MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c598101df884baa2a9db9162b00fe4ab7adf469ae87d764e6d8b210fe095e565. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 15



SHA256 hash: c598101df884baa2a9db9162b00fe4ab7adf469ae87d764e6d8b210fe095e565
SHA3-384 hash: c9c1fd3b6bd7e25d89eea84fb1b5c0850b81d56becb338fa12ce081b5d2cd97ff1976594fcde704714164866230b4ca2
SHA1 hash: 32f77327ba5eb6251d90aedd7ebe144b2cd80677
MD5 hash: c7a64827a51b9e2b028cc2a96bbe6ba2
humanhash: don-kilo-steak-eleven
File name: Pls.exe
Signature: QuasarRAT
File size: 7'241'799 bytes
First seen: 2025-06-09 11:53:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 12e12319f1029ec4f8fcbed7e82df162 (388 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep: 196608:pAjTWdoZO1DCuJI0wqavB85Pa3onMRRA3D5L83PzRU:pnNQ58gfExkPVU
Threatray: 690 similar samples on MalwareBazaar
TLSH: T1C0763312FED594B7C9A219B00B789B10A329BD602F629FFF7784365CCA215D1C933B52
TrID: 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: abuse_ch
Tags: exe, QuasarRAT

Intelligence


File Origin
# of uploads :
1
# of downloads :
279
Origin country :
NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
bomb.exe.bin
Verdict:
Malicious activity
Analysis date:
2025-06-09 13:32:18 UTC
Tags:
github hausbomber loader phishing lumma stealer auto generic telegram remote xworm amadey botnet rat dcrat darkcrystal delphi inno installer gcleaner golang exfiltration pastebin winring0x64-sys vuln-driver crypto-regex miner

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
vmdetect autorun quasar
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a file in the %AppData% directory
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% directory
Loading a suspicious library
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Moving a recently created file
Replacing files
Adding an access-denied ACE
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Launching a service
Forced system process termination
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Result
Threat name:
DCRat, PureLog Stealer, Quasar, zgRAT
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad.adwa
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops executable to a common third party application directory
Drops PE files to the user root directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Infects executable files (exe, dll, sys, html)
Installs a global keyboard hook
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses threadpools to delay analysis
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected Quasar RAT
Yara detected UAC Bypass using CMSTP
Yara detected zgRAT
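Several of the signatures above (the Base64-encoded MpPreference cmdlet that adds a Defender exclusion, the WLAN password harvesting through netsh, the schtasks-based persistence) describe behaviour that can be triaged straight from process-creation telemetry. The following is an added example and not code from MalwareBazaar, Joe Sandbox or the Sigma project: it decodes PowerShell -EncodedCommand arguments and applies three simple checks to constructed Sysmon-style records. The records, command lines and rule names are made up for the example; only the Refbrokersvc folder and the RunShellXDWD.exe file name are borrowed from the report.

```python
"""Triage of process-creation telemetry for the behaviours the sandbox flagged above.

Added example; it is not code from MalwareBazaar, Joe Sandbox or the Sigma project.
The records are constructed to resemble Sysmon Event ID 1 / Security 4688 fields; the
command lines are made up and borrow only the Refbrokersvc folder and RunShellXDWD.exe
file name from the report. Rule names are our own labels, not Sigma rule titles."""
import base64
import binascii
import re

MP_PREFERENCE = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)?")
WLAN_KEY_CLEAR = re.compile(r"(?i)\bwlan\s+show\s+profiles?\b.*\bkey\s*=\s*clear\b")
SCHTASKS_CREATE = re.compile(r'(?i)\bschtasks(?:\.exe)?\b.*\s/create\b.*\s/tr\s+"?([^"]+)')
USER_WRITABLE = re.compile(r"(?i)\\(?:AppData|Users\\Public|ProgramData|Temp|Recovery)\\")


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None.

    powershell.exe accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...),
    which is why Sigma-style rules look at the decoded text rather than the switch name."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith("-"):
            continue
        name = tok[1:].lower()
        if not name or not "encodedcommand".startswith(name):
            continue
        try:
            raw = base64.b64decode(tokens[i + 1], validate=True)
        except (binascii.Error, ValueError):
            return None          # switch present but payload is not clean Base64
        return raw.decode("utf-16-le", errors="replace")
    return None


def detect(record):
    """Names of the checks a single process-creation record trips (possibly several)."""
    hits = []
    image = record.get("image", "").lower()
    cmd = record.get("cmdline", "")
    if image.endswith(("powershell.exe", "pwsh.exe")):
        decoded = decode_encoded_command(cmd)
        if decoded and MP_PREFERENCE.search(decoded):
            hits.append("powershell_b64_mppreference_exclusion")   # Defender exclusion added
    if image.endswith("netsh.exe") and WLAN_KEY_CLEAR.search(cmd):
        hits.append("netsh_wlan_key_clear")                        # Wi-Fi password capture
    m = SCHTASKS_CREATE.search(cmd)
    if image.endswith("schtasks.exe") and m and USER_WRITABLE.search(m.group(1)):
        hits.append("schtasks_create_user_writable_path")          # task persistence from %AppData% etc.
    return hits


def triage(records):
    """Map record index -> list of hits, omitting clean records."""
    return {i: hits for i, r in enumerate(records) if (hits := detect(r))}


# Constructed records (not from the sandbox run). Record 0 carries the Base64 form of
#   Add-MpPreference -ExclusionPath "C:\Refbrokersvc"
_ENC = base64.b64encode('Add-MpPreference -ExclusionPath "C:\\Refbrokersvc"'.encode("utf-16-le")).decode()
RECORDS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -Enc {_ENC}"},
    {"image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh wlan show profile name="Office" key=clear'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn RunShellXDWD /sc minute /mo 5 /tr "C:\Users\user\AppData\Roaming\RunShellXDWD.exe"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},              # benign control
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Backup /sc daily /tr "C:\Program Files\Backup\run.exe"'},  # benign control
]

if __name__ == "__main__":
    for idx, hits in triage(RECORDS).items():
        print(idx, hits, RECORDS[idx]["cmdline"][:60])
```

The decode step matters more than the pattern list: the sandbox saw the exclusion being added through an encoded command line, so a rule that only greps the raw command line for "MpPreference" never fires. The two benign controls show the checks stay quiet on an ordinary PowerShell invocation and on a scheduled task whose target lives under Program Files.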
Behaviour
Behavior Graph:
Joe Sandbox behavior graph ID 1709505, sample Pls.exe, start date 09/06/2025, architecture WINDOWS, score 100. The graph is reproduced below as a process tree; the node numbers of the original rendering are dropped.

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures.
DNS: ipwho.is

Pls.exe
  drops: C:\Refbrokersvc\infinity.exe (PE32+), C:\Refbrokersvc\bridgeBlock.exe (PE32), C:\Refbrokersvc\RunProtect.exe (PE32), 2 other malicious files
  signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  +-- wscript.exe  [Windows Scripting host queries suspicious COM object (likely to drop second stage)]
  |   +-- cmd.exe
  |       +-- bridgeBlock.exe
  |       |     drops: C:\Users\user\Desktop\vaawDxhI.log (PE32), C:\Users\user\Desktop\UkqBzixL.log (PE32), C:\Users\user\Desktop\RdssePDQ.log (PE32), 10 other malicious files
  |       |     signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; 4 other signatures
  |       |     +-- csc.exe  [drops C:\Windows\...\SecurityHealthSystray.exe (PE32); Infects executable files (exe, dll, sys, html)]
  |       |     |   +-- conhost.exe
  |       |     |   +-- cvtres.exe
  |       |     +-- cmd.exe
  |       |     |   +-- conhost.exe
  |       |     |   +-- chcp.com
  |       |     |   +-- w32tm.exe
  |       |     +-- schtasks.exe
  |       |     +-- 15 other processes
  |       +-- conhost.exe
  +-- RunProtect.exe
  |     drops: C:\Users\user\AppData\...\RunShellXDWD.exe (PE32)
  |     signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
  |     +-- RunShellXDWD.exe
  |     |     network: 94.156.115.95:4782 (SKATTV-ASBG, Bulgaria, local port 49682); ipwho.is 108.181.98.179:443 (ASN852CA, Canada, local port 49684)
  |     |     drops: C:\Users\user\AppData\...\2uKOt2UzimXZ.exe (PE32), C:\Recovery\OEM\0YZB1HAAK5SVB05XQO1G.exe (PE32)
  |     |     signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 7 other signatures
  |     |     +-- schtasks.exe -> conhost.exe
  |     |     +-- netsh.exe -> conhost.exe
  |     |     +-- powershell.exe -> conhost.exe
  |     |     +-- sdIjxVVH.exe
  |     +-- schtasks.exe -> conhost.exe
  +-- FinalMom.exe  [Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Queries memory information (via WMI often done to detect virtual machines); Uses threadpools to delay analysis; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)]
  +-- infinity.exe -> conhost.exe
yv2vPIzWzZIVY.exe  [Antivirus detection for dropped file; Multi AV Scanner detection for dropped file]
DsVepkhH9hyQ091houe0XT.exe
6 other processes
Threat name:
ByteCode-MSIL.Trojan.Amadey
Status:
Malicious
First seen:
2025-06-09 11:54:22 UTC
File Type:
PE (Exe)
Extracted files:
30
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:celestialrat family:quasar botnet:1 campaign:0�x+� discovery execution persistence privilege_escalation spyware stealer trojan
Behaviour
Modifies registry class
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
CelestialRAT
Celestialrat family
Detects CelestialRAT.
Modifies WinLogon for persistence
Process spawned unexpected child process
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
94.156.115.95:4782
Unpacked files
SHA256 hash: c598101df884baa2a9db9162b00fe4ab7adf469ae87d764e6d8b210fe095e565
MD5 hash: c7a64827a51b9e2b028cc2a96bbe6ba2
SHA1 hash: 32f77327ba5eb6251d90aedd7ebe144b2cd80677

SHA256 hash: 1003fdd6b84f40226ae30fc1e9b0bb6eaedd77d78f67d5fcf37d6074c02aed73
MD5 hash: 2d10c1aec4d288a98cdb96fbe8333415
SHA1 hash: 8dc1b723c10d25e6b4a7ed6489f68b834918c4c9
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24, INDICATOR_EXE_Packed_DotNetReactor

SHA256 hash: bef00cdc5b05fd58f16d4f409a7dce993c2e7e224d3cec7c72a106b40315f022
MD5 hash: a6ac982cd4c61e35291b87eab5a43984
SHA1 hash: ce6a8c051116b8635244d900200d5615999fbc7b

SHA256 hash: f6e562c67c0b28c422c5fb236e1a567298a306a4cde8d1b060e6e564519565d0
MD5 hash: 460a505cc48ef5d913059d1ec73d7d07
SHA1 hash: 7775615c830aa14d68c4d24e2b1e8450412b2562
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24, INDICATOR_EXE_Packed_ConfuserEx

SHA256 hash: 4d8a9e046c15c6fc8b1709cf429f4aeb3afe3f5f06733fe721020292b4eec819
MD5 hash: a2f333bbe08b11605c93d4075cfb5459
SHA1 hash: 2aba666e70612b2b872216770f701912eb65c399

SHA256 hash: 2b93377ea087225820a9f8e4f331005a0c600d557242366f06e0c1eae003d669
MD5 hash: d8bf2a0481c0a17a634d066a711c12e9
SHA1 hash: 7cc01a58831ed109f85b64fe4920278cedf3e38d

SHA256 hash: 026bbb05203a69634b68ddcab03a208c68a6063012a229077d94bceb15eac801
MD5 hash: 5144325e3f11fdda4bc645f5ec7ce2c0
SHA1 hash: 85a596d90726ad9e0851ac680492d5a9d5183395
Detections: QuasarRAT, cn_utf8_windows_terminal, malware_windows_xrat_quasarrat, MAL_QuasarRAT_May19_1, MAL_BackNet_Nov18_1, INDICATOR_EXE_Packed_Fody, INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL, INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

SHA256 hash: 7705a5ea500a05c1754f2d7d70ea20d99bcedbd4dcff9d9eb15f8b0dd7c5f773
MD5 hash: 37bbd5b4a0a8b11720f4a7ca03ab5622
SHA1 hash: cf1378c1ccab065e22f0a8af2dd1e44a803e5398

SHA256 hash: 8dfd42f00a9ea5ef7e38e3880073b163af8ea86197f13c2464e495ccb8ce106f
MD5 hash: 80fcc3201573c8e5ed887bac23efaabe
SHA1 hash: 7a163130a91c4c25cd09d0f4af79d3a50cdcef19
Detections: SUSP_NET_Large_Static_Array_In_Small_File_Jan24, HKTL_NET_GUID_Quasar
Please note that we are no longer able to provide a coverage score for VirusTotal.
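The entry gives a practitioner two kinds of indicator to sweep for: the file hashes listed at the top and in the unpacked-files list, and the Quasar C2 socket 94.156.115.95:4782 from the extracted configuration. The script below is an added example, not MalwareBazaar's code: it copies the three hashes of the submitted sample and the C2 socket from this entry, hashes a directory tree in a single pass per file, and matches Sysmon-Event-3-style connection lines against the exact ip:port pair. The files and the connection records it runs over are constructed inside demo() so the script works offline; the file names reuse names from the report but their content is made up.

```python
"""Hunting for the indicators this entry lists.

Added example; not code from MalwareBazaar. The three hashes and the C2 socket are copied
from the entry above; the files and connection records the functions run over are constructed
in demo() so the script runs offline."""
import hashlib
import io
import os
import re
import tempfile

# Indicators copied from this MalwareBazaar entry.
SAMPLE_HASHES = {
    "md5": "c7a64827a51b9e2b028cc2a96bbe6ba2",
    "sha1": "32f77327ba5eb6251d90aedd7ebe144b2cd80677",
    "sha256": "c598101df884baa2a9db9162b00fe4ab7adf469ae87d764e6d8b210fe095e565",
}
C2_IP, C2_PORT = "94.156.115.95", 4782   # extracted Quasar C2; 4782 is Quasar's default listener port


def digest_stream(stream, chunk=1 << 20):
    """Single pass, three digests: the sample is a 7 MB SFX, so read once, not once per algorithm."""
    hs = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for block in iter(lambda: stream.read(chunk), b""):
        for h in hs.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hs.items()}


def hash_bytes(data):
    return digest_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as f:
        return digest_stream(f)


def ioc_set(*hash_dicts):
    """Flatten any number of {algo: hexdigest} dicts into one lowercase lookup set."""
    return {v.lower() for d in hash_dicts for v in d.values()}


def scan_tree(root, iocs):
    """Walk root and return (path, algo, digest) for every file whose digest is in iocs."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:          # unreadable or locked file: skip it, do not abort the sweep
                continue
            hits.extend((path, algo, dg) for algo, dg in digests.items() if dg in iocs)
    return hits


NETCONN = re.compile(r"DestinationIp:\s*([\d.]+)\s.*?DestinationPort:\s*(\d+)")


def find_c2_connections(lines, ip=C2_IP, port=C2_PORT):
    """Match Sysmon-event-3-style lines on the exact ip+port pair, so another Quasar operator
    on 4782 or an unrelated service on the same host does not count as a hit."""
    return [ln for ln in lines
            if (m := NETCONN.search(ln)) and m.group(1) == ip and int(m.group(2)) == port]


def demo():
    """Constructed workspace: one 'dropped' file whose hash stands in for a report hash,
    one benign file, and three constructed connection records (not from the sandbox run)."""
    log = [
        "Image: C:\\Users\\user\\AppData\\Roaming\\RunShellXDWD.exe DestinationIp: 94.156.115.95 DestinationPort: 4782 Protocol: tcp",
        "Image: C:\\Users\\user\\AppData\\Roaming\\RunShellXDWD.exe DestinationIp: 108.181.98.179 DestinationPort: 443 Protocol: tcp",
        "Image: C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationIp: 94.156.115.95 DestinationPort: 443 Protocol: tcp",
    ]
    with tempfile.TemporaryDirectory() as root:
        dropped = os.path.join(root, "Refbrokersvc", "bridgeBlock.exe")
        os.makedirs(os.path.dirname(dropped))
        with open(dropped, "wb") as f:
            f.write(b"constructed stand-in for a dropped PE")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"constructed benign file")
        iocs = ioc_set(SAMPLE_HASHES, {"sha256": hash_file(dropped)["sha256"]})
        hits = scan_tree(root, iocs)
    return [(os.path.basename(p), algo) for p, algo, _ in hits], find_c2_connections(log)


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping in mind when using this against real hosts: hash matching only finds the exact binaries listed here, while the imphash and ssdeep values above are what you would use to find re-packed siblings; and the second connection in the constructed log (ipwho.is on 443) is the geolocation lookup the sandbox also observed, which is a useful pivot but not something to block on its own because it is a public service.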

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:dcrat_
Author:Michelle Khalil
Description:This rule detects unpacked dcrat malware samples.
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
QuasarRAT | Executable exe | c598101df884baa2a9db9162b00fe4ab7adf469ae87d764e6d8b210fe095e565 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint, a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
GDI_PLUS_API | Interfaces with Graphics | gdiplus.dll::GdiplusStartup, gdiplus.dll::GdiplusShutdown, gdiplus.dll::GdipAlloc
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AllocConsole, KERNEL32.dll::AttachConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW
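The two BLint findings come from two fields of the PE header: the IMAGE_DIRECTORY_ENTRY_SECURITY data directory, which is empty when no Authenticode signature blob is attached, and the DllCharacteristics word, where HIGH_ENTROPY_VA (0x0020) is one of the mitigation bits. The parser below is an added example, not BLint's code and not part of this page: it reads just those fields and reports the same two check IDs. The PE images it runs on are constructed header-only buffers built by build_min_pe(), not the sample; the demo image is built to trip both checks the way the report above does.

```python
"""Reproducing the two BLint findings above with a bare-bones PE header parser.

Added example, not BLint's code and not part of the MalwareBazaar page. It parses only the
fields the two checks need (DllCharacteristics and the Security data directory); the header
bytes it runs on are constructed by build_min_pe(), not taken from the sample."""
import struct

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",   # 64-bit ASLR; only meaningful for PE32+ images
    0x0040: "DYNAMIC_BASE",      # ASLR
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",         # DEP
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset and size of the Authenticode blob


def inspect_pe(data):
    """Return the mitigation flags, what is missing, and BLint-style check IDs for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic %#x" % magic)
    pe32plus = magic == 0x20B
    # DllCharacteristics sits at +70 in both PE32 and PE32+; data directories start at +96 / +112.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dirs = opt + (112 if pe32plus else 96)
    (n_dirs,) = struct.unpack_from("<I", data, dirs - 4)
    cert_off = cert_size = 0
    if n_dirs > SECURITY_DIR and dirs + 8 * SECURITY_DIR + 8 <= opt + opt_size:
        cert_off, cert_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    flags = {name for bit, name in DLL_CHARACTERISTICS.items() if dll_chars & bit}
    # HIGH_ENTROPY_VA is only expected of 64-bit images; a PE32 file cannot meaningfully set it.
    wanted = {"DYNAMIC_BASE", "NX_COMPAT"} | ({"HIGH_ENTROPY_VA"} if pe32plus else set())
    missing = sorted(wanted - flags)
    findings = []
    if cert_size == 0:
        findings.append("CHECK_AUTHENTICODE")         # no certificate table at all
    if missing:
        findings.append("CHECK_DLL_CHARACTERISTICS")  # at least one mitigation bit not set
    return {"pe32plus": pe32plus, "machine": machine, "flags": flags, "missing": missing,
            "has_certificate_table": cert_size > 0, "findings": findings}


def build_min_pe(pe32plus, dll_chars, cert_size):
    """Constructed header-only image: DOS header, PE signature, COFF header and an optional
    header with 16 data directories. Enough for inspect_pe(); not a loadable executable."""
    opt = bytearray(240 if pe32plus else 224)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, 2)             # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    dirs = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dirs - 4, 16)      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs + 8 * SECURITY_DIR, 0x1000 if cert_size else 0, cert_size)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), 0x0022)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE signature right after the DOS header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # 64-bit image with ASLR and DEP but no HIGH_ENTROPY_VA and no signature: both BLint checks fire.
    print(inspect_pe(build_min_pe(True, 0x0140, 0))["findings"])
    # Same image with the bit set and a certificate table present: clean.
    print(inspect_pe(build_min_pe(True, 0x0160, 0x2000))["findings"])
```

Two caveats apply equally to BLint's output and to this parser. A non-empty certificate table only means a signature blob is attached; whether it verifies, and against which certificate, is a separate check (WinVerifyTrust or signtool verify on Windows). And a 32-bit image, which is what TrID's WinRAR SFX identification suggests this sample is, cannot meaningfully set HIGH_ENTROPY_VA, so the parser above only expects that bit of PE32+ images; a linter that reports the bit unconditionally will flag every PE32 file.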

Comments