MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb91a07bcde29ad710bcc98259ea71f15b4a0fe65082fa6481ab8ac8b8b641e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 18

Intelligence 18 IOCs YARA 7 File information Comments

SHA256 hash:	cb91a07bcde29ad710bcc98259ea71f15b4a0fe65082fa6481ab8ac8b8b641e0
SHA3-384 hash:	b53be0f2c69feaa8cd8e47900921862f3bdd4e156c3e6bb4044de8f5fd20c3bd3c57587a8fe466ccf866eb967dec0038
SHA1 hash:	940c01dd0cd625b8b3fab93e57614cb36d464c7a
MD5 hash:	60eb9c7500e862b147abe91eae94579c
humanhash:	twenty-steak-purple-sink
File name:	q8d90.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	264'446 bytes
First seen:	2025-07-27 11:37:40 UTC
Last seen:	2025-08-02 22:55:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'471 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	3072:44NpVq8BxFRzaqF+o2GQJ7/JzqVfGvq/qieg9okIrVueJ0oFFKjX5myEZpv+LuTb:4gVqwlLx9eg9okROFQjjEZpTpm0wMJ
TLSH	T16F446B6A8EEBB242C5425474B93363814A7D1F75A5CF35518EF33FAD4AF3CA521230A2
TrID	52.9% (.EXE) Win32 Executable (generic) (4504/4/1) 23.5% (.EXE) Generic Win/DOS Executable (2002/3) 23.5% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
dhash icon	f0d0c8cdcd88c0e0 (10 x AsyncRAT, 5 x XWorm, 4 x Formbook)
Reporter	skocherhan
Tags:	exe QuasarRAT

skocherhan

http://167.160.161.247/q8d90.exe

C2:
66.63.187.164:8596
167.160.161.247:8596

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

quasar

ID:

File name:

_cb91a07bcde29ad710bcc98259ea71f15b4a0fe65082fa6481ab8ac8b8b641e0.exe

Verdict:

Malicious activity

Analysis date:

2025-07-27 11:38:53 UTC

Tags:

evasion auto-reg quasar

Link:

https://app.any.run/tasks/8d987847-0b18-47aa-b647-0873b9a465dd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

QuasarRAT

Link:

https://www.capesandbox.com/analysis/17139/

Detection(s):

Win.Packed.Passwordstealera-7544289-0

Win.Packed.Passwordstealera-7544294-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68860fa4af3050dc8d3185cf

Tags:

autorun quasar

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Launching a process

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a file

Creating a window

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Connection attempt to an infection source

Enabling autorun by creating a file

Enabling threat expansion on mass storage devices

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

mpress net overlay packed quasarrat

Link:

https://www.filescan.io/uploads/68860fa513488cfd44da48a0/reports/0aa2a515-2b47-43aa-a31f-93dd3a96a3b5/overview

Verdict:

Malicious

Labled as:

Ransom.Imps.Generic

Link:

https://www.hybrid-analysis.com/sample/cb91a07bcde29ad710bcc98259ea71f15b4a0fe65082fa6481ab8ac8b8b641e0

Malware family:

Quasar RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9ce223c7-4c31-4ab9-9bbe-6c73ddc3d667

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/cb91a07bcde29ad710bcc98259ea71f15b4a0fe65082fa6481ab8ac8b8b641e0

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable PE (Portable Executable) SOS: 0.29 Win 32 Exe x86

Link:

https://app.malva.re/file/60eb9c7500e862b147abe91eae94579c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cb91a07bcde29ad710bcc98259ea71f15b4a0fe65082fa6481ab8ac8b8b641e0/

Verdict:

Malicious

Threat:

Trojan.MSIL.Quasar

Link:

https://tip.neiki.dev/file/cb91a07bcde29ad710bcc98259ea71f15b4a0fe65082fa6481ab8ac8b8b641e0

Threat name:

ByteCode-MSIL.Backdoor.Quasar

Status:

Malicious

First seen:

2025-07-22 03:30:58 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

30 of 35 (85.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zoi2a66n4knnoef4zgbft2tr6fnuud7gkcbpuzebvofmrofwihqa._file

Verdict:

malicious

Label(s):

quasarrat

Similar samples:

error

QuasarRAT

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar botnet:office04 execution persistence spyware trojan

Link:

https://tria.ge/reports/250727-nrtbdaxms6/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Drops autorun.inf file

Adds Run key to start application

Looks up external IP address via web service

Executes dropped EXE

Quasar RAT

Quasar family

Quasar payload

Malware Config

C2 Extraction:

66.63.187.164:8596
167.160.161.247:8596

Verdict:

Malicious

Tags:

Win.Packed.Passwordstealera-7544289-0 Qasar_Rat AZORult External_IP_Lookup VoidRat

YARA:

n/a

Link:

https://app.threat.zone/submission/f4638997-e2eb-4312-9dfd-d409c1a95121

Unpacked files

SH256 hash:

cb91a07bcde29ad710bcc98259ea71f15b4a0fe65082fa6481ab8ac8b8b641e0

MD5 hash:

60eb9c7500e862b147abe91eae94579c

SHA1 hash:

940c01dd0cd625b8b3fab93e57614cb36d464c7a

Link:

https://www.unpac.me/results/f6cb5d12-4f1a-407a-bc9f-57509540676b/

SH256 hash:

ed2cab53c796d4c2680980c72d5130a0277b2d4cf5630e1aa614ce2316435ab1

MD5 hash:

57f7b26159e020bee341b11a949705ad

SHA1 hash:

1dbf4e84ad80c2856a2fa9d7d9e0fbacf566468a

Detections:

win_blackshades_w0

QuasarRAT

cn_utf8_windows_terminal

malware_windows_xrat_quasarrat

Quasar_RAT_1

Quasar_RAT_2

MAL_QuasarRAT_May19_1

Vermin_Keylogger_Jan18_1

xRAT_1

CN_disclosed_20180208_KeyLogger_1

win_quasarrat_j1

Quasar

win_quasar_rat_client

INDICATOR_SUSPICIOUS_GENRansomware

INDICATOR_SUSPICIOUS_GENInfoStealer

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_QuasarRAT

Link:

https://www.unpac.me/results/f6cb5d12-4f1a-407a-bc9f-57509540676b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cb91a07bcde29ad710bcc98259ea71f15b4a0fe65082fa6481ab8ac8b8b641e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	mpress_2_xx_net Create hunting rule
Author:	Kevin Falcoz
Description:	MPRESS v2.XX .NET

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	TeslaCryptPackedMalware Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

exe cb91a07bcde29ad710bcc98259ea71f15b4a0fe65082fa6481ab8ac8b8b641e0

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3590316/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/17139/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample