MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3acfbbd1ff87fb33ce62665085d9423b62f68fa54c00d70d3fdc53cb5912207. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QatarRAT


Vendor detections: 11



SHA256 hash: f3acfbbd1ff87fb33ce62665085d9423b62f68fa54c00d70d3fdc53cb5912207
SHA3-384 hash: 4d06e6288f68d4f11f8891b264c360928475e6f3c21d6ed80364b8b461f6827917e594d864ebd3466fe3f7755fffdeeb
SHA1 hash: 4466ae094e99e045d08cc2c0b1f1fa80f137c8ed
MD5 hash: 5ed6f53e05535da82da34e600b0e5541
humanhash: delta-lithium-twelve-summer
File name: file
Signature QatarRAT
File size: 1'068'544 bytes
First seen: 2026-02-27 00:52:12 UTC
Last seen: 2026-02-27 02:17:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 012b52c5b409e9f22dd209d7bfb843c2 (1 x QatarRAT)
ssdeep 24576:H0I9BhzPmYuPl2k0qVaqZiME0uUyHt5gzj:H0I9BhmPlzZT7wHg
TLSH T19635CF5A9BB221FAE177C03D8AA65A76FDB278590320D7C703E456A91F27BD04B3D301
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags: dropped-by-amadey exe fbf543 QatarRAT


Bitsight
url: http://130.12.180.43/files/8484046844/CErzHEi.exe

Intelligence


File Origin
# of uploads :
13
# of downloads :
179
Origin country :
US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_f3acfbbd1ff87fb33ce62665085d9423b62f68fa54c00d70d3fdc53cb5912207.exe
Verdict:
No threats detected
Analysis date:
2026-02-27 00:54:33 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
70%
Tags:
malware
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug base64 fingerprint microsoft_visual_cc packed
Result
Verdict:
Malicious
File Type:
exe x64
Detections:
HEUR:Trojan.Win64.Generic HEUR:Trojan.Win32.Agentb.gen HEUR:HackTool.Multi.AmsiETWPatch.gen HEUR:Exploit.MSIL.BypassUAC.gen Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Stealer.sb Trojan.Win32.Agent.sb HEUR:Trojan-Dropper.MSIL.Agent.gen HackTool.Win64.BroHack.sb
Threat name:
Win64.Dropper.Generic
Status:
Suspicious
First seen:
2026-02-27 00:53:20 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
8 of 36 (22.22%)
Threat level:
  3/5
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion discovery execution persistence ransomware
Behaviour
Enumerates system info in registry
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Downloads MZ/PE file
Clears Windows event logs
Unpacked files
SHA256 hash:
f3acfbbd1ff87fb33ce62665085d9423b62f68fa54c00d70d3fdc53cb5912207
MD5 hash:
5ed6f53e05535da82da34e600b0e5541
SHA1 hash:
4466ae094e99e045d08cc2c0b1f1fa80f137c8ed
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: pe_detect_tls_callbacks

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QatarRAT

Executable exe f3acfbbd1ff87fb33ce62665085d9423b62f68fa54c00d70d3fdc53cb5912207

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download

Comments