MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c32f2184fadc3d690d8b38e83d66a43dc1035399d652f3cf95a97a4cb4912026. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c32f2184fadc3d690d8b38e83d66a43dc1035399d652f3cf95a97a4cb4912026
SHA3-384 hash: 2eb4379122c0c9d13ec5e2169ddcbe077f6de69011772a95ae8cb7c7505ce289ed8fd6b43cee0ab00701277567d8c5d0
SHA1 hash: 627aa0d2cf5536a5915f403a0180f124f9876bf2
MD5 hash: fecf2e4a7cffc39baf943701ed4b1924
humanhash: eight-mountain-pizza-cold
File name:startup_str_844.bat
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:2'066'282 bytes
First seen:2025-08-04 05:39:01 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 24576:N9u41gZRzl1VVCnycWezSeGiWbwLUwzwmjHMo1B74qZxIAMhWxs7jy4Kg8irYLhY:NA+yjTIzIbhHAf+c18
Threatray 167 similar samples on MalwareBazaar
TLSH T12CA533094FEA24ED0E78932DC05F6B0D16AA9DD8F8184AC7E310F9C7567ABA1CD0F459
Magika batch
Reporter smica83
Tags:bat QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
32
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
startup_str_844.bat
Verdict:
Malicious activity
Analysis date:
2025-08-04 05:39:53 UTC
Tags:
auto heodo botnet auto-sch
Link:
https://app.any.run/tasks/ae2ce2c3-d9d0-4809-b515-95f78ad555c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18678/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68904799af3050dc8d33fc53
Tags:
shell spawn
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/6890478e73b8ef6f4afd0da9/reports/879cec3f-1b7d-4eee-9c71-f7cf7d92bf92/overview
Verdict:
Suspicious
Labled as:
TrojanDropper/BAT.Agent
Link:
https://www.hybrid-analysis.com/sample/c32f2184fadc3d690d8b38e83d66a43dc1035399d652f3cf95a97a4cb4912026
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1749582
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Drops executables to the windows directory (C:\Windows) and starts them
Found large BAT file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Powershell drops PE file
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Renames powershell.exe to bypass HIPS
Sample uses string decryption to hide its real strings
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses Register-ScheduledTask to add task schedules
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell decrypt and execute
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1749582 Sample: startup_str_844.bat Startdate: 04/08/2025 Architecture: WINDOWS Score: 100 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for dropped file 2->61 63 15 other signatures 2->63 11 cmd.exe 1 2->11         started        14 Microsoft.exe 2->14         started        16 wscript.exe 1 2->16         started        process3 signatures4 91 Suspicious powershell command line found 11->91 93 Wscript starts Powershell (via cmd or directly) 11->93 95 Bypasses PowerShell execution policy 11->95 18 powershell.exe 3 19 11->18         started        22 conhost.exe 11->22         started        97 Powershell is started from unusual location (likely to bypass HIPS) 14->97 99 Reads the Security eventlog 14->99 101 Reads the System eventlog 14->101 24 conhost.exe 14->24         started        103 Windows Scripting host queries suspicious COM object (likely to drop second stage) 16->103 105 Suspicious execution chain found 16->105 process5 file6 51 C:\Users\user\AppData\...\startup_str_765.vbs, ASCII 18->51 dropped 53 C:\Users\user\AppData\...\startup_str_765.bat, ASCII 18->53 dropped 65 Suspicious powershell command line found 18->65 67 Uses schtasks.exe or at.exe to add and modify task schedules 18->67 69 Uses Register-ScheduledTask to add task schedules 18->69 71 Powershell drops PE file 18->71 26 wscript.exe 1 18->26         started        29 powershell.exe 31 18->29         started        signatures7 process8 signatures9 81 Wscript starts Powershell (via cmd or directly) 26->81 31 cmd.exe 1 26->31         started        83 Loading BitLocker PowerShell Module 29->83 34 conhost.exe 29->34         started        process10 signatures11 107 Suspicious powershell command line found 31->107 109 Wscript starts Powershell (via cmd or directly) 31->109 36 powershell.exe 17 31->36         started        40 conhost.exe 31->40         started        process12 file13 55 C:\Windows\System32\SubDir\Microsoft.exe, PE32+ 36->55 dropped 73 Drops executables to the windows directory (C:\Windows) and starts them 36->73 75 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 36->75 77 Renames powershell.exe to bypass HIPS 36->77 79 Hides that the sample has been downloaded from the Internet (zone.identifier) 36->79 42 Microsoft.exe 36->42         started        45 schtasks.exe 36->45         started        signatures14 process15 signatures16 85 Powershell is started from unusual location (likely to bypass HIPS) 42->85 87 Reads the Security eventlog 42->87 89 Reads the System eventlog 42->89 47 conhost.exe 42->47         started        49 conhost.exe 45->49         started        process17
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/c32f2184fadc3d690d8b38e83d66a43dc1035399d652f3cf95a97a4cb4912026
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c32f2184fadc3d690d8b38e83d66a43dc1035399d652f3cf95a97a4cb4912026/
Threat name:
Script-BAT.Backdoor.Quasar
Create hunting rule
Status:
Malicious
First seen:
2025-08-04 05:39:29 UTC
File Type:
Text (PowerShell)
AV detection:
6 of 38 (15.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ymxsdbh23q6wsdmlhdud2zvehxaqgu4z2zjpht4vvf5eznereata._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
403a210490c6018a9cf4e6f960a8fdc82fc48cc764de5f79156012b90ce96e12
QuasarRAT
6de60e8731fc16cf91a5efb445e46b44f8cd722989674bfe204fdb92fd60ba74
QuasarRAT
88fde9a2c7f061165c94aea3dea033b834b20cafd7c56e7f906f75b77c9447b9
QuasarRAT
c598101df884baa2a9db9162b00fe4ab7adf469ae87d764e6d8b210fe095e565
QuasarRAT
c66c439cecc85c1c339f113fdd01c628bbb5342fc6e8e094c4f67144926b9695
QuasarRAT
error
QuasarRAT
+ 157 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:discord execution persistence spyware trojan
Link:
https://tria.ge/reports/250804-gcg68sej91/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in System32 directory
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
96.45.244.194:5129
96.45.244.194:5127
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c32f2184fadc3d690d8b38e83d66a43dc1035399d652f3cf95a97a4cb4912026

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/18678/

Comments