MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 d6794a5fe565bdb5451694d27c34b535409274e508b1400b7a7ccd823970d3d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
QatarRAT
Vendor detections: 15
| SHA256 hash: | d6794a5fe565bdb5451694d27c34b535409274e508b1400b7a7ccd823970d3d6 |
|---|---|
| SHA3-384 hash: | 45657ee37ecf4d3320f57d147a70235bcb5cb88c6f0bee0dbe071bb1552e175edb8dc88e3908cdffcafd23c6f108b8b9 |
| SHA1 hash: | dca14ed1498b3079bb847d895265dedc10ab6af8 |
| MD5 hash: | b4df297be76e264e5c31291815b43d3e |
| humanhash: | delta-texas-pluto-angel |
| File name: | 1.exe |
| Download: | download sample |
| Signature | QatarRAT |
| File size: | 7'863'296 bytes |
| First seen: | 2026-01-29 19:04:01 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger) |
| ssdeep | 98304:58GabLf+Igk/27Nn4wxEJ/2C2RYeOVgypS7J3paSmAMDHb4uH:iLbD+lk+7S6k2C2jnypS1/u |
| Threatray | 33 similar samples on MalwareBazaar |
| TLSH | T1AF86011DBE64C970CAAE8E7758710438AF3035CFB69CAF0E397C90A53A923357949356 |
| TrID | 43.6% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 25.7% (.EXE) InstallShield setup (43053/19/16) 9.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 6.2% (.EXE) Win64 Executable (generic) (10522/11/4) 3.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) |
| Magika | pebin |
| Reporter |  BlinkzSec |
| Tags: | 45-150-34-23 exe QatarRAT |
Intelligence
File Origin
# of uploads :
1
# of downloads :
99
Origin country :
CZVendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_d6794a5fe565bdb5451694d27c34b535409274e508b1400b7a7ccd823970d3d6.exe
Verdict:
Malicious activity
Analysis date:
2026-01-29 19:05:03 UTC
Tags:
evasion celestialrat rat generic stealer ims-api
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Verdict:
Malicious
Score:
99.9%
Tags:
ransomware dropper micro
Result
Verdict:
Malware
Maliciousness:
Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Blocking the Windows Defender launch
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
anti-vm base64 cmd cmstp evasive explorer fingerprint fingerprint lolbin obfuscated packed reconnaissance redcap rundll32 runonce schtasks stealer telegram vbnet wscript zusy
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-13T01:49:00Z UTC
Last seen:
2026-01-30T12:53:00Z UTC
Hits:
~100
Detections:
Trojan-Spy.TeleBot.HTTP.C&C Trojan.Chapak.HTTP.ServerRequest Trojan.Win32.Agent.sb HEUR:HackTool.Win64.ChromElevator.gen Trojan-Spy.Stealer.TCP.C&C HEUR:Trojan-Spy.MSIL.Agent.sb Worm.MSIL.Agent.sb Trojan-PSW.Win64.Rabbit.sb Trojan-PSW.MSIL.Stealer.sb BSS:Trojan.Win32.Generic Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Disco.sb HEUR:Trojan-Dropper.MSIL.Agent.gen Trojan-PSW.MSIL.DiscoStealer.sb HEUR:Exploit.MSIL.BypassUAC.gen HackTool.Win64.ChromElevator.a NetTool.TelegramSendMessage.HTTP.C&C
Verdict:
Unknown
Score:
100%
Verdict:
Malware
File Type:
PE
Gathering data
Verdict:
Malicious
Threat:
Family.CELESTIALRAT
Threat name:
ByteCode-MSIL.Trojan.CelestialCStealer
Status:
Malicious
First seen:
2026-01-11 01:05:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
27 of 36 (75.00%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
arkanixstealer
qatarrat
Similar samples:
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
10/10
Tags:
discovery evasion trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Looks up external IP address via web service
Modifies Windows Defender DisableAntiSpyware settings
Unpacked files
SH256 hash:
d6794a5fe565bdb5451694d27c34b535409274e508b1400b7a7ccd823970d3d6
MD5 hash:
b4df297be76e264e5c31291815b43d3e
SHA1 hash:
dca14ed1498b3079bb847d895265dedc10ab6af8
Detections:
win_lumma_a0
SH256 hash:
83f1a0723e3a529fa964eedba0558e539c3364c88f2042482da9e90eed392d4c
