MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c770ea7f1671155bc9dad5e6fafaf5e6c8644bf251e042bab6d9bb4391b6473a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c770ea7f1671155bc9dad5e6fafaf5e6c8644bf251e042bab6d9bb4391b6473a
SHA3-384 hash: 76847b297f60e908f6018092cb00d335a04adba3cf7b85bea3c72be514fdc521e5fe24ea44421baf266a24a18d861591
SHA1 hash: 5c2339cf616e8ba8820b1faefb1b1bab5059508d
MD5 hash: 510b82abc1eebec46e403a840c554a15
humanhash: asparagus-diet-helium-sodium
File name:stub-crypted.bat
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:2'167'385 bytes
First seen:2025-11-03 21:22:02 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 24576:sNOFFNnGGcfhBQOwqroDFCqlq+AegagtwxDd9SQbPA5IdBsC0fWui4SvryGjwNM5:sQgBN8DY3eVpVA5OyGHNywiO
Threatray 137 similar samples on MalwareBazaar
TLSH T185A5232A7C6EBB380BFCC27A90DB2E546F9ECAE19710F5DF53684081119E71BC907685
Magika batch
Reporter smica83
Tags:bat QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
stub-crypted.bat
Verdict:
Malicious activity
Analysis date:
2025-11-03 21:23:48 UTC
Tags:
evasion crypto-regex
Link:
https://app.any.run/tasks/9ab1c8fb-63ca-4c8a-a123-9760a8bdb269

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35193/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69091d26706befaf4ecb786a
Tags:
xtreme shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Connection attempt to an infection source
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Query of malicious DNS domain
Using obfuscated Powershell scripts
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 base64 evasive evasive obfuscated packed powershell
Link:
https://www.filescan.io/uploads/69091d204425b0b1fd127a1e/reports/1fbd4b40-daff-445b-8790-86d08a33a12d/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/c770ea7f1671155bc9dad5e6fafaf5e6c8644bf251e042bab6d9bb4391b6473a
Verdict:
Clean
File Type:
text
First seen:
2025-11-03T20:04:00Z UTC
Last seen:
2025-11-03T20:20:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/c770ea7f1671155bc9dad5e6fafaf5e6c8644bf251e042bab6d9bb4391b6473a/results?tab=lookup
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1807279
Signature
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Powerup Write Hijack DLL
Suspicious powershell command line found
Yara detected Costura Assembly Loader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1807279 Sample: stub-crypted.bat Startdate: 03/11/2025 Architecture: WINDOWS Score: 100 35 language-you.gl.at.ply.gg 2->35 37 j-nl.gl.at.ply.gg 2->37 39 ipwho.is 2->39 47 Malicious sample detected (through community Yara rule) 2->47 49 Yara detected Quasar RAT 2->49 51 .NET source code contains potential unpacker 2->51 53 5 other signatures 2->53 9 cmd.exe 1 2->9         started        signatures3 process4 signatures5 55 Suspicious powershell command line found 9->55 57 Bypasses PowerShell execution policy 9->57 12 powershell.exe 15 46 9->12         started        17 conhost.exe 9->17         started        process6 dnsIp7 41 language-you.gl.at.ply.gg 147.185.221.25, 42287, 49690 SALSGIVERUS United States 12->41 43 j-nl.gl.at.ply.gg 147.185.221.26, 15505, 49694 SALSGIVERUS United States 12->43 45 ipwho.is 15.204.213.5, 443, 49691 HP-INTERNET-ASUS United States 12->45 27 C:\Users\user\AppData\Roaming\...\SharpDX.dll, PE32 12->27 dropped 29 C:\Users\user\...\SharpDX.Mathematics.dll, PE32 12->29 dropped 31 C:\Users\user\...\SharpDX.Direct3D11.dll, PE32 12->31 dropped 33 12 other malicious files 12->33 dropped 59 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->59 61 Query firmware table information (likely to detect VMs) 12->61 63 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->63 65 Powershell drops PE file 12->65 19 cmd.exe 1 12->19         started        file8 signatures9 process10 process11 21 conhost.exe 19->21         started        23 timeout.exe 1 19->23         started        25 chcp.com 1 19->25         started       
Score:
96%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/c770ea7f1671155bc9dad5e6fafaf5e6c8644bf251e042bab6d9bb4391b6473a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c770ea7f1671155bc9dad5e6fafaf5e6c8644bf251e042bab6d9bb4391b6473a/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/c770ea7f1671155bc9dad5e6fafaf5e6c8644bf251e042bab6d9bb4391b6473a
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y5you7ywoekvxso22xtpv6xv43egis7skhqefovw3g5uhenwi45a._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
12ce3769229d84d3e5656fa6d96fbfaefe3a844c5124378c30de5139031dc6b2
QuasarRAT
6a95f54230338584556d3dc370e1da5d4e326aab83c20413d446ab71a8f43d37
QuasarRAT
9614ef4ee182fb6ee147ba8ebad8e68679010e792b0fd4108127e28538791b74
QuasarRAT
9e678705b2f481ed4c6e35891f0dae9aba4ebb2c42fbda7a3095f73e6550ba2d
QuasarRAT
d3ef0e594e1984dfb2a32349c2ca01cecc9de210b3cc4358516a5ee5046b42f7
QuasarRAT
error
QuasarRAT
feda854ecc1a6a8c56fb765c2964a5b2a9dbf1cff7ef9149b4e576d4a96e5269
QuasarRAT
+ 127 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar execution spyware trojan
Link:
https://tria.ge/reports/251103-z78xjshx5a/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Badlisted process makes network request
Quasar RAT
Quasar family
Quasar payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/c770ea7f1671155bc9dad5e6fafaf5e6c8644bf251e042bab6d9bb4391b6473a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAT_Chunked_Payload_SetEnv
Create hunting rule
Author:marcin@ulikowski.pl
Description:Detects batch script storing chunks of payload in random environment variables
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/35193/

Comments