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm obfuscated
Link:
https://www.filescan.io/uploads/67bdac2b6222db7f23db016e/reports/6c22bfae-50de-43b6-9639-e11f671c6079/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/b149a11f068f8b4c79681552a82ccf69821b9a87b538ce1c2e4d75198c3fd5f9
Result
Verdict:
SUSPICIOUS
Details
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1623637
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1623637 Sample: kn.bat Startdate: 25/02/2025 Architecture: WINDOWS Score: 100 36 ipwho.is 2->36 42 Suricata IDS alerts for network traffic 2->42 44 Yara detected Quasar RAT 2->44 46 Found large BAT file 2->46 48 Joe Sandbox ML detected suspicious sample 2->48 9 cmd.exe 1 2->9         started        signatures3 process4 signatures5 58 Suspicious powershell command line found 9->58 12 powershell.exe 28 30 9->12         started        16 powershell.exe 15 9->16         started        18 conhost.exe 9->18         started        20 cmd.exe 1 9->20         started        process6 dnsIp7 38 149.50.97.147, 4782, 59118, 59171 COGENT-174US United States 12->38 40 ipwho.is 195.201.57.90, 443, 59130 HETZNER-ASDE Germany 12->40 68 Writes to foreign memory regions 12->68 70 Modifies the context of a thread in another process (thread injection) 12->70 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->72 76 3 other signatures 12->76 22 winlogon.exe 12->22 injected 74 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->74 25 findstr.exe 1 16->25         started        signatures8 process9 signatures10 50 Injects code into the Windows Explorer (explorer.exe) 22->50 52 Contains functionality to inject code into remote processes 22->52 54 Writes to foreign memory regions 22->54 56 3 other signatures 22->56 27 svchost.exe 22->27 injected 30 lsass.exe 22->30 injected 32 dwm.exe 22->32 injected 34 32 other processes 22->34 process11 signatures12 60 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 27->60 62 Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes) 27->62 64 Queries temperature or sensor information (via WMI often done to detect virtual machines) 27->64 66 Writes to foreign memory regions 30->66
Score:
83%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/b149a11f068f8b4c79681552a82ccf69821b9a87b538ce1c2e4d75198c3fd5f9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b149a11f068f8b4c79681552a82ccf69821b9a87b538ce1c2e4d75198c3fd5f9/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wfe2chygr6fuy6licvjkqlgpngbbxguhwu4m4hbojv2rtdb72x4q._file
Verdict:
malicious
Label(s):
r77
Create hunting rule
Similar samples:
0999322e8a2a984b5400544b31a91ae8dd49b362a2517fe497a8e1455de07d8f
QuasarRAT
39fa01d351c5cdb6de9c4155f0c7d4241578ea02e5fc735c19faae312487dc20
QuasarRAT
4e722641d45ec7ae5032e827a6b311a82a0e0551865caf00c19e7eab85487f54
QuasarRAT
ac0c9ad2975e52b69068d331e25c0f7e1aaa2976651794b1eeadf5a3529bcaf0
QuasarRAT
b871ed20d46a9be3a4aedb5facad152ab24289b6866076cb7ffc59721ca7525c
QuasarRAT
d829b8ffdb11832632e9799419d78b649481d7b9b261ec587c6fc0fc20a76eee
QuasarRAT
ded12aa1047596d73fd663a8d297bdc36a70e56174e62eeaad3fad48f611890c
QuasarRAT
e12902c413b76be7f75f527a84c41823e4b96417495c264dc09e77761a105931
QuasarRAT
e27fbbd008427ab109877123d328bac58fabbf82febee4a36bf8412c28da73a4
QuasarRAT
e9b236e4b6ba598d2ae4be581c166cf486cbc86a47fffb87b7d05cb09d75073b
QuasarRAT
error
QuasarRAT
+ 152 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/250225-nthbwswky6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b149a11f068f8b4c79681552a82ccf69821b9a87b538ce1c2e4d75198c3fd5f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments