MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 e5cc4986e18b7b1d7fb722ad4a8ca349e7263305b490db3d65d38746607bd121. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
QuasarRAT
Vendor detections: 16
| SHA256 hash: | e5cc4986e18b7b1d7fb722ad4a8ca349e7263305b490db3d65d38746607bd121 |
|---|---|
| SHA3-384 hash: | c45f580590077118212b73a43e3e0b9c1d90bf12ec1ec899644183199b8dfdba1d85cc354335f841b9d5f631ba635165 |
| SHA1 hash: | 3d47c0683df6fe3a54e13b074e9e7b4fcdbaeef2 |
| MD5 hash: | 778bdd6287bf74a6f853b09580dce2c2 |
| humanhash: | vegan-johnny-double-nineteen |
| File name: | Client.exe |
| Download: | download sample |
| Signature | QuasarRAT |
| File size: | 300'887 bytes |
| First seen: | 2025-11-23 00:09:11 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'854 x AgentTesla, 19'783 x Formbook, 12'304 x SnakeKeylogger) |
| ssdeep | 6144:D7zO0LSclT6FOwEP5Kq+SMv0VGb7bDc+lbkvnqB:DlJtTF9zVGk+lbk/a |
| TLSH | T1AC545A2527F8A93BD8BE17B4F53141094B76FC07B517F78E6A5818B82C1A38985837E3 |
| TrID | 58.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 13.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 8.4% (.EXE) Win64 Executable (generic) (10522/11/4) 5.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.0% (.EXE) Win16 NE executable (generic) (5038/12/1) |
| Magika | pebin |
| Reporter |  Hexastrike |
| Tags: | exe QuasarRAT |
Intelligence
File Origin
# of uploads :
1
# of downloads :
53
Origin country :
IEVendor Threat Intelligence
Detection:
QuasarRAT
Verdict:
Malicious
Score:
99.9%
Tags:
vmdetect quasar
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-vm anti-vm barys base64 blackshades byteguard crypto fingerprint infostealer keylogger lolbin obfuscated overlay packed quasar quasarrat rat reconnaissance runonce stealer vbnet vermin xrat
Verdict:
Malicious
Labled as:
Ransom.Imps.Generic
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-28T02:12:00Z UTC
Last seen:
2025-10-29T18:39:00Z UTC
Hits:
~10
Gathering data
Score:
100%
Verdict:
Malware
File Type:
PE
Verdict:
QuasarRat
YARA:
17 match(es)
Tags:
.Net Executable Malicious Managed .NET PE (Portable Executable) PE File Layout QuasarRat RAT SOS: 0.26 Win 32 Exe x86
Malware Config
C2 Extraction:
PORT: 222
CNC: 51.15.17.193
CNC: 51.15.17.193
Detection:
quasar
Threat name:
ByteCode-MSIL.Backdoor.Quasar
Status:
Malicious
First seen:
2025-10-28 07:03:56 UTC
AV detection:
23 of 24 (95.83%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
quasar
Score:
10/10
Tags:
family:quasar botnet:test2
Malware Config
C2 Extraction:
51.15.17.193:222
Verdict:
Malicious
Tags:
Win.Trojan.Barys-1
YARA:
n/a
Unpacked files
SH256 hash:
e5cc4986e18b7b1d7fb722ad4a8ca349e7263305b490db3d65d38746607bd121
MD5 hash:
778bdd6287bf74a6f853b09580dce2c2
SHA1 hash:
3d47c0683df6fe3a54e13b074e9e7b4fcdbaeef2
Detections:
win_blackshades_w0
QuasarRAT
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.58
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | BlackShades_4 |
|---|---|
| Author: | Jean-Philippe Teissier / @Jipe_ |
| Description: | BlackShades |
| Rule name: | CN_disclosed_20180208_KeyLogger_1 |
|---|---|
| Author: | Florian Roth (Nextron Systems) |
| Description: | Detects malware from disclosed CN malware set |
| Reference: | https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details |
| Rule name: | CN_disclosed_20180208_KeyLogger_1_RID3227 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects malware from disclosed CN malware set |
| Reference: | https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | Detect_PowerShell_Obfuscation |
|---|---|
| Author: | daniyyell |
| Description: | Detects obfuscated PowerShell commands commonly used in malicious scripts. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Windows executables referencing non-Windows User-Agents |
| Rule name: | INDICATOR_SUSPICIOUS_GENInfoStealer |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables containing common artifacts observed in infostealers |
| Rule name: | INDICATOR_SUSPICIOUS_GENRansomware |
|---|---|
| Author: | ditekSHen |
| Description: | Detects command variations typically used by ransomware |
| Rule name: | Lumma_Stealer_Detection |
|---|---|
| Author: | ashizZz |
| Description: | Detects a specific Lumma Stealer malware sample using unique strings and behaviors |
| Reference: | https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/ |
| Rule name: | malware_Quasar_strings |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect QuasarRAT in memory |
| Rule name: | MALWARE_Win_QuasarRAT |
|---|---|
| Author: | ditekSHen |
| Description: | QuasarRAT payload |
| Rule name: | MAL_QuasarRAT_May19_1 |
|---|---|
| Author: | Florian Roth (Nextron Systems) |
| Description: | Detects QuasarRAT malware |
| Reference: | https://blog.ensilo.com/uncovering-new-activity-by-apt10 |
| Rule name: | MAL_QuasarRAT_May19_1 |
|---|---|
| Description: | Detects QuasarRAT malware |
| Rule name: | MAL_QuasarRAT_May19_1_RID2E1E |
|---|---|
| Author: | Florian Roth |
| Description: | Detects QuasarRAT malware |
| Reference: | https://blog.ensilo.com/uncovering-new-activity-by-apt10 |
| Rule name: | Multifamily_RAT_Detection |
|---|---|
| Author: | Lucas Acha (http://www.lukeacha.com) |
| Description: | Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_imphash |
|---|
| Rule name: | Quasar |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect QuasarRAT in memory |
| Rule name: | QuasarRAT |
|---|---|
| Author: | ditekshen |
| Description: | QuasarRAT payload |
| Rule name: | quasarrat |
|---|---|
| Author: | jeFF0Falltrades |
| Rule name: | quasarrat_kingrat |
|---|---|
| Author: | jeFF0Falltrades |
| Rule name: | Quasar_RAT_1 |
|---|---|
| Author: | Florian Roth (Nextron Systems) |
| Description: | Detects Quasar RAT |
| Reference: | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
| Rule name: | Quasar_RAT_1 |
|---|---|
| Author: | @SOCRadar |
| Description: | Detects Quasar RAT |
| Rule name: | Quasar_RAT_1_RID2B54 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Quasar RAT |
| Reference: | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
| Rule name: | Quasar_RAT_2 |
|---|---|
| Author: | Florian Roth (Nextron Systems) |
| Description: | Detects Quasar RAT |
| Reference: | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
| Rule name: | Quasar_RAT_2 |
|---|---|
| Description: | Detects Quasar RAT |
| Rule name: | Quasar_RAT_2_RID2B55 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Quasar RAT |
| Reference: | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
| Rule name: | RANSOMWARE |
|---|---|
| Author: | ToroGuitar |
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | Sus_CMD_Powershell_Usage |
|---|---|
| Author: | XiAnzheng |
| Description: | May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP) |
| Rule name: | Vermin_Keylogger_Jan18_1 |
|---|---|
| Author: | Florian Roth (Nextron Systems) |
| Description: | Detects Vermin Keylogger |
| Reference: | https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/ |
| Rule name: | Windows_Trojan_Quasarrat_e52df647 |
|---|---|
| Author: | Elastic Security |
| Rule name: | win_blackshades_w0 |
|---|---|
| Author: | Jean-Philippe Teissier / @Jipe_ |
| Rule name: | win_quasar_rat_client |
|---|---|
| Author: | Matthew @ Embee_Research |
| Description: | Detects strings present in Quasar Rat Samples. |
| Rule name: | xRAT_1 |
|---|---|
| Author: | Florian Roth (Nextron Systems) |
| Description: | Detects Patchwork malware |
| Reference: | https://goo.gl/Pg3P4W |
| Rule name: | xRAT_1_RID2900 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Patchwork malware |
| Reference: | https://goo.gl/Pg3P4W |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.