MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2c14df722dfbb0c3a8c4228034f37ba6395babc29ad2aa9f4a175f37a839831. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2c14df722dfbb0c3a8c4228034f37ba6395babc29ad2aa9f4a175f37a839831
SHA3-384 hash: 6026502a3a06aba48891722a328002558484e39326c6b7d21eb26b4486ad20b7312002db64e5a24dbd9797793782c1da
SHA1 hash: 7811a0b5b684476408d616f235c376a9acbf0572
MD5 hash: ea329c8beeb64ebbc270e7583e562d02
humanhash: stairway-butter-winter-march
File name:Client-built.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:1'897'472 bytes
First seen:2025-09-15 08:28:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 49152:B3VXVXpYsjxDlVR9kul2R2g19ESxOR5WR1/:BtdZjdzR91l2R2gQk65WRN
TLSH T10095333AFA6462EEC392FDB7A1BB4B6B371046434109E33CB1B8344D74536659DAD12C
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Client-built.exe
Verdict:
Malicious activity
Analysis date:
2025-09-13 11:58:04 UTC
Tags:
auto-reg
Link:
https://app.any.run/tasks/7f2ceee1-1681-435b-b879-66cb52fb8472

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27491/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c55c4bd49ea3f1e4b50b8d
Tags:
autorun spawn sage remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Setting a keyboard event handler
DNS request
Connection attempt
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 bladabindi packed
Link:
https://www.filescan.io/uploads/68c7ce70dbc6f5a29c452f96/reports/fc5c6415-8a02-4542-baa6-f67a136d85ed/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/e2c14df722dfbb0c3a8c4228034f37ba6395babc29ad2aa9f4a175f37a839831
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-13T09:00:00Z UTC
Last seen:
2025-09-13T09:00:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Quasar.gen Trojan-PSW.MSIL.Agent.sb Trojan.MSIL.Quasar.a HEUR:Trojan.Win32.Generic HEUR:Trojan.MSIL.Cryptos.gen
Link:
https://opentip.kaspersky.com/e2c14df722dfbb0c3a8c4228034f37ba6395babc29ad2aa9f4a175f37a839831/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b80d80d0-9f67-4b0e-9ea8-3319057251aa
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1777591
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e2c14df722dfbb0c3a8c4228034f37ba6395babc29ad2aa9f4a175f37a839831
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.62 Win 32 Exe x86
Link:
https://app.malva.re/file/ea329c8beeb64ebbc270e7583e562d02
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2c14df722dfbb0c3a8c4228034f37ba6395babc29ad2aa9f4a175f37a839831/
Verdict:
Malicious
Threat:
Trojan.MSIL.Cryptos
Link:
https://tip.neiki.dev/file/e2c14df722dfbb0c3a8c4228034f37ba6395babc29ad2aa9f4a175f37a839831
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2025-09-13 06:19:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4lau35zc365qyoumiiuagtzxxjrzlov4fgwsvkpuuf27g6udtayq._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
error
QuasarRAT
Result
Malware family:
n/a
Score:
  3/10
Tags:
execution persistence
Link:
https://tria.ge/reports/250915-kdxj4agm5x/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/72c3807e-3ae3-4687-9ea5-f8d71570dc3f
Unpacked files
SH256 hash:
e2c14df722dfbb0c3a8c4228034f37ba6395babc29ad2aa9f4a175f37a839831
MD5 hash:
ea329c8beeb64ebbc270e7583e562d02
SHA1 hash:
7811a0b5b684476408d616f235c376a9acbf0572
Link:
https://www.unpac.me/results/9cbee704-6ab3-4898-8983-cb407a24782c/
SH256 hash:
d5235265564f0bfd23b7279d7bdccc9ea6383ed07c5d0bfdf6c99029af9a2c0c
MD5 hash:
1d3dd9fcc077e6b4f88c05b9aef53ee6
SHA1 hash:
12b33858bc84f54b8aa8dbcb5a0ec2da043a6f66
Link:
https://www.unpac.me/results/9cbee704-6ab3-4898-8983-cb407a24782c/
SH256 hash:
6d5eaf074a5d4c6ff1d2bb14984c35e4b8952b9f0cb42f88eceefa22cb847375
MD5 hash:
6a3db650ee8fb24bcceb9e743b81be48
SHA1 hash:
39d79514eede24ad04ada96a20eef40846c27a86
Detections:
INDICATOR_EXE_Packed_Fody
Create hunting rule
Link:
https://www.unpac.me/results/9cbee704-6ab3-4898-8983-cb407a24782c/
SH256 hash:
4c9615496970ea84320e2a6e99f8fb828e3c7790384df5585d93fc368885d94e
MD5 hash:
50e6524b7ee9c2c93f5210b63cb1ca54
SHA1 hash:
3e296ec3bb24750833ea80515e6fb4c73874c91a
Link:
https://www.unpac.me/results/9cbee704-6ab3-4898-8983-cb407a24782c/
SH256 hash:
ea9f0b30bb53a4db5ab95e98da3c41d21deb6223f0515aba7036bcccf3d599f0
MD5 hash:
944a012370696e7e84716d3ebbe4ce2e
SHA1 hash:
4e6d7c231bd8dfd1f66d63178ea3b3d1b2b48572
Link:
https://www.unpac.me/results/9cbee704-6ab3-4898-8983-cb407a24782c/
SH256 hash:
c1046a94e4042f0a622670cd6a01ca235609732d8ef68889e87fc947d754c5f5
MD5 hash:
8f786e161e0925e8a7c5602f64fff988
SHA1 hash:
4f90a7c051bb4a8e95a43916a4e979b1daadfffa
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
HKTL_NET_GUID_Quasar
Create hunting rule
Link:
https://www.unpac.me/results/9cbee704-6ab3-4898-8983-cb407a24782c/
Parent samples :
0065d42e62b532221d6ec96913cdedd45d3e84b1d50076b478a5d0a22608b536
c7cfa4eb2cce54eae7d5af7025931c424e48c3dd28dcdb76399e4ab23a4c1f6e
9b7be09c491e55dc424bbf7f3281b467d7e26d918263d925bb4b624fc25ff616
8ca07bac80251aac5bae7418c53144e723c1750d400faaac1678c55457f0f64a
565ba37db962f10ea77fab2be20b5d65672a72c7bbda35cf5538a236a3f63337
7645e0b22c7ea622d164b55b3449831e99bcf4de66c31ac0afaa877cef03248e
ddfffb912ac59f774d452516e5834d9e0175db9608e91eba45379a78b3c53fa9
71d675e36d237be76f9141742350f8b2d94d8cefa2b9b3b62622703193c15414
544f187d0b620cb18a494ea3ec51472e504eac944ef59dc4b5de1c60a9d5800e
e2c14df722dfbb0c3a8c4228034f37ba6395babc29ad2aa9f4a175f37a839831
SH256 hash:
c9736bed57d137a0bd4a454a70436020312db5a365bdd243037e766695c18ccd
MD5 hash:
41b34eab1585d5381c56730b93dd1310
SHA1 hash:
510b640517342dbcc40c81b63db23fa1444a71ed
Link:
https://www.unpac.me/results/9cbee704-6ab3-4898-8983-cb407a24782c/
SH256 hash:
7a61993fa4bb4f782b0a1685d563b9aae55185eefdd0abb75f52297d5a1008fa
MD5 hash:
4bdf06d4557ed8dae17f6b4ad6905f56
SHA1 hash:
56db24b74c0ab2b69880795b5689f0d26c3e5feb
Link:
https://www.unpac.me/results/9cbee704-6ab3-4898-8983-cb407a24782c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e2c14df722df/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e2c14df722dfbb0c3a8c4228034f37ba6395babc29ad2aa9f4a175f37a839831

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/27491/

Comments