MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb34e2da1047942aea3b62749799088718d5dafb0d5dd956f161b5bfc52f52b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 30 File information Comments

SHA256 hash:	fb34e2da1047942aea3b62749799088718d5dafb0d5dd956f161b5bfc52f52b4
SHA3-384 hash:	b20b307c90d1f8ea2dc580755094e8719148e301dff38c3f776ced185034ba3b010e3a5fd93b89a3ad42cab40a613ca7
SHA1 hash:	56cd338bd3b6f6e41fbfd47fc35ebb7384089da0
MD5 hash:	1f0aa04275ac8ac6bef6ff3ef0633491
humanhash:	california-fish-diet-music
File name:	Client.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	12'818'075 bytes
First seen:	2025-11-23 00:11:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2d36b7f7f6f122ecc6850b4840bc4dbf (2 x QuasarRAT)
ssdeep	98304:rv/22SsaNYfdPBldt6+dBcjHp00KatIh++/amzJNOWJFpmLtVt+Xw5k8iILd+ffg:Dw7j1KBQtXx5lAnfD59W2qEzIIftto
Threatray	1'713 similar samples on MalwareBazaar
TLSH	T1B6D6D0B07606E6DFC16B0AB4E4D2CA03D5B897B5C322E703D815743E5E53F5286C2B6A
TrID	33.5% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 25.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 13.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 8.4% (.EXE) Win64 Executable (generic) (10522/11/4) 5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika	pebin
Reporter	Hexastrike
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Client.exe

Verdict:

No threats detected

Analysis date:

2025-11-23 01:18:39 UTC

Tags:

themida

Link:

https://app.any.run/tasks/7cf48e7b-2495-44df-8d7a-c6e5a6702c18

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

QuasarStealer

Link:

https://www.capesandbox.com/analysis/40026/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=692260f3b6ee81118d2c6a4f

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm base64 fingerprint infostealer obfuscated obfuscated packed packed quasar quasarrat reconnaissance stealer

Link:

https://www.filescan.io/uploads/69225fd1f96b58f0dc8068b5/reports/20865ff8-e76b-45bd-a21e-219112783b84/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/fb34e2da1047942aea3b62749799088718d5dafb0d5dd956f161b5bfc52f52b4

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-10T06:12:00Z UTC

Last seen:

2025-11-15T23:57:00Z UTC

Hits:

~10

Detections:

Trojan-PSW.MSIL.Agent.sb Trojan.Win32.Quasar.sb Trojan.MSIL.Quasar.a HEUR:Trojan.MSIL.Quasar.gen

Link:

https://opentip.kaspersky.com/fb34e2da1047942aea3b62749799088718d5dafb0d5dd956f161b5bfc52f52b4/results?tab=lookup

Gathering data

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fb34e2da1047942aea3b62749799088718d5dafb0d5dd956f161b5bfc52f52b4

Verdict:

inconclusive

YARA:

14 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE Memory-Mapped (Dump)

Link:

https://app.malva.re/file/1f0aa04275ac8ac6bef6ff3ef0633491

Detection:

quasar

Link:

https://mwdb.cert.pl/sample/fb34e2da1047942aea3b62749799088718d5dafb0d5dd956f161b5bfc52f52b4/

Verdict:

Malicious

Threat:

Family.QUASAR

Link:

https://tip.neiki.dev/file/fb34e2da1047942aea3b62749799088718d5dafb0d5dd956f161b5bfc52f52b4

Threat name:

ByteCode-MSIL.Backdoor.Quasar

Status:

Malicious

First seen:

2025-11-10 11:10:36 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7m2ofwqqi6kcv2r3mj2jpgiiq4mnlwx3bvo5svxrmg237rjpkk2a._file

Verdict:

malicious

Label(s):

quasarrat

QuasarRAT

5e532dc348cea226907ee286cc623670b87c8f642262ea771b226b7b684fc7d9

QuasarRAT

a417d44599283c4057142c7fef78fb97b2ebb20368328ce509c03b5779d07d02

QuasarRAT

bfeebb9bc0a5d9543ed907a650defe0ffe6d2b7e8db4a6fd710d16eadcbab276

QuasarRAT

c1b011778271c50b58e7d1cc972434f98671118a3dd381dc4fd5f52b5f2c42a2

QuasarRAT

error

QuasarRAT

+ 1'703 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar botnet:office04 discovery themida

Link:

https://tria.ge/reports/251123-bml1aawngv/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Malware Config

C2 Extraction:

193.149.29.121:4782

Verdict:

Malicious

Tags:

rat quasar_rat stealer Win.Malware.Generic-9883083-0

YARA:

malware_windows_quasarrat MALWARE_Win_Quasarstealer

Link:

https://app.threat.zone/submission/08719df2-bde1-4f34-ad91-759a84930ede

Unpacked files

SH256 hash:

fb34e2da1047942aea3b62749799088718d5dafb0d5dd956f161b5bfc52f52b4

MD5 hash:

1f0aa04275ac8ac6bef6ff3ef0633491

SHA1 hash:

56cd338bd3b6f6e41fbfd47fc35ebb7384089da0

Detections:

QuasarRAT

Link:

https://www.unpac.me/results/7e4213c5-b0c7-43cf-a9ea-ef0035188a7d/

SH256 hash:

de0aa79373299d38e79f5895530c54d43970c18867212ee171580e5e28dca5eb

MD5 hash:

8c7fb0e684cd7873d2641f301c2d41dd

SHA1 hash:

0a65293bd4af0d865c4d7dabacd49ca978cc063b

Link:

https://www.unpac.me/results/7e4213c5-b0c7-43cf-a9ea-ef0035188a7d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fb34e2da1047942aea3b62749799088718d5dafb0d5dd956f161b5bfc52f52b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	Check_FindWindowA_iat Create hunting rule

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifacts observed in infostealers

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_QuasarStealer Create hunting rule
Author:	ditekshen
Description:	Detects Quasar infostealer

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	quasarrat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	quasarrat_kingrat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RC6_Constants Create hunting rule
Author:	chort (@chort0)
Description:	Look for RC6 magic constants in binary
Reference:	https://twitter.com/mikko/status/417620511397400576

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	win32_dotnet_form_obfuscate Create hunting rule
Author:	Reedus0
Description:	Rule for detecting .NET form obfuscate malware

Rule name:	Windows_Generic_Threat_803feff4 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/40026/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample