MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 012ae3bac67ed8735dfcf14d833a5da1f0b549fe82ac6bbc679c086b5d6fcfa0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 012ae3bac67ed8735dfcf14d833a5da1f0b549fe82ac6bbc679c086b5d6fcfa0
SHA3-384 hash: 7a89a1b7f77f0aec757b8804926dd3c24d9513da5163e60911c593287b2b0a48d124c382c9790b29547c9e116e29f8e9
SHA1 hash: 80c3b8de59079110fec0099d7b179b32793ec625
MD5 hash: 9a0bbc1414de589016f32d899dd33049
humanhash: idaho-hamper-asparagus-sierra
File name:x012ae3bac67ed8735dfcf14d833a5da1f0b549fe82ac6bbc679c086b5d6fcfa0.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'971'584 bytes
First seen:2026-01-13 16:03:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f056b97dce60df29c85cf87cb90d075d (1 x QuasarRAT)
ssdeep 24576:5sOc47gPepzJCjE+DVTTg3r4dyFTr6bc3gw3IB1PFsYqXXUOFBwsL3XYPeO1MtSz:jAjUaGOuxuhX5
Threatray 2'308 similar samples on MalwareBazaar
TLSH T15906DFF33495B994CDEEE66F865F8728732A1182B703118D179F0E948B3394F7B8458A
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
x012ae3bac67ed8735dfcf14d833a5da1f0b549fe82ac6bbc679c086b5d6fcfa0.exe
Verdict:
Malicious activity
Analysis date:
2026-01-13 07:36:44 UTC
Tags:
auto-reg api-base64 susp-powershell
Link:
https://app.any.run/tasks/a7997424-fe7e-491a-8d88-04a75eca68f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48783/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6965f60def906a21abccdf3b
Tags:
ransomware dropper emotet sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc
Link:
https://www.filescan.io/uploads/69666ccd60d1ef876dedfad0/reports/92234b8f-ccf5-482f-9b5e-97046589c36a/overview
Verdict:
Malicious
Labled as:
BAT_TrojanDropper_Agent_NYC_trojan
Link:
https://www.hybrid-analysis.com/sample/012ae3bac67ed8735dfcf14d833a5da1f0b549fe82ac6bbc679c086b5d6fcfa0
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-12T19:25:00Z UTC
Last seen:
2026-01-13T23:44:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Quasar.sb Trojan.Win32.Agent.sb Trojan.PowerShell.Cobalt.sb HEUR:Backdoor.MSIL.Agent.gen Backdoor.Win32.Androm Backdoor.MSIL.Cardinal.sb Backdoor.MSIL.Agent.sb Trojan.Win32.Scar.uogu PDM:Trojan.Win32.Generic Trojan.Win32.Shellcode.sb Trojan.MSIL.Quasar.a Trojan-Dropper.Win32.Injector.sb HEUR:Trojan.BAT.Cobalt.gen
Link:
https://opentip.kaspersky.com/012ae3bac67ed8735dfcf14d833a5da1f0b549fe82ac6bbc679c086b5d6fcfa0/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f510f039-26c1-438d-ba3d-c5d626ad9e1a
Result
Threat name:
DonutLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1849962
Signature
Bypasses PowerShell execution policy
Creates / moves files in alternative data streams (ADS)
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Unusual module load detection (module proxying)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected DonutLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1849962 Sample: CmSAOCV7bh.exe Startdate: 13/01/2026 Architecture: WINDOWS Score: 100 85 ipwho.is 2->85 93 Malicious sample detected (through community Yara rule) 2->93 95 Multi AV Scanner detection for submitted file 2->95 97 Yara detected DonutLoader 2->97 99 6 other signatures 2->99 12 CmSAOCV7bh.exe 2 2->12         started        16 cmd.exe 1 2->16         started        18 cmd.exe 2->18         started        signatures3 process4 file5 79 C:\Users\user\AppData\...\temp_exec_7580.bat, DOS 12->79 dropped 123 Suspicious powershell command line found 12->123 125 Bypasses PowerShell execution policy 12->125 20 powershell.exe 12 12->20         started        23 cmd.exe 1 16->23         started        25 conhost.exe 16->25         started        27 cmd.exe 18->27         started        29 conhost.exe 18->29         started        signatures6 process7 signatures8 107 Found suspicious powershell code related to unpacking or dynamic code loading 20->107 31 cmd.exe 1 20->31         started        34 conhost.exe 20->34         started        109 Suspicious powershell command line found 23->109 111 Uses cmd line tools excessively to alter registry or file data 23->111 113 Encrypted powershell cmdline option found 23->113 36 conhost.exe 23->36         started        38 reg.exe 23->38         started        40 powershell.exe 23->40         started        42 powershell.exe 23->42         started        44 conhost.exe 27->44         started        46 reg.exe 27->46         started        48 2 other processes 27->48 process9 signatures10 127 Suspicious powershell command line found 31->127 129 Uses cmd line tools excessively to alter registry or file data 31->129 131 Encrypted powershell cmdline option found 31->131 50 cmd.exe 3 31->50         started        process11 file12 73 C:\Users\user\...\38vNCBzKzQ2u9PNf.bat, DOS 50->73 dropped 101 Suspicious powershell command line found 50->101 103 Uses cmd line tools excessively to alter registry or file data 50->103 105 Encrypted powershell cmdline option found 50->105 54 powershell.exe 20 50->54         started        57 powershell.exe 12 50->57         started        59 powershell.exe 16 50->59         started        62 3 other processes 50->62 signatures13 process14 file15 115 Injects code into the Windows Explorer (explorer.exe) 54->115 117 Writes to foreign memory regions 54->117 119 Creates a thread in another existing process (thread injection) 54->119 64 explorer.exe 54->64 injected 68 csc.exe 54->68         started        121 Creates / moves files in alternative data streams (ADS) 57->121 77 C:\Users\user\AppData\...\ps_s56UP9uL.ps1, Unicode 59->77 dropped signatures16 process17 dnsIp18 81 92.119.164.107, 4782, 49696 MYVIRTUALSERVERmyVirtualserverDE Germany 64->81 83 ipwho.is 15.204.213.5, 443, 49698 HP-INTERNET-ASUS United States 64->83 87 System process connects to network (likely due to code injection or exploit) 64->87 89 Hides that the sample has been downloaded from the Internet (zone.identifier) 64->89 91 Unusual module load detection (module proxying) 64->91 75 C:\Users\user\AppData\Local\...\kjqfrehy.dll, PE32 68->75 dropped 71 cvtres.exe 68->71         started        file19 signatures20 process21
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/012ae3bac67ed8735dfcf14d833a5da1f0b549fe82ac6bbc679c086b5d6fcfa0
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/012ae3bac67ed8735dfcf14d833a5da1f0b549fe82ac6bbc679c086b5d6fcfa0/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/012ae3bac67ed8735dfcf14d833a5da1f0b549fe82ac6bbc679c086b5d6fcfa0
Threat name:
Win64.Backdoor.Quasar
Create hunting rule
Status:
Malicious
First seen:
2026-01-13 01:34:59 UTC
File Type:
PE+ (Exe)
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aevohowgp3mhgxp46fgygos5uhylksp6qkwgxpdhtqegwxlpz6qa._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
quasarrat
Create hunting rule
Similar samples:
012ae3bac67ed8735dfcf14d833a5da1f0b549fe82ac6bbc679c086b5d6fcfa0
QuasarRAT
3e081805b7db9aa700d3e96fe2212493e1d4704a43ec7b57459f7dd0eb33bbd3
QuasarRAT
5249882063c9eefc16d3dcf0f00ecc6a52a4e47e4c01cd044d8678b7c32bb61d
QuasarRAT
5dd9cbc64e7414cc479191cbef353c9456d75579d6453157b5f696edeba2d8b5
QuasarRAT
658d3acfc7e71d6b3451973ab8c207dca57264f9b17fc9e37c8b7a1e46561489
QuasarRAT
776e3442aaaf2c3e01cb2b9030be776ec31aac9305e5795c5002230820f2b4c4
QuasarRAT
c6e92bc1395d1865f41e0d10256f7de0fd6913a07c414b2489a191227b3730f6
QuasarRAT
d797019b2ff011ae71e9e700e8f9a16cb463af646aae4815654ae79e09f59ceb
QuasarRAT
ebadac7a2fcf13d135c59215056896a5ebe91b442edd6acf12110c357956a143
QuasarRAT
error
QuasarRAT
fc791cea301af15a8c46dfd5ddf048fbc52cb694d5e9118c41363675823a328b
QuasarRAT
+ 2'298 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:quasar defense_evasion execution loader persistence spyware trojan
Link:
https://tria.ge/reports/260113-thj91ab14b/
Behaviour
Modifies registry class
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Detects DonutLoader
DonutLoader
Donutloader family
Quasar RAT
Quasar family
Quasar payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b4d8fd01-1c30-47de-ad50-226cf54f21f9
Unpacked files
SH256 hash:
012ae3bac67ed8735dfcf14d833a5da1f0b549fe82ac6bbc679c086b5d6fcfa0
MD5 hash:
9a0bbc1414de589016f32d899dd33049
SHA1 hash:
80c3b8de59079110fec0099d7b179b32793ec625
Link:
https://www.unpac.me/results/cde9945f-0cd8-4a01-a9e7-276c766fcd41/
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/012ae3bac67e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/012ae3bac67ed8735dfcf14d833a5da1f0b549fe82ac6bbc679c086b5d6fcfa0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:SUSP_Base64
Create hunting rule
Author:Eslam Hassan
Description:Detects hex encoded code that has been base64 encoded
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/48783/

Comments