MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2e62ae95bb3b29044db0ee7f88c6c3a9839e6dceb41284214cf5b821bd268d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 30 File information Comments

SHA256 hash: d2e62ae95bb3b29044db0ee7f88c6c3a9839e6dceb41284214cf5b821bd268d0
SHA3-384 hash: 968c564d48a3ea9661aa69e2e67382078ec769a9d7d10bb26ef96cd0a7d331ac1dfcbd7c74b644988a988b6781f50f36
SHA1 hash: cbb18dba5c3a4cde95fae82f4942966f1cc0de7e
MD5 hash: 561241e879c02689bbe0fcaebfbf2012
humanhash: eleven-glucose-hawaii-kitten
File name:sloppy indian malware script.ps1
Download: download sample
Signature QuasarRAT
File size:1'542'632 bytes
First seen:2026-04-10 18:24:25 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 1536:dqdzhoE7o+LgivFFB0QyGd5zF4WcBXLn6gKXvDIG8D+BLiOaV0vvQRqc0Ahp1kAx:Uw
Threatray 289 similar samples on MalwareBazaar
TLSH T1C565275303851BBDF69D0EC9C94B215B20F2D4677D251298EBB36EEBBC3B9849430636
Magika powershell
Reporter smica83
Tags:ps1 QuasarRAT

Intelligence


File Origin
# of uploads :
1
# of downloads :
124
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
94.9%
Tags:
ransomware quasar sage remo
Verdict:
Malicious
Labled as:
Susp.Obfuscted_PowerShell_Code.D.sd
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-04-10T13:23:00Z UTC
Last seen:
2026-04-11T13:29:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.PowerShell.AmsiBypass.n
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
AI detected malicious Powershell script
Antivirus detection for dropped file
Compiles code for process injection (via .Net compiler)
Detected Quasar RAT
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Suricata IDS alerts for network traffic
Writes to foreign memory regions
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Gathering data
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2026-04-10 18:25:46 UTC
File Type:
Text (PowerShell)
AV detection:
7 of 38 (18.42%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:quasar botnet:initial discovery execution spyware trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
82.29.96.88:1112
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:ClamAV_Emotet_String_Aggregate
Rule name:CN_disclosed_20180208_KeyLogger_1
Author:Florian Roth (Nextron Systems)
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:CN_disclosed_20180208_KeyLogger_1_RID3227
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:detect_powershell
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:malware_Quasar_strings
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:MALWARE_Win_QuasarRAT
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:Multifamily_RAT_Detection
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Quasar
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:quasarrat
Author:jeFF0Falltrades
Rule name:quasarrat_kingrat
Author:jeFF0Falltrades
Rule name:Quasar_RAT_1
Author:@SOCRadar
Description:Detects Quasar RAT
Rule name:Quasar_RAT_1_RID2B54
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Author:Florian Roth (Nextron Systems)
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2_RID2B55
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_OBFUSC_PowerShell_True_Jun20_1
Author:Florian Roth (Nextron Systems)
Description:Detects indicators often found in obfuscated PowerShell scripts. Note: This detection is based on common characteristics typically associated with the mentioned threats, must be considered a clue and does not conclusively prove maliciousness.
Reference:https://github.com/corneacristian/mimikatz-bypass/
Rule name:SUSP_OBFUSC_PowerShell_True_Jun20_1_RID335E
Author:Florian Roth
Description:Detects indicators often found in obfuscated PowerShell scripts
Reference:https://github.com/corneacristian/mimikatz-bypass/
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Vermin_Keylogger_Jan18_1
Author:Florian Roth (Nextron Systems)
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:Windows_Trojan_Quasarrat_e52df647
Author:Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments