MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbceaf45b5442e4693a1cb24116820a26dace4d23c348ba9539b1faa049f70a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 15 File information Comments

SHA256 hash:	cbceaf45b5442e4693a1cb24116820a26dace4d23c348ba9539b1faa049f70a6
SHA3-384 hash:	50021dfc1941797e4d2ec921a28afc57243c6592e7f1ac3716dfdafe38e74846fa8738b3e22de76d61bb5a637b9238cc
SHA1 hash:	1fc3c86f1ce442fac037af6072e00ef51442dec8
MD5 hash:	9517ecc03f8378bb6bb1db7ab324201c
humanhash:	lamp-chicken-texas-december
File name:	cbceaf45b5442e4693a1cb24116820a26dace4d23c348ba9539b1faa049f70a6
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	32'411'552 bytes
First seen:	2025-12-28 14:37:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ac4ded70f85ef621e5f8917b250855be (37 x OffLoader, 3 x Tofsee, 3 x QuasarRAT)
ssdeep	98304:cN66MH17dWH8glgm7WlcVNMIg/0pH2a++CBsIMCy0we:YMH1UHbgg4SGIm0WbsIcK
Threatray	289 similar samples on MalwareBazaar
TLSH	T1A1671233B28A673EE06E5A3B59B692105D3B7A21A51F8C1696F44C8CCF2D0601E3F757
TrID	60.0% (.EXE) Inno Setup installer (107240/4/30) 23.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 5.8% (.EXE) Win64 Executable (generic) (10522/11/4) 3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	exe hov-kievholod-kiev-ua QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/ab84ce64-f882-4714-9f38-3c7024757008/

Malware family:

n/a

ID:

File name:

cbceaf45b5442e4693a1cb24116820a26dace4d23c348ba9539b1faa049f70a6

Verdict:

Suspicious activity

Analysis date:

2025-12-28 14:50:16 UTC

Tags:

pastebin upx

Link:

https://app.any.run/tasks/d4b94efc-f66a-43a0-87cb-f0f2842c4073

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=695140df6de7591fd8fc0d8e

Tags:

dropper virus

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context embarcadero_delphi expand fingerprint inno installer installer installer-heuristic lodarat lolbin overlay packed tofsee

Link:

https://www.filescan.io/uploads/695140d9e126b9ff439406e7/reports/8301d670-aaa3-4c83-92de-24b720d806d4/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/cbceaf45b5442e4693a1cb24116820a26dace4d23c348ba9539b1faa049f70a6

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-25T23:12:00Z UTC

Last seen:

2025-12-28T15:50:00Z UTC

Hits:

~100

Detections:

Trojan.Win32.Quasar.sb Trojan.MSIL.Quasar.a Backdoor.Win32.Zegost.sb Trojan-PSW.MSIL.Agent.sb Trojan.MSIL.Crypt.sb Backdoor.MSIL.Agent.sb Trojan.Win32.Mansabo.sb Trojan.Win32.AntiAV.sb Trojan.Win32.Agent.sb Trojan-PSW.Win32.Stealer.sb Trojan-Dropper.Win32.DLLhijack.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Gatak.sb Trojan.Win32.Foxhiex.sb Trojan.Win32.DLLhijack.sb Trojan.MSIL.Quasar.gco Trojan.MSIL.Quasar.gbz Trojan.Win32.RokRat.sb

Link:

https://opentip.kaspersky.com/cbceaf45b5442e4693a1cb24116820a26dace4d23c348ba9539b1faa049f70a6/results?tab=lookup

Score:

90%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/cbceaf45b5442e4693a1cb24116820a26dace4d23c348ba9539b1faa049f70a6

Gathering data

Verdict:

Malicious

Threat:

Family.QUASAR

Link:

https://tip.neiki.dev/file/cbceaf45b5442e4693a1cb24116820a26dace4d23c348ba9539b1faa049f70a6

Threat name:

Win32.Trojan.Kepavll

Status:

Malicious

First seen:

2025-12-26 04:49:00 UTC

File Type:

PE (Exe)

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zphk6rnviqxene5bzmsbc2baujw2zzgshq2ixkkttmp2ube7octa._file

Verdict:

malicious

Label(s):

quasarrat

QuasarRAT

34001bca6cbcf45ae88a5569ef82671238801cd9c2c0516aef5e3096e310ef40

QuasarRAT

cbceaf45b5442e4693a1cb24116820a26dace4d23c348ba9539b1faa049f70a6

QuasarRAT

d9942a6d35dded924026b36301f00829d2cbf05c57904f167a5d53609219dea5

QuasarRAT

e04c0a63203c01287f3caeb0713dbdaf55cf31a3fbaf5fdefd9e1047beb9436b

QuasarRAT

error

QuasarRAT

+ 279 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar botnet:day2 discovery installer spyware trojan upx

Link:

https://tria.ge/reports/251228-rzvqysbv2f/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Inno Setup is an open-source installation builder for Windows applications.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

UPX packed file

Legitimate hosting services abused for malware hosting/C2

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Quasar RAT

Quasar family

Quasar payload

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b1f18839-072e-408c-b48b-452afbaaa4f7

Malware family:

Vidar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cbceaf45b544/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cbceaf45b5442e4693a1cb24116820a26dace4d23c348ba9539b1faa049f70a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MAL_packer_lb_was_detected Create hunting rule
Author:	0x0d4y
Description:	Detect the packer used by Lockbit4.0

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample