MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea858bd86372940a46828a781b76be0a382fff2bbce59b149cae3a332004cad6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea858bd86372940a46828a781b76be0a382fff2bbce59b149cae3a332004cad6
SHA3-384 hash: 908914d760378b952462b943a2372b7dc9ef7867355eff512ed2ca15891e4b2af017a8309d80dbe1a4ccbf86db9d22ef
SHA1 hash: a4b6318a95c50744190379dcab45395e2826cfe6
MD5 hash: 62ca55d5228656f618c2e2c4f6ed983c
humanhash: princess-violet-beryllium-alaska
File name:62ca55d5228656f618c2e2c4f6ed983c.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'539'456 bytes
First seen:2025-06-07 13:01:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (35 x CoinMiner, 18 x AsyncRAT, 17 x BlankGrabber)
ssdeep 49152:vKMcQCYrig32vgeTJX4RhdGSk4vgaqvb8+Li29lrKOG9ULbZTSs+bG6WH7gtnkuO:3Ig3zyKqIsN1+QMtVFZKJN8Zba
Threatray 63 similar samples on MalwareBazaar
TLSH T16CF518CBE978BB8613BB03AF5F48D504899526C8D635028BF3D5C1A70D82BDEC376952
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter abuse_ch
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
463
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
62ca55d5228656f618c2e2c4f6ed983c.exe
Verdict:
Malicious activity
Analysis date:
2025-06-07 13:05:28 UTC
Tags:
auto-sch evasion delphi crypto-regex
Link:
https://app.any.run/tasks/728740f9-98b4-4306-ad94-6c383cb95cee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7883/
Detection(s):
SecuriteInfo.com.BackDoor.AsyncRATNET.2.580.27033.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=684438d98bd5d68a12e64576
Tags:
vmdetect autorun quasar
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Searching for synchronization primitives
Creating a file in the system32 subdirectories
Launching a process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt packed packed packer_detected razy
Link:
https://www.filescan.io/uploads/6844385dfd02ed5e059d334b/reports/4bf56da8-2cf4-4d02-a5b8-2c36ab6b1be8/overview
Verdict:
Malicious
Labled as:
Razy.Generic
Link:
https://www.hybrid-analysis.com/sample/ea858bd86372940a46828a781b76be0a382fff2bbce59b149cae3a332004cad6
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8ba70e8b-2e3b-4239-8dcb-85744ef5652e
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1708871
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1708871 Sample: ZUTd6DA1gW.exe Startdate: 07/06/2025 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 5 other signatures 2->55 9 ZUTd6DA1gW.exe 3 2->9         started        13 Client.exe 3 2->13         started        process3 file4 33 C:\Users\user\AppData\Roaming\steam.exe, PE32 9->33 dropped 35 C:\Users\user\...\install_requirements.exe, PE32 9->35 dropped 61 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->61 15 install_requirements.exe 5 9->15         started        19 steam.exe 9->19         started        signatures5 process6 file7 37 C:\Windows\System32\AudioSync\Client.exe, PE32 15->37 dropped 41 Multi AV Scanner detection for dropped file 15->41 43 Drops executables to the windows directory (C:\Windows) and starts them 15->43 45 Uses schtasks.exe or at.exe to add and modify task schedules 15->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->47 21 Client.exe 2 15->21         started        25 schtasks.exe 1 15->25         started        signatures8 process9 dnsIp10 39 74.82.63.205, 4782 HURRICANEUS United States 21->39 57 Multi AV Scanner detection for dropped file 21->57 59 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->59 27 schtasks.exe 1 21->27         started        29 conhost.exe 25->29         started        signatures11 process12 process13 31 conhost.exe 27->31         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ea858bd86372940a46828a781b76be0a382fff2bbce59b149cae3a332004cad6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea858bd86372940a46828a781b76be0a382fff2bbce59b149cae3a332004cad6/
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2025-06-04 14:10:45 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5kcyxwddokkaurucrj4bw5v6bi4c77zlxtszwfe4vy5dgiaezlla._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
0e053045a5ab0d4e2a65052bd3aa795d70976b5afa8413b3198f6e30db11409a
QuasarRAT
3a336deb4df669600491e2d9736f05f2b04b4eb11a25e082f3409a2fbfc12cf4
QuasarRAT
6d5faa0cd51cbe5d6fb33a09453d1a9ccfcbffc3fb715369026db4103b1605db
QuasarRAT
7302c20bdbe9e72c39377e8e150ddbf5d615744caf1b6797824ecfda1df1033f
QuasarRAT
c5add8fc87f51a5cd7297f626bcffbe1d5a61dd3045d920dbf81ab35918d7835
QuasarRAT
da4fb7c03aaca6df5146ea391788bef99ababd891dbff4b446fa008d254472c2
QuasarRAT
error
QuasarRAT
+ 53 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:boss discovery spyware trojan
Link:
https://tria.ge/reports/250607-p9yt9aam7t/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in System32 directory
Checks computer location settings
Executes dropped EXE
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
74.82.63.205:4782
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4c526463-4150-437e-91d9-83c9a907e914
Unpacked files
SH256 hash:
ea858bd86372940a46828a781b76be0a382fff2bbce59b149cae3a332004cad6
MD5 hash:
62ca55d5228656f618c2e2c4f6ed983c
SHA1 hash:
a4b6318a95c50744190379dcab45395e2826cfe6
Link:
https://www.unpac.me/results/a43861c6-4233-4ead-b2f0-8e1069fb7fe4/
SH256 hash:
0198b7c285a13c98123bbcf85d1b072bcc00f225f6d30867f4ab3be1ea927da8
MD5 hash:
c0e5b07cbf2d02c54f39ce6aad676dc7
SHA1 hash:
4100b839d867b252ffa991f91fb9e403b8e41256
Link:
https://www.unpac.me/results/a43861c6-4233-4ead-b2f0-8e1069fb7fe4/
SH256 hash:
95bc1ca7ddf5e50863ad3193df5473cbd3913cb8c96b5f3739d45d08004b20a9
MD5 hash:
0cd99b1f50083709baf7b3f25839fcf4
SHA1 hash:
fe3254b6a7a304c76ec64ce7104127d9fd3ee2be
Detections:
QuasarRAT
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
MAL_BackNet_Nov18_1
Create hunting rule
INDICATOR_EXE_Packed_Fody
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Link:
https://www.unpac.me/results/a43861c6-4233-4ead-b2f0-8e1069fb7fe4/
SH256 hash:
1e9278c0cdd219bf2c7238958fae239e79b378629de8366e373587dbb1e4f69b
MD5 hash:
1a570bd974ba14e66feb22c18b233a25
SHA1 hash:
ed936507946e775cbe36fb88e69762f771701de7
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
HKTL_NET_GUID_Quasar
Create hunting rule
Link:
https://www.unpac.me/results/a43861c6-4233-4ead-b2f0-8e1069fb7fe4/
Parent samples :
31e0765454785a12c86436331f67020b7390d16b9de42b954127799835eea36c
ea858bd86372940a46828a781b76be0a382fff2bbce59b149cae3a332004cad6
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea858bd86372940a46828a781b76be0a382fff2bbce59b149cae3a332004cad6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/7883/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA

Comments