MD5 hash:
7e906f3907b1314db89f8bfb50e76f69
SHA1 hash:
20747c55cd119963a32fa84e4f7edc1c95280669
Detections:
ReflectiveLoader
SH256 hash:
650f757e133cd6fc030977c4f847aeaa36eb554ba1848a291f30e4ff0ff63b8d
MD5 hash:
6bdd50f6716d0519413d840a55cd6a43
SHA1 hash:
05456650b761058aa10200e2ec6b3e97297c136d
SH256 hash:
72ab3a5f637c219d939cddf2f3bf21d16bbab5f85e9507389cf560ed5fbe25a7
MD5 hash:
e4a9e075df779457b108d150ca321c8a
SHA1 hash:
5ffbf5550f71448f7727f2e0da46e11466abdc89
Detections:
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
SH256 hash:
5d911a1e435599df86dc0b9cf440cd37eae1c2ca9a3ec05fad678da57b492825
MD5 hash:
0770db6d8f392ac6589530663816ec59
SHA1 hash:
6cdf6ba2bc48463f161a41ed79216406343f633d
Malware family:
QatarRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | CP_Script_Inject_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | Detects attempts to inject code into another process across PE, ELF, Mach-O binaries |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__QueryInfo |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__RemoteAPI |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | Detect_PowerShell_Obfuscation |
|---|---|
| Author: | daniyyell |
| Description: | Detects obfuscated PowerShell commands commonly used in malicious scripts. |
| Rule name: | FreddyBearDropper |
|---|---|
| Author: | Dwarozh Hoshiar |
| Description: | Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip. |
| Rule name: | Glasses |
|---|---|
| Author: | Seth Hardy |
| Description: | Glasses family |
| Rule name: | GlassesCode |
|---|---|
| Author: | Seth Hardy |
| Description: | Glasses code features |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | grakate_stealer_nov_2021 |
|---|
| Rule name: | INDICATOR_EXE_Packed_Fody |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables manipulated with Fody |
| Rule name: | INDICATOR_SUSPICIOUS_Binary_References_Browsers |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables embedding registry key / value combination indicative of disabling Windows Defender features |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_TelegramChatBot |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables using Telegram Chat Bot |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF |
| Rule name: | Multifamily_RAT_Detection |
|---|---|
| Author: | Lucas Acha (http://www.lukeacha.com) |
| Description: | Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | NETexecutableMicrosoft |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_imphash |
|---|
| Rule name: | RANSOMWARE |
|---|---|
| Author: | ToroGuitar |
| Rule name: | ReflectiveLoader |
|---|---|
| Author: | Florian Roth (Nextron Systems) |
| Description: | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended |
| Reference: | Internal Research |
| Rule name: | reverse_http |
|---|---|
| Author: | CD_R0M_ |
| Description: | Identify strings with http reversed (ptth) |
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | Sus_CMD_Powershell_Usage |
|---|---|
| Author: | XiAnzheng |
| Description: | May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP) |
| Rule name: | telebot_framework |
|---|---|
| Author: | vietdx.mb |
| Rule name: | TelegramAPIMalware_PowerShell_EXE |
|---|---|
| Author: | @polygonben |
| Description: | Hunting for pwsh malware using Telegram for C2 |
| Rule name: | telegram_bot_api |
|---|---|
| Author: | rectifyq |
| Description: | Detects file containing Telegram Bot API |
| Rule name: | Warp |
|---|---|
| Author: | Seth Hardy |
| Description: | Warp |
| Rule name: | WarpStrings |
|---|---|
| Author: | Seth Hardy |
| Description: | Warp Identifying Strings |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.