MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba8d38575e15f2a8a3c819d3f2e189acdf9249c99240236c8be4f96d7284530d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba8d38575e15f2a8a3c819d3f2e189acdf9249c99240236c8be4f96d7284530d
SHA3-384 hash: a23efd256b8e887dd4586d7931c59ea4d3e29d5579c5269944eb19ff74175bab11ec93acfef1fa1af05a7e64339082ff
SHA1 hash: acbd14848a8421926f585b37cdffa70a6e4b9e95
MD5 hash: 7dbf1cd5241dd382d74ce86edd1f5950
humanhash: floor-nebraska-friend-georgia
File name:Valosysinfo.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:326'144 bytes
First seen:2026-06-05 01:45:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'067 x AgentTesla, 20'020 x Formbook, 12'352 x SnakeKeylogger)
ssdeep 6144:adnzzkMHitAUXObRVAhQ6qOLayreVZUFQnmgn6aha3lkMMeNUFoEWOMscig8hnlL:SnzzkMCtAUXObRVAh8TYiTo8hnlgAZ6O
Threatray 201 similar samples on MalwareBazaar
TLSH T1F464455D4F6845C0CA4CAA388ED2DE1A637E1E73AC46D755AC183FC17632F4C2AA3356
TrID 72.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.4% (.EXE) Win64 Executable (generic) (6522/11/2)
4.4% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon ccb2706971d4f0f0 (1 x QuasarRAT)
Reporter abuse_ch
Tags:exe QuasarRAT RAT


Avatar
abuse_ch
QuasarRAT C2:
95.70.188.185:1337

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.70.188.185:1337 https://threatfox.abuse.ch/ioc/1822624/

Intelligence

File Origin
# of uploads :
1
# of downloads :
146
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
PS2EXE
Details
PS2EXE
an extracted PowerShell script
Link:
https://research.acce.ciphertechsolutions.com/results/4a7f4ffb-20fe-4afe-be2f-50c13fb4eed4/
Malware family:
quasar
Create hunting rule
ID:
1
File name:
Valosysinfo.exe
Verdict:
Malicious activity
Analysis date:
2026-06-04 16:26:15 UTC
Tags:
susp-powershell loader auto-sch quasar
Link:
https://app.any.run/tasks/67d6808d-77f8-4855-8b83-50369b8d8900

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69061/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader48.60245.10794.13410.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a21a72657b7bf261d60dd92
Tags:
infosteal autorun quasar
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Deleting a recently created file
Creating a window
Creating a file
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/ba8d38575e15f2a8a3c819d3f2e189acdf9249c99240236c8be4f96d7284530d
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-04T13:42:00Z UTC
Last seen:
2026-06-06T21:47:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Agent.sb Trojan.MSIL.Quasar.hhh Trojan-Downloader.Agent.HTTP.C&C Backdoor.Agent.TCP.C&C NetTool.PowerShellUA.HTTP.C&C NetTool.PowerShellGet.HTTP.C&C
Link:
https://opentip.kaspersky.com/ba8d38575e15f2a8a3c819d3f2e189acdf9249c99240236c8be4f96d7284530d/results?tab=lookup
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f8773817-bdd3-450f-9994-a85c0289d7f9
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1923356
Signature
.NET source code contains potential unpacker
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1923356 Sample: Valosysinfo.exe Startdate: 05/06/2026 Architecture: WINDOWS Score: 100 31 branleet.duckdns.org 2->31 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 53 5 other signatures 2->53 9 Valosysinfo.exe 29 2->9         started        13 fontdrvhost.exe 3 2->13         started        signatures3 51 Uses dynamic DNS services 31->51 process4 file5 29 C:\Users\user\AppData\...\Valosysinfo.exe.log, CSV 9->29 dropped 55 Loading BitLocker PowerShell Module 9->55 57 Reads the Security eventlog 9->57 59 Reads the System eventlog 9->59 15 fontdrvhost.exe 2 9->15         started        19 powershell.exe 14 16 9->19         started        21 WmiPrvSE.exe 9->21         started        signatures6 process7 dnsIp8 33 branleet.duckdns.org 95.70.188.185, 1337 ASTURKNETTR Turkey 15->33 37 Uses schtasks.exe or at.exe to add and modify task schedules 15->37 39 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->39 41 Installs a global keyboard hook 15->41 43 Potential Privilege Escalation using Task Scheduler highest RunLevel 15->43 23 schtasks.exe 1 15->23         started        35 185.233.164.109, 49713, 80 SAGANETWORKTR Turkey 19->35 25 conhost.exe 19->25         started        signatures9 process10 process11 27 conhost.exe 23->27         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ba8d38575e15f2a8a3c819d3f2e189acdf9249c99240236c8be4f96d7284530d
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba8d38575e15f2a8a3c819d3f2e189acdf9249c99240236c8be4f96d7284530d/
Verdict:
Malicious
Threat:
Family.QUASAR
Link:
https://tip.neiki.dev/file/ba8d38575e15f2a8a3c819d3f2e189acdf9249c99240236c8be4f96d7284530d
Threat name:
Win32.Backdoor.Quasar
Create hunting rule
Status:
Suspicious
First seen:
2026-06-04 16:26:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xkgtqv26cxzkri6idhj7fymjvtpzesojsjacg3el4t4w24uekmgq._file
Verdict:
suspicious
Label(s):
admintool_ps2exe
Create hunting rule
Similar samples:
09b365f767803f55168c63c903002995836a1b5b1ddf6163c6db6793a21f8cf9
QuasarRAT
2d40d1451168527bfc31d965658b5afc6cb76593b4b38ec7b9b1bd85e5416662
QuasarRAT
2e9338feb1b56d1da46cddc5013570812236b9ea5f860d16f8d1c18ac08d7945
QuasarRAT
5c799922f4e11ec30bbb60e39868b9d1892a681ff553c1da8df4bd0405e7374e
QuasarRAT
d1141527eda59ac84ad2a56869db08c7e236bc0cd8ba606b723b123911239ea9
QuasarRAT
+ 191 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office04 execution persistence spyware trojan
Link:
https://tria.ge/reports/260605-b6pkhsat4s/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Badlisted process makes network request
Downloads MZ/PE file
Family: Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
branleet.duckdns.org:1337
Unpacked files
SH256 hash:
ba8d38575e15f2a8a3c819d3f2e189acdf9249c99240236c8be4f96d7284530d
MD5 hash:
7dbf1cd5241dd382d74ce86edd1f5950
SHA1 hash:
acbd14848a8421926f585b37cdffa70a6e4b9e95
Link:
https://www.unpac.me/results/b387a628-40cd-4ed3-83b6-c2a0e405c9e4/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ba8d38575e15/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/ba8d38575e15f2a8a3c819d3f2e189acdf9249c99240236c8be4f96d7284530d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69061/

Comments