MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 437461c3abc56cf90c1d460bb18e8420e077d0a36d16e3fa9ab7d22c324183df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 437461c3abc56cf90c1d460bb18e8420e077d0a36d16e3fa9ab7d22c324183df
SHA3-384 hash: 7953f57581e5919f1e33f728cc30b66ccee7271d2b174e61f9c4bc5e7587260c62dbe0b2ca8ba6e1f815e17f65c2c951
SHA1 hash: a68b9b41b1713336dfc4b11725294b09c77fcab5
MD5 hash: 75111360af76ae8145b71f91c1370a94
humanhash: jupiter-sink-massachusetts-yankee
File name:7_Day_Healthy_Meal_Plan.scr
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:11'129'856 bytes
First seen:2026-05-20 11:12:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 22d2097fddb55e4b610171b15e37eaf0 (2 x QuasarRAT)
ssdeep 196608:RDoOsUKwbsXfK0y4z4ncjSq1KMFJMD/FdUfYasCYpEqPJQ3PHZl9Nn0teCXjga40:2OnsXfrzFJMD/QfYasYOJK5Gnjp9
TLSH T16CB633D5FA0BE865D82744F78A8807230412BE5F0ED4B16D4B29BF7733723E9365285A
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 68d8d8c8d9a9c1d9 (96 x SnakeKeylogger, 75 x RemcosRAT, 69 x Formbook)
Reporter smica83
Tags:exe QuasarRAT UPX
File size (compressed) :11'129'856 bytes
File size (de-compressed) :32'096'768 bytes
Format:win64/pe
Unpacked file: ffcee98683cf69d52232ceb890a778ec958b861509bdc55561ffe6b0a421afa8

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
PEPacker
Details
PEPacker
a UPX version number and an unpacked binary
Link:
https://research.acce.ciphertechsolutions.com/results/1f34741b-33f7-4893-b552-e3ca6b15d268/
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
No threats detected
Analysis date:
2026-05-20 11:15:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b4bed7a0-58b7-4a73-a704-292386e51e6d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/66589/
Detection(s):
SecuriteInfo.com.Trojan.Siggen32.41989.15222.30481.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a0d97344f2b29ce0401b3af
Tags:
shellcode vmdetect virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
Connection attempt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypto fingerprint masquerade microsoft_visual_cc packed packed packed reconnaissance upx
Link:
https://www.filescan.io/uploads/6a0d972578f38c56ac73afdb/reports/4ae9698f-d023-4456-8465-af7bfda3d4d1/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/437461c3abc56cf90c1d460bb18e8420e077d0a36d16e3fa9ab7d22c324183df
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-05-14T00:02:00Z UTC
Last seen:
2026-05-14T02:14:00Z UTC
Hits:
~1000
Detections:
Trojan.Win64.DllHijack.sb Trojan.Win32.Pdfer.sba Trojan.Win32.Dedok.sb Trojan.Win64.DLLhijack.eej Trojan.Win32.Agent.xcdwof
Link:
https://opentip.kaspersky.com/437461c3abc56cf90c1d460bb18e8420e077d0a36d16e3fa9ab7d22c324183df/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7a77138d-6862-418c-ae33-84e87961b9fd
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1916283
Signature
Connects to many ports of the same IP (likely port scanning)
Creates files in the system32 config directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1916283 Sample: 7_Day_Healthy_Meal_Plan.scr.exe Startdate: 20/05/2026 Architecture: WINDOWS Score: 100 67 ws.asklink.com 2->67 69 shed.dual-low.part-0012.t-0009.t-msedge.net 2->69 71 6 other IPs or domains 2->71 89 Suricata IDS alerts for network traffic 2->89 91 Found malware configuration 2->91 93 Malicious sample detected (through community Yara rule) 2->93 95 6 other signatures 2->95 9 7_Day_Healthy_Meal_Plan.scr.exe 3 85 2->9         started        13 AskLink.exe 2->13         started        signatures3 process4 file5 59 C:\Users\user\AppData\Roaming\...\devcon.exe, PE32+ 9->59 dropped 61 C:\Users\user\AppData\...\AskLinkHidKmdf.sys, PE32+ 9->61 dropped 63 C:\Users\user\AppData\...\AskLinkHid.sys, PE32+ 9->63 dropped 65 11 other files (10 malicious) 9->65 dropped 97 Sample is not signed and drops a device driver 9->97 15 AskLink.exe 15 32 9->15         started        19 Acrobat.exe 20 63 9->19         started        99 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->99 101 Installs a global keyboard hook 13->101 21 cmd.exe 13->21         started        23 cmd.exe 13->23         started        25 cmd.exe 13->25         started        27 5 other processes 13->27 signatures6 process7 dnsIp8 75 103.45.66.52, 1082, 49732 CTGSERVERLIMITED-AS-APCTGServerLimitedHK Hong Kong SAR China 15->75 77 8.8.4.4 GOOGLE-GoogleLLCUS United States 15->77 79 4 other IPs or domains 15->79 81 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->81 83 Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines) 15->83 85 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 15->85 87 6 other signatures 15->87 29 cmd.exe 15->29         started        32 AcroCEF.exe 102 19->32         started        34 netsh.exe 21->34         started        36 conhost.exe 21->36         started        38 conhost.exe 23->38         started        40 netsh.exe 23->40         started        42 conhost.exe 25->42         started        44 netsh.exe 25->44         started        46 8 other processes 27->46 signatures9 process10 signatures11 103 Uses netsh to modify the Windows network and firewall settings 29->103 105 Uses ipconfig to lookup or modify the Windows network settings 29->105 48 conhost.exe 29->48         started        50 chcp.com 29->50         started        52 ipconfig.exe 29->52         started        57 2 other processes 29->57 54 AcroCEF.exe 32->54         started        107 Creates files in the system32 config directory 34->107 process12 dnsIp13 73 23.62.10.182, 443, 49729 AKAMAI-AS-AkamaiTechnologiesIncUS United States 54->73
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/437461c3abc56cf90c1d460bb18e8420e077d0a36d16e3fa9ab7d22c324183df
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/437461c3abc56cf90c1d460bb18e8420e077d0a36d16e3fa9ab7d22c324183df/
Verdict:
Malicious
Threat:
Trojan.Win32.Dedok
Link:
https://tip.neiki.dev/file/437461c3abc56cf90c1d460bb18e8420e077d0a36d16e3fa9ab7d22c324183df
Threat name:
Win64.Backdoor.AsyncRAT
Create hunting rule
Status:
Suspicious
First seen:
2026-05-14 03:36:33 UTC
File Type:
PE+ (Exe)
Extracted files:
61
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=in2gdq5lyvwpsda5iyf3ddueedqhpufdnuloh6u2w7jcymsbqppq._file
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar defense_evasion discovery persistence privilege_escalation spyware trojan upx
Link:
https://tria.ge/reports/260520-na6kdaby3t/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Gathers network information
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
UPX packed file
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
Family: Quasar RAT
Quasar payload
Unpacked files
SH256 hash:
437461c3abc56cf90c1d460bb18e8420e077d0a36d16e3fa9ab7d22c324183df
MD5 hash:
75111360af76ae8145b71f91c1370a94
SHA1 hash:
a68b9b41b1713336dfc4b11725294b09c77fcab5
Link:
https://www.unpac.me/results/0272fbc3-ad69-4dec-bfeb-d5c15b68b518/
SH256 hash:
ffcee98683cf69d52232ceb890a778ec958b861509bdc55561ffe6b0a421afa8
MD5 hash:
cc20cd1d42b382cc1642be185509416b
SHA1 hash:
0287ea8f7d92ba0d90b99a54063377f6c6fbdd0b
Link:
https://www.unpac.me/results/0272fbc3-ad69-4dec-bfeb-d5c15b68b518/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/437461c3abc5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

QuasarRAT

Executable exe 437461c3abc56cf90c1d460bb18e8420e077d0a36d16e3fa9ab7d22c324183df

(this sample)

QuasarRAT

Executable exe ffcee98683cf69d52232ceb890a778ec958b861509bdc55561ffe6b0a421afa8

Cape
Cape
https://www.capesandbox.com/analysis/66589/
  
Dropping
SHA256 ffcee98683cf69d52232ceb890a778ec958b861509bdc55561ffe6b0a421afa8
  
Dropping
MD5 cc20cd1d42b382cc1642be185509416b

Comments