MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07153220ad7f4acccdb8ddd3a64849cb263bbabb032c119ab71cc00fc49a9fde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



QuasarRAT


Vendor detections: 9



SHA256 hash: 07153220ad7f4acccdb8ddd3a64849cb263bbabb032c119ab71cc00fc49a9fde
SHA3-384 hash: 3b8546109d1e7017ab0ef2e0826b1aaee1fdee860e84da45112a0c17b3c994932691858ea6b0b87bf7892b986a66cd96
SHA1 hash: f61a4f1f36d540ec657a5048290f2794755ad96c
MD5 hash: 1f7a68b55d8d41278496a30ac8d7640a
humanhash: glucose-blossom-red-lithium
File name: Madium-Boostrapper.bat
Signature: QuasarRAT
File size: 10'651'485 bytes
First seen: 2026-05-26 20:21:06 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 49152:SPrTO4LrI4LK/IzFCBpKXeJxoZIDfI6QFsxfSd49xRFso4JCwfdmkS93iG2kaVEc:6
TLSH: T172B633268E79BEBF4AAC632C707F1F1D4FA40E948499E9D657D36DC34B0EB50011B868
Magika: batch
Reporter: burger
Tags: bat QuasarRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 66
Origin country: DE
Vendor Threat Intelligence
No detections
Malware family: n/a
ID: 1
File name: Madium-Boostrapper.bat
Verdict: No threats detected
Analysis date: 2026-05-26 20:18:50 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a file in the Windows directory
Creating a file
Creating a service
Launching a service
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Creating a file in the system32 subdirectories
Creating a process with a hidden window
Creating a file in the %temp% directory
Setting a keyboard event handler
Connection attempt
DNS request
Sending a custom TCP request
Setting browser functions hooks
Enabling autorun for a service
Unauthorized injection to a recently created process
Using obfuscated Powershell scripts
Enabling autorun by creating a file
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict: Malicious
File Type: unix shell
First seen: 2026-05-28T10:08:00Z UTC
Last seen: 2026-05-28T10:37:00Z UTC
Hits: ~10
Detections: PDM:Trojan.Win32.Generic PDM:Exploit.Win32.Generic HEUR:Trojan.BAT.Alien.gen
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Deletes keys which are related to windows safe boot (disables safe mode boot)
Detected large data written to user environment variables, potentially indicating payload staging for fileless execution
Drops executables to the windows directory (C:\Windows) and starts them
Enables network access during safeboot for specific services
Found large BAT file
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Powershell connects to network
Powershell drops PE file
Powershell is started from unusual location (likely to bypass HIPS)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Registers a service to start in safe boot mode
Renames powershell.exe to bypass HIPS
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious Environment Variable Has Been Registered
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Powershell decode and execute
Yara detected Quasar RAT
Behaviour
Behavior Graph: [graph rendering omitted] Behavior Graph ID 1918951, sample Madium-Boostrapper.bat, start date 26/05/2026, architecture WINDOWS, score 100. The graph shows cmd.exe and powershell.exe spawning renamed copies ($mxe-cmd.exe, $mxe-powershell.exe) dropped into C:\Windows, injection into winlogon.exe, lsass.exe, dwm.exe and dllhost.exe, and network contact with mr-b01.tm-azurefd.net, casoneroutegold-prod-bggfgca0dkaag8a8.b01.azurefd.net, ipwho.is (172.66.175.107:443) and 87.121.79.203:3241.
Threat name: Win32.Trojan.Malgent
Status: Malicious
First seen: 2026-05-26 20:21:10 UTC
File Type: Text
AV detection: 8 of 24 (33.33%)
Threat level: 5/5
Verdict: malicious
Label(s): quasarrat
Similar samples:
Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion execution persistence ransomware
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Drops file in System32 directory
Hide Artifacts: Hidden Window
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Indicator Removal: Clear Windows Event Logs
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:telebot_framework
Author:vietdx.mb
Rule name:Warp
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Author:Seth Hardy
Description:Warp Identifying Strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments