MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccfcfe2d1d0ef829be00c388b38f2150ede1665e26f5b7339661a0df85850dfa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccfcfe2d1d0ef829be00c388b38f2150ede1665e26f5b7339661a0df85850dfa
SHA3-384 hash: ab71eba4a4775ec75ee9bfdc7f0da2d78d243b7956af413bff65756b54ecf0624231e395cdb804d93d39d05ec26e0411
SHA1 hash: f68756191669e3587ca6f7f769dc866d3050af1f
MD5 hash: 1e2d454f68ab6ab98b425a366b739da1
humanhash: carolina-red-india-magazine
File name:BootstrapperNew.bat
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'189'310 bytes
First seen:2025-10-22 17:19:10 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 49152:yaMWmg8DUUUUU2l8vbbbbbeQwX4+E/p1CE80ZzZ/SxnTQJ9o:C
Threatray 227 similar samples on MalwareBazaar
TLSH T1B5E523387DFE6DCF4928E4ACB79B3C4738308894A44A5DE213D2C89B76D8C550E6B857
Magika unknown
Reporter smica83
Tags:bat QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
57
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_ccfcfe2d1d0ef829be00c388b38f2150ede1665e26f5b7339661a0df85850dfa.txt
Verdict:
No threats detected
Analysis date:
2025-10-22 17:21:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/13359105-cfc7-4e96-9dde-0825d3293f36

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33785/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f912373edd081eba40cf33
Tags:
metasploit backdoor shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 evasive evasive exploit fingerprint lolbin obfuscated packed powershell reconnaissance wscript
Link:
https://www.filescan.io/uploads/68f91234fd2d7e012f4c82b2/reports/18a4144b-f322-4721-b321-941e1996b7a7/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ccfcfe2d1d0ef829be00c388b38f2150ede1665e26f5b7339661a0df85850dfa
Verdict:
Malicious
File Type:
ps1
First seen:
2025-10-22T16:03:00Z UTC
Last seen:
2025-10-24T07:31:00Z UTC
Hits:
~10
Detections:
UDS:DangerousObject.Multi.Generic
Link:
https://opentip.kaspersky.com/ccfcfe2d1d0ef829be00c388b38f2150ede1665e26f5b7339661a0df85850dfa/results?tab=lookup
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1800033
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to disable the Task Manager (.Net Source)
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses Register-ScheduledTask to add task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1800033 Sample: BootstrapperNew.bat Startdate: 22/10/2025 Architecture: WINDOWS Score: 100 41 ipwho.is 2->41 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for dropped file 2->63 65 Yara detected Powershell decode and execute 2->65 67 12 other signatures 2->67 10 cmd.exe 1 2->10         started        13 wscript.exe 1 2->13         started        signatures3 process4 signatures5 73 Suspicious powershell command line found 10->73 75 Wscript starts Powershell (via cmd or directly) 10->75 77 Bypasses PowerShell execution policy 10->77 15 powershell.exe 3 19 10->15         started        19 conhost.exe 10->19         started        79 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->79 81 Suspicious execution chain found 13->81 process6 file7 37 C:\Users\user\AppData\...\Windows_Log_27.vbs, ASCII 15->37 dropped 39 C:\Users\user\AppData\...\Windows_Log_27.bat, ASCII 15->39 dropped 47 Suspicious powershell command line found 15->47 49 Sets debug register (to hijack the execution of another thread) 15->49 51 Modifies the context of a thread in another process (thread injection) 15->51 53 Uses Register-ScheduledTask to add task schedules 15->53 21 wscript.exe 1 15->21         started        24 powershell.exe 37 15->24         started        signatures8 process9 signatures10 69 Wscript starts Powershell (via cmd or directly) 21->69 26 cmd.exe 1 21->26         started        71 Loading BitLocker PowerShell Module 24->71 29 conhost.exe 24->29         started        process11 signatures12 83 Suspicious powershell command line found 26->83 85 Wscript starts Powershell (via cmd or directly) 26->85 31 powershell.exe 14 26 26->31         started        35 conhost.exe 26->35         started        process13 dnsIp14 43 5.182.206.88, 49721, 49723, 9995 SERVERFIELD-ASServerfieldCoLtdTW Germany 31->43 45 ipwho.is 15.204.213.5, 443, 49722 HP-INTERNET-ASUS United States 31->45 55 Modifies the context of a thread in another process (thread injection) 31->55 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->57 59 Installs a global keyboard hook 31->59 signatures15
Score:
92%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/ccfcfe2d1d0ef829be00c388b38f2150ede1665e26f5b7339661a0df85850dfa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ccfcfe2d1d0ef829be00c388b38f2150ede1665e26f5b7339661a0df85850dfa/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/ccfcfe2d1d0ef829be00c388b38f2150ede1665e26f5b7339661a0df85850dfa
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zt6p4li5b34ctpqayoelhdzbkdw6czs6e323om4wmgqn7bmfbx5a._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
128b564d48862fe887ccebb64542c66a29b9943ed8bc7882bbb3992d4fe4792c
QuasarRAT
182272eef867fc6f3bcb4dfd68e7e9d27098a68f8f05dd45c12bb000537ea2bd
QuasarRAT
1c66ad71b16931d7d2d5c4f86fd5abc1dc07afbc32e112e29ba424a8f302d5f6
QuasarRAT
3662a8d4f950c9ebd0851e0b0713f2e48dfb7dd5ac3de02bae8acd1d6c4efd1d
QuasarRAT
37565b55aafaf0e15de3bbc9ee91d4c3f42f86d569c41048c92f5dc380d11e77
QuasarRAT
5df7a18c5674abbab89a53d3398c3398b800b14f8ff08488d89407402325f75a
QuasarRAT
6dbb22d7e0e30cbba3a888b9e736c9953c7edd4bb04a8855ff998f188e77e661
QuasarRAT
8fb0cb3397fd345f1c0d4406d6e07acce51ea58d3037cc58c1d86204e897e0a5
QuasarRAT
d77857e39d36842225e58a9d5977d73c86e5158858225a92ec16b2f2ca522fe3
QuasarRAT
error
QuasarRAT
f3e081a4b2e4302d3b14e5f16aca269ea93aa5cb816bb7ac2a8e4f51a80f0fde
QuasarRAT
+ 217 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar execution spyware trojan
Link:
https://tria.ge/reports/251022-vv729sfx5c/
Behaviour
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Quasar RAT
Quasar family
Quasar payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ccfcfe2d1d0ef829be00c388b38f2150ede1665e26f5b7339661a0df85850dfa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/33785/

Comments