MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f334860b2313bd3f5f8c6940ae51f68711c8ce4f3af185e24610064018c36026. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 19


Intelligence 19 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f334860b2313bd3f5f8c6940ae51f68711c8ce4f3af185e24610064018c36026
SHA3-384 hash: 8fbced171b84c3bf2ae9aa53e4180e620b710e4d593b639ee93de076aa50812a9f1f49d80d11095571bc438015f0bc36
SHA1 hash: 119c537ee2d4e48b572e364582ee4cbe48cf361a
MD5 hash: 621f9335adc99dd26b6f9114443ebe75
humanhash: wisconsin-lactose-white-mississippi
File name:xf334860b2313bd3f5f8c6940ae51f68711c8ce4f3af185e24610064018c36026.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:9'902'956 bytes
First seen:2026-02-04 07:45:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e0a0e8f80bbd1a9c0078e57256f1c3d (5 x GCleaner, 4 x CoinMiner, 4 x LummaStealer)
ssdeep 196608:9TcHwY17E/YyNgPZbnwWFa7PKnceE2EzqHsJiterJ058OT8M:AQBePtwWY7KtEzqMJGerK58O9
Threatray 2'259 similar samples on MalwareBazaar
TLSH T148A63359E7E414FCF4B3A2B09A618A12EBB67C9A4772C74F13B4115A1F233909F39B11
TrID 92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.7% (.EXE) OS/2 Executable (generic) (2029/13)
0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
quasar
Create hunting rule
ID:
1
File name:
xf334860b2313bd3f5f8c6940ae51f68711c8ce4f3af185e24610064018c36026.exe
Verdict:
Malicious activity
Analysis date:
2026-02-03 21:24:45 UTC
Tags:
quasar auto-reg
Link:
https://app.any.run/tasks/c9f53529-5f82-43dd-bd09-94d6c05c5b4b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QuasarRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/51618/
Detection(s):
SecuriteInfo.com.Variant.Tedy.742456.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6982679e6b1af47db72c9093
Tags:
infosteal autorun quasar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm fingerprint installer-heuristic microsoft_visual_cc overlay
Link:
https://www.filescan.io/uploads/6982f945930564ff3c88e545/reports/24c8ec2c-3860-49a6-ad6b-e2a3d781834c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f334860b2313bd3f5f8c6940ae51f68711c8ce4f3af185e24610064018c36026
Result
Gathering data
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-02-01T10:16:00Z UTC
Last seen:
2026-02-01T23:24:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.MSIL.Quasar.gen PDM:Trojan.Win32.Tasker.cust PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Agent.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Agent.sb Trojan.Win32.Quasar.sb Trojan.MSIL.Quasar.a
Link:
https://opentip.kaspersky.com/f334860b2313bd3f5f8c6940ae51f68711c8ce4f3af185e24610064018c36026/results?tab=lookup
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6de6b3b0-ee5d-4cbd-95e3-d4e1e161a7b6
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1863057
Signature
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1863057 Sample: V2EYHRM2e0.exe Startdate: 04/02/2026 Architecture: WINDOWS Score: 100 35 botnet.lokifisch.dev 2->35 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 3 other signatures 2->55 10 V2EYHRM2e0.exe 11 2->10         started        13 Client.exe 3 2->13         started        signatures3 process4 file5 31 C:\Users\user\AppData\...\Client-built.exe, PE32 10->31 dropped 15 Client-built.exe 5 10->15         started        process6 file7 33 C:\Users\user\AppData\Roaming\...\Client.exe, PE32 15->33 dropped 41 Antivirus detection for dropped file 15->41 43 Multi AV Scanner detection for dropped file 15->43 45 Uses schtasks.exe or at.exe to add and modify task schedules 15->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->47 19 Client.exe 2 15->19         started        23 schtasks.exe 1 15->23         started        signatures8 process9 dnsIp10 37 botnet.lokifisch.dev 185.196.84.120, 4782 LEU-ASCH Switzerland 19->37 39 127.0.0.1 unknown unknown 19->39 57 Antivirus detection for dropped file 19->57 59 Multi AV Scanner detection for dropped file 19->59 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->61 63 Installs a global keyboard hook 19->63 25 schtasks.exe 1 19->25         started        27 conhost.exe 23->27         started        signatures11 process12 process13 29 conhost.exe 25->29         started       
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f334860b2313bd3f5f8c6940ae51f68711c8ce4f3af185e24610064018c36026
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/621f9335adc99dd26b6f9114443ebe75
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f334860b2313bd3f5f8c6940ae51f68711c8ce4f3af185e24610064018c36026/
Verdict:
Malicious
Threat:
Family.QUASAR
Link:
https://tip.neiki.dev/file/f334860b2313bd3f5f8c6940ae51f68711c8ce4f3af185e24610064018c36026
Threat name:
ByteCode-MSIL.Backdoor.Quasar
Create hunting rule
Status:
Malicious
First seen:
2026-02-01 15:11:49 UTC
File Type:
PE+ (Exe)
Extracted files:
17
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6m2imczdco6t6x4mnfak4upwq4i4rtsphlyylysgcadeaggdmata._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
5e532dc348cea226907ee286cc623670b87c8f642262ea771b226b7b684fc7d9
QuasarRAT
7cf92236a23833476c9e91eabf6bf023de5572b65a62da1e6cb9be39247162a6
QuasarRAT
c1b011778271c50b58e7d1cc972434f98671118a3dd381dc4fd5f52b5f2c42a2
QuasarRAT
e78c16daddee864b284f81c9e66f2dacb340ae7670a3a1b1735bde8619246e29
QuasarRAT
error
QuasarRAT
+ 2'249 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:joey execution persistence spyware trojan
Link:
https://tria.ge/reports/260204-jl3weahy8f/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
botnet.lokifisch.dev:4782
localhost:4782
Unpacked files
SH256 hash:
f334860b2313bd3f5f8c6940ae51f68711c8ce4f3af185e24610064018c36026
MD5 hash:
621f9335adc99dd26b6f9114443ebe75
SHA1 hash:
119c537ee2d4e48b572e364582ee4cbe48cf361a
Link:
https://www.unpac.me/results/20c07cb0-6e0d-42e9-8135-2a2e84ac50bd/
SH256 hash:
c875814f2ad5b9e12c455df861fb41891fa95b97d240207c57a6c4221daa8d41
MD5 hash:
bea598fdbac67e24d681b4fb6c330abc
SHA1 hash:
8a94f02f4f0b187447140c8e336be67d28df1012
Detections:
QuasarRAT
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
win_quasarrat_j2
Create hunting rule
win_quasar_rat_client
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_QuasarStealer
Create hunting rule
Link:
https://www.unpac.me/results/20c07cb0-6e0d-42e9-8135-2a2e84ac50bd/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f334860b2313/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f334860b2313bd3f5f8c6940ae51f68711c8ce4f3af185e24610064018c36026

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/51618/

Comments