MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c27e5eb9e88677550596d1678ce44d9b4f6dfa69751402e4a5986c297d7b9ef3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c27e5eb9e88677550596d1678ce44d9b4f6dfa69751402e4a5986c297d7b9ef3
SHA3-384 hash: fb799d42ed664a7a6e20e1a23e81762d15b905ff116494429a425fa03a45bf5b1b94bc06aa190a3ba36c04b722edec66
SHA1 hash: c17681d135aeb249b4c5f5589c99be5ff948f113
MD5 hash: 99a9db36cee68a161b64061f2d01de35
humanhash: blossom-nine-early-beer
File name:lq.bin
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:598'326 bytes
First seen:2025-11-14 10:59:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 45d5865eb6beea32be47e1a203bcc876 (1 x QuasarRAT)
ssdeep 6144:2CvVfeOZgeNalRHaUNOZ0zJJJBJq8CaAasASX+MTzrlyie866BHUWq+9yN86IpKh:yuN6CaAaxSXJkcQFPSH4b/Qtg
Threatray 1'797 similar samples on MalwareBazaar
TLSH T133D43A8336D71CBADA632B7890D753396739FE604B374B7B4608C6322D231D0AE5A764
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter XiAnzheng
Tags:backdoor dll Downloader exe PERSISTENCE QuasarRAT trojan


Avatar
anzheng_xi
Hiding on /System32 as .dll after dropped and renamed

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
ID ID
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
lq.bin
Verdict:
No threats detected
Analysis date:
2025-11-14 11:01:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/64f25996-a132-466d-bf2d-2d86eb95a2af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38189/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69170bd4bdb0ec3a9dc14301
Tags:
injection
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending an HTTP GET request
Launching a process
Creating a window
Сreating synchronization primitives
Connection attempt to an infection source
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug masquerade mingw overlay overlay packed
Link:
https://www.filescan.io/uploads/69170bd1870da54314c96b88/reports/6551f731-bfd5-4fb1-8e82-089cf3e8dfd9/overview
Verdict:
Malicious
Labled as:
TrojanDownloader/ShellLoader.bc
Link:
https://www.hybrid-analysis.com/sample/c27e5eb9e88677550596d1678ce44d9b4f6dfa69751402e4a5986c297d7b9ef3
Verdict:
Malicious
File Type:
dll x64
First seen:
2025-11-14T01:37:00Z UTC
Last seen:
2025-11-16T01:59:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Quasar.a MEM:Trojan.Win64.Shellcode.gen HEUR:Trojan.Win64.Donut.a HEUR:Trojan.Multi.Donut.b Backdoor.Androm.HTTP.Download Trojan.Win64.Agentb.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Quasar.sb Trojan.MSIL.Quasar.fqk MEM:Trojan.Win32.Shellcode.a Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Quasar.gen Trojan-PSW.MSIL.Agent.sb Trojan.Win32.Inject.sb Backdoor.MSIL.Agent.sb
Link:
https://opentip.kaspersky.com/c27e5eb9e88677550596d1678ce44d9b4f6dfa69751402e4a5986c297d7b9ef3/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8bea1140-7081-41ba-a282-2c4e2f68adb4
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c27e5eb9e88677550596d1678ce44d9b4f6dfa69751402e4a5986c297d7b9ef3
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/99a9db36cee68a161b64061f2d01de35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c27e5eb9e88677550596d1678ce44d9b4f6dfa69751402e4a5986c297d7b9ef3/
Verdict:
Malicious
Threat:
Family.QUASAR
Link:
https://tip.neiki.dev/file/c27e5eb9e88677550596d1678ce44d9b4f6dfa69751402e4a5986c297d7b9ef3
Threat name:
Win64.Backdoor.Asyncrat
Create hunting rule
Status:
Suspicious
First seen:
2025-11-14 11:00:34 UTC
File Type:
PE+ (Dll)
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yj7f5opiqz3vkbmw2ftyzzcntnhw36tjoukafzfftbwcs7l3t3zq._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
1888dad764c782fdb3d8cfce0916fd197e645231f3cdc28e4d45d1558a0935db
QuasarRAT
436575800b95744469c08b2b05fcd3bda915278c57d1d890ce3288e82a88c32a
QuasarRAT
8056a37cd65f2a24c5ddb99843cc744d8f78f7befd95dcd77f9c4c5bfc6f45d3
QuasarRAT
8bedd9a6bc1b9fa0a9158352dae15181e354e187da8ea79c61418802d96b34b5
QuasarRAT
c27e5eb9e88677550596d1678ce44d9b4f6dfa69751402e4a5986c297d7b9ef3
QuasarRAT
ea8d7f024d9d6a84127fe2873d556b7f97525b9815270633b8087b2c9e24389b
QuasarRAT
error
QuasarRAT
f5e49e7ec748a0b4cfdecdddc5fdfaf9f5b7f38f73e962a4017b402ba8143d02
QuasarRAT
+ 1'787 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:quasar botnet:dll loader spyware trojan
Link:
https://tria.ge/reports/251114-m39xtsyrdz/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Detects DonutLoader
DonutLoader
Donutloader family
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
146.190.110.91:13000
193.161.193.99:13000
139.59.23.248:13000
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c2f87886-c9a1-4f02-a2a1-552be9889fd0
Unpacked files
SH256 hash:
c27e5eb9e88677550596d1678ce44d9b4f6dfa69751402e4a5986c297d7b9ef3
MD5 hash:
99a9db36cee68a161b64061f2d01de35
SHA1 hash:
c17681d135aeb249b4c5f5589c99be5ff948f113
Link:
https://www.unpac.me/results/ecc4426b-311f-442d-9210-e9e4229ccf50/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c27e5eb9e88677550596d1678ce44d9b4f6dfa69751402e4a5986c297d7b9ef3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

CoinMiner

Shortcut (lnk) lnk 4743c305a4fd08ac36fe1f52f5c6d2933bbad2d727ab64fe5bffa9b73c3b2f21

QuasarRAT

Executable exe c27e5eb9e88677550596d1678ce44d9b4f6dfa69751402e4a5986c297d7b9ef3

(this sample)

  
Link
https://bal-rewards.xyz/lq.txt
  
Dropped by
SHA256 4743c305a4fd08ac36fe1f52f5c6d2933bbad2d727ab64fe5bffa9b73c3b2f21
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/38189/
  
Dropped by
MD5 8ef445fb54bd20c9fef97eb006cbb14f

Comments