MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbfb1b5542f73bfd598e587ccab52da52ff59ff120708900a0a15484deaa18fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 15 File information Comments

SHA256 hash:	bbfb1b5542f73bfd598e587ccab52da52ff59ff120708900a0a15484deaa18fa
SHA3-384 hash:	7722fd1c4aa796bb26e0a27f5d61f5d2c08b0ac18e4f753efe3706fe52ec08381b6e40cbd2f7a049e67b51c87c3a9a78
SHA1 hash:	31f2781d576ccff91f32952f3a93a3ea001831b1
MD5 hash:	3afb38bfad87cb9e00d81d90dd467cd9
humanhash:	louisiana-alpha-july-five
File name:	bbfb1b5542f73bfd598e587ccab52da52ff59ff120708900a0a15484deaa18fa
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	862'720 bytes
First seen:	2026-06-08 08:31:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'067 x AgentTesla, 20'020 x Formbook, 12'352 x SnakeKeylogger)
ssdeep	24576:m+1SHvhthpBqs/F/uwn+cshmk8/upcUjI:xchp0i9n+uGy
Threatray	809 similar samples on MalwareBazaar
TLSH	T19B050289A7C08E35D90A5D34C4301E7842379F0A7E55F285EE28BD7337B3ADB189199B
TrID	70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.2% (.EXE) Win64 Executable (generic) (6522/11/2) 4.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	70c0db4eea7ab0fc (24 x QuasarRAT)
Reporter	adrian__luca
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

ConfuserEx

Details

Link:

https://research.acce.ciphertechsolutions.com/results/9485f8d8-3bf4-46e3-b293-ab5f9d1ab5fa/

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69535/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a267ed7ae2f98c00a68baff

Tags:

quasar virus remo msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Launching a process

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a window

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Query of malicious DNS domain

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

base64 dotfuscator obfuscated obfuscated packed reconnaissance smartassembly vbnet yano

Link:

https://www.filescan.io/uploads/6a267e4c554e843ff863f40d/reports/e811ac73-6aab-42fe-a956-c14127ab345f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/bbfb1b5542f73bfd598e587ccab52da52ff59ff120708900a0a15484deaa18fa

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-21T12:37:00Z UTC

Last seen:

2026-06-09T20:20:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/bbfb1b5542f73bfd598e587ccab52da52ff59ff120708900a0a15484deaa18fa/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/1698bd46-bd40-4936-9cab-b0491884ad42

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bbfb1b5542f73bfd598e587ccab52da52ff59ff120708900a0a15484deaa18fa

Gathering data

Detection:

quasar

Link:

https://mwdb.cert.pl/sample/bbfb1b5542f73bfd598e587ccab52da52ff59ff120708900a0a15484deaa18fa/

Threat name:

Win32.Trojan.Kepavll

Status:

Malicious

First seen:

2026-05-21 16:47:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 36 (72.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xp5rwvkc64572wmolb6mvnjnuux7lh7rebyisafaufkijxvkdd5a._file

Verdict:

malicious

Label(s):

quasarrat

QuasarRAT

902d1dee3000361a49b22d81c52a410a3521e06dcfd5b1422f46a5c2c3f80191

QuasarRAT

b6120aa7ee8cf2475648b7b8a287275e63e4a657b30694123ab8bf47463d5477

QuasarRAT

e084e80abf2e13a02f8e611406a499fd25fcbd84951ca9bff62f72c6897cb4d6

QuasarRAT

efd1e9646641faebb9273e578cc09c0c87b6fef6164cb3e539a3750688a90bfe

QuasarRAT

error

QuasarRAT

+ 799 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar botnet:toy5 discovery execution persistence spyware trojan

Link:

https://tria.ge/reports/260608-kfsnxsav9p/

Behaviour

Runs ping.exe

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Looks up external IP address via web service

Executes dropped EXE

Checks computer location settings

Family: Quasar RAT

Quasar payload

Malware Config

C2 Extraction:

qinerdime.ydns.eu:61542
qinerdime.servehalflife.com:61541

Unpacked files

SH256 hash:

bbfb1b5542f73bfd598e587ccab52da52ff59ff120708900a0a15484deaa18fa

MD5 hash:

3afb38bfad87cb9e00d81d90dd467cd9

SHA1 hash:

31f2781d576ccff91f32952f3a93a3ea001831b1

Link:

https://www.unpac.me/results/d3a2b40c-0469-40f6-8f15-dbed2072046a/

SH256 hash:

24bb33d135b419f586194277976543b2d8b59f283177bd631d8100270d20ccf0

MD5 hash:

c82b059170135eb6a4d4f17a358605b9

SHA1 hash:

3171a330799d888ee2ff8117e035e492afb5f616

Link:

https://www.unpac.me/results/d3a2b40c-0469-40f6-8f15-dbed2072046a/

SH256 hash:

a8f576bb01bb1c6b1c2cfb0c8e39d6b3241949fa21be0097e24993e42f67c622

MD5 hash:

3ac75fcf6f65c28b7736e0aeafa4073d

SHA1 hash:

6241f84ab8c84e9dbd70c70c8af2407a2d1083e4

Detections:

QuasarRAT

Link:

https://www.unpac.me/results/d3a2b40c-0469-40f6-8f15-dbed2072046a/

Parent samples :

a3b3c9e9c1c68df7a1902750cef695b9b5518f19c5ecbb8e3796f5b80468e361
bbfb1b5542f73bfd598e587ccab52da52ff59ff120708900a0a15484deaa18fa

Malware family:

xRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bbfb1b5542f7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bbfb1b5542f73bfd598e587ccab52da52ff59ff120708900a0a15484deaa18fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_EXE_Packed_Dotfuscator Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Dotfuscator

Rule name:	INDICATOR_EXE_Packed_Goliath Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Goliath

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/69535/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample