MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e04c0a63203c01287f3caeb0713dbdaf55cf31a3fbaf5fdefd9e1047beb9436b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 42 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e04c0a63203c01287f3caeb0713dbdaf55cf31a3fbaf5fdefd9e1047beb9436b
SHA3-384 hash: b83d36261511b54333c55f5f4dd2679fb9042fd05f6ce13bb3e50d09a5e8c19b90530b1bac7f4c91b57ecaa9cbbc9b21
SHA1 hash: 7cf01912e56864c38756a0c16a68ea0213653a0e
MD5 hash: 02ce1d871c8834b9653f841fdcd8658a
humanhash: virginia-alaska-texas-bulldog
File name:Cross-platform_25.49.22_INSTALL.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:5'171'448 bytes
First seen:2025-12-23 17:43:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ac4ded70f85ef621e5f8917b250855be (25 x OffLoader, 2 x Tofsee, 2 x CHStealer)
ssdeep 98304:DN66JbK5muJg6l2+lAMplu87b27IX7tffcQWhza1mVQi96GK1pbxc5:zJW55JBRAM/uuhrdF0xhI8
Threatray 539 similar samples on MalwareBazaar
TLSH T100361233B28A673EE06E5A3759B6D2205D3B6621A44F8C56D6F44C4CCF2E1A01E3E747
TrID 49.8% (.EXE) Inno Setup installer (107240/4/30)
20.0% (.EXE) InstallShield setup (43053/19/16)
19.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10522/11/4)
2.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:178-22-24-175 exe QuasarRAT


Avatar
iamaachum
Quasar C2: 178.22.24.175:4782
Quasar Build ID: QA1

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
FR FR
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/057d4106-32b1-4bd9-a8cb-6e7840540d5e/
Malware family:
n/a
ID:
1
File name:
_e04c0a63203c01287f3caeb0713dbdaf55cf31a3fbaf5fdefd9e1047beb9436b.exe
Verdict:
Suspicious activity
Analysis date:
2025-12-23 17:45:18 UTC
Tags:
pastebin upx
Link:
https://app.any.run/tasks/bc3d7403-a24e-4fc5-b819-8545790328c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45914/
Verdict:
Clean
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694ad4f3038f10550b55244f
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed
Link:
https://www.filescan.io/uploads/694ad4f384afa5547b5cf3cf/reports/5f545402-c521-42a1-93dc-5809719be000/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/e04c0a63203c01287f3caeb0713dbdaf55cf31a3fbaf5fdefd9e1047beb9436b
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-23T14:51:00Z UTC
Last seen:
2025-12-23T17:15:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Quasar.sb Trojan.Win32.AntiAV.sb Trojan.MSIL.Quasar.a Backdoor.MSIL.Agent.sb Trojan-PSW.Win32.Stealer.sb Backdoor.SharPi.HTTP.C&C Trojan.Win32.Agent.sb Trojan.Win32.Mansabo.sb Trojan.Win32.Gatak.sb Trojan.MSIL.Crypt.sb Trojan.Win32.Foxhiex.sb Trojan.MSIL.Quasar.gbf Trojan.Win32.RokRat.sb Trojan.MSIL.Quasar.gbe Trojan-Dropper.Win32.DLLhijack.sb Trojan.Win32.DLLhijack.sb Trojan-PSW.MSIL.Agent.sb Trojan.Win32.Shellcode.sb
Link:
https://opentip.kaspersky.com/e04c0a63203c01287f3caeb0713dbdaf55cf31a3fbaf5fdefd9e1047beb9436b/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8a7b203d-5e79-491a-b671-25c9e2ae91cd
Result
Threat name:
Quasar, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1838363
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Unusual module load detection (module proxying)
Yara detected Quasar RAT
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1838363 Sample: Cross-platform_25.49.22_INS... Startdate: 23/12/2025 Architecture: WINDOWS Score: 100 89 pastebin.com 2->89 91 telegram.me 2->91 93 7 other IPs or domains 2->93 109 Suricata IDS alerts for network traffic 2->109 111 Found malware configuration 2->111 113 Malicious sample detected (through community Yara rule) 2->113 117 6 other signatures 2->117 15 Cross-platform_25.49.22_INSTALL.exe 2 2->15         started        18 eServiceHost.exe 2->18         started        21 unsecapp.exe 2->21         started        23 3 other processes 2->23 signatures3 115 Connects to a pastebin service (likely for C&C) 89->115 process4 file5 79 C:\...\Cross-platform_25.49.22_INSTALL.tmp, PE32 15->79 dropped 25 Cross-platform_25.49.22_INSTALL.tmp 3 5 15->25         started        107 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->107 signatures6 process7 file8 67 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 25->67 dropped 69 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 25->69 dropped 28 Cross-platform_25.49.22_INSTALL.exe 2 25->28         started        process9 file10 75 C:\...\Cross-platform_25.49.22_INSTALL.tmp, PE32 28->75 dropped 31 Cross-platform_25.49.22_INSTALL.tmp 5 15 28->31         started        process11 file12 81 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 31->81 dropped 83 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 31->83 dropped 85 C:\ProgramData\...\vcruntime140.dll (copy), PE32 31->85 dropped 87 9 other malicious files 31->87 dropped 34 eServiceHost.exe 15 4 31->34         started        process13 dnsIp14 95 178.22.24.175, 4782, 49697 CLEVERNETWORK-ASNFR Switzerland 34->95 97 ipwho.is 15.204.213.5, 443, 49699 HP-INTERNET-ASUS United States 34->97 99 3 other IPs or domains 34->99 63 C:\Users\user\...\Adaptive_96.3.0_INSTALL.exe, PE32 34->63 dropped 119 Hides that the sample has been downloaded from the Internet (zone.identifier) 34->119 121 Installs a global keyboard hook 34->121 123 Unusual module load detection (module proxying) 34->123 39 Adaptive_96.3.0_INSTALL.exe 2 34->39         started        file15 signatures16 process17 file18 65 C:\Users\user\...\Adaptive_96.3.0_INSTALL.tmp, PE32 39->65 dropped 42 Adaptive_96.3.0_INSTALL.tmp 3 5 39->42         started        process19 file20 71 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 42->71 dropped 73 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 42->73 dropped 45 Adaptive_96.3.0_INSTALL.exe 2 42->45         started        process21 file22 77 C:\Users\user\...\Adaptive_96.3.0_INSTALL.tmp, PE32 45->77 dropped 48 Adaptive_96.3.0_INSTALL.tmp 45->48         started        process23 file24 55 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 48->55 dropped 57 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 48->57 dropped 59 C:\ProgramData\...\vcruntime140_1.dll (copy), PE32+ 48->59 dropped 61 11 other malicious files 48->61 dropped 51 FnHotkeyUtility.exe 48->51         started        process25 dnsIp26 101 telegram.me 149.154.167.99 TELEGRAMRU United Kingdom 51->101 103 192.124.249.31 SUCURI-SECUS United States 51->103 105 4 other IPs or domains 51->105 125 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 51->125 127 Tries to detect virtualization through RDTSC time measurements 51->127 129 Found direct / indirect Syscall (likely to bypass EDR) 51->129 signatures27
Score:
82%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e04c0a63203c01287f3caeb0713dbdaf55cf31a3fbaf5fdefd9e1047beb9436b
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/02ce1d871c8834b9653f841fdcd8658a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e04c0a63203c01287f3caeb0713dbdaf55cf31a3fbaf5fdefd9e1047beb9436b/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/e04c0a63203c01287f3caeb0713dbdaf55cf31a3fbaf5fdefd9e1047beb9436b
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-12-23 17:44:20 UTC
File Type:
PE (Exe)
AV detection:
9 of 24 (37.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4bgauyzahqasq7z4v2yhcpn5v5k46mnd7oxv7xx5tyieppvzinvq._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
0b7a2e642b75da6700daafe701f887522e92a4da4d9c6841bf5cb1c182246512
QuasarRAT
229aa8d7f88dce937a06c3d10e7ee1a719921c7d56a2d51788bf76520897ae70
QuasarRAT
2cbf6f453f271cf0665934cdfb7595d2e2c5d21b68142b92c0a8aff4e24631fc
QuasarRAT
3fe1d9393cccefd8f83a40fc4522bc3e99831eb175c5bd2618a11ea28511b3a9
QuasarRAT
4dc52e577447f9128cbdb08210420fe8c49844f04cdbcd0f10ac3f55f561637d
QuasarRAT
a2a433d2a7bffe6f739ceda79931cc6fb1e8913a136b6f3e0610ad5c533e8d81
QuasarRAT
ac91e59453a37795cd8257acccd227d21f68f21a0019fc7765e0a3daa3caf4e0
QuasarRAT
e04c0a63203c01287f3caeb0713dbdaf55cf31a3fbaf5fdefd9e1047beb9436b
QuasarRAT
error
QuasarRAT
+ 529 additional samples on MalwareBazaar
Gathering data
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4a613946-9696-4411-bbbc-9fd5271fd5b4
Unpacked files
SH256 hash:
e04c0a63203c01287f3caeb0713dbdaf55cf31a3fbaf5fdefd9e1047beb9436b
MD5 hash:
02ce1d871c8834b9653f841fdcd8658a
SHA1 hash:
7cf01912e56864c38756a0c16a68ea0213653a0e
Link:
https://www.unpac.me/results/a1a9cb2c-9799-4a01-b98d-3c9f15cde8f9/
SH256 hash:
f3cdcb1ef1116ac35ee51a5fad0fa373e39deeb5bd634a01e8d66c02c2e63e21
MD5 hash:
00108ff09162a23c28f3de1814420d16
SHA1 hash:
cf32a3d9d4eecd72d4c8354bf3c4d8be20b5288d
Link:
https://www.unpac.me/results/a1a9cb2c-9799-4a01-b98d-3c9f15cde8f9/
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
Link:
https://www.unpac.me/results/a1a9cb2c-9799-4a01-b98d-3c9f15cde8f9/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e04c0a63203c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e04c0a63203c01287f3caeb0713dbdaf55cf31a3fbaf5fdefd9e1047beb9436b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:malware_asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:MALWARE_Win_QuasarStealer
Create hunting rule
Author:ditekshen
Description:Detects Quasar infostealer
Rule name:MAL_packer_lb_was_detected
Create hunting rule
Author:0x0d4y
Description:Detect the packer used by Lockbit4.0
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:quasarrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:quasarrat_kingrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RC6_Constants
Create hunting rule
Author:chort (@chort0)
Description:Look for RC6 magic constants in binary
Reference:https://twitter.com/mikko/status/417620511397400576
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_c9003b7b
Create hunting rule
Author:Elastic Security
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe e04c0a63203c01287f3caeb0713dbdaf55cf31a3fbaf5fdefd9e1047beb9436b

(this sample)

  
Link
https://tria.ge/251223-vt7ecaxpfy/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/45914/

Comments