MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5df7a18c5674abbab89a53d3398c3398b800b14f8ff08488d89407402325f75a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5df7a18c5674abbab89a53d3398c3398b800b14f8ff08488d89407402325f75a
SHA3-384 hash: 0d184c8f56256a88c8e67e751646510677986a0a02f95eaef049f54045ac6f780af1bff6bd5331b02e9963db3c2f2aa7
SHA1 hash: 902f4f7da9a9fb50ed424915b912a24870a9b854
MD5 hash: 1440e142dcf7f00c6385de1ca910210f
humanhash: purple-romeo-double-nuts
File name:5df7a18c5674abbab89a53d3398c3398b800b14f8ff08488d89407402325f75a.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'085'312 bytes
First seen:2025-09-15 08:34:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f52a2ec780c5256967378af46472f651 (1 x QuasarRAT)
ssdeep 49152:kBFU0/R6CGaL/lgcdZeFajEOPeVuo6eDNvHYSm4fa5J1+UTSSTLzqIU:kB/LNdXAacOe+ca5J1dJTLzq
Threatray 134 similar samples on MalwareBazaar
TLSH T1EEE5BE5BEA6A51E1C4BED038C152662FFDB034AA8334A7D79B915B4717237E0E93E700
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5df7a18c5674abbab89a53d3398c3398b800b14f8ff08488d89407402325f75a.exe
Verdict:
Malicious activity
Analysis date:
2025-09-14 09:29:38 UTC
Tags:
spectrerat
Link:
https://app.any.run/tasks/a83a59a8-2c6a-4512-8653-68ba9f864c7e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27492/
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c68b02d49ea3f1e4b58138
Tags:
small overt remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Searching for synchronization primitives
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Connection attempt to an infection source
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug base64 explorer fingerprint installer lolbin microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/68c7cf9edbc6f5a29c453273/reports/9c1702e9-4969-4eac-b7be-a3190cf33545/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/5df7a18c5674abbab89a53d3398c3398b800b14f8ff08488d89407402325f75a
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-13T04:23:00Z UTC
Last seen:
2025-09-13T04:23:00Z UTC
Hits:
~10
Detections:
Trojan.MSIL.Donut.sb PDM:Trojan.Win32.Generic Trojan.Win32.Shellcode.sb Trojan.MSIL.Quasar.ezf HackTool.Win64.FreshyCalls.sb Trojan-PSW.MSIL.Agent.sb Trojan.MSIL.Quasar.a HEUR:Trojan-Banker.MSIL.ClipBanker.gen HEUR:Trojan.MSIL.Quasar.gen Backdoor.MSIL.Agent.sb
Link:
https://opentip.kaspersky.com/5df7a18c5674abbab89a53d3398c3398b800b14f8ff08488d89407402325f75a/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5ba83c96-f5bd-46ef-bc3a-e220e66a634b
Result
Threat name:
Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1777593
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5df7a18c5674abbab89a53d3398c3398b800b14f8ff08488d89407402325f75a
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/1440e142dcf7f00c6385de1ca910210f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5df7a18c5674abbab89a53d3398c3398b800b14f8ff08488d89407402325f75a/
Verdict:
Malicious
Threat:
Family.QUASAR
Link:
https://tip.neiki.dev/file/5df7a18c5674abbab89a53d3398c3398b800b14f8ff08488d89407402325f75a
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-13 09:45:31 UTC
File Type:
PE+ (Exe)
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lx32ddcwosv3voe2kpjttdbttc4abmkpr7yijcgysqduaizf65na._file
Verdict:
malicious
Label(s):
donut_injector
Create hunting rule
quasarrat
Create hunting rule
Similar samples:
128b564d48862fe887ccebb64542c66a29b9943ed8bc7882bbb3992d4fe4792c
QuasarRAT
3662a8d4f950c9ebd0851e0b0713f2e48dfb7dd5ac3de02bae8acd1d6c4efd1d
QuasarRAT
5bf621e8d7c8590e3a2a5bb9779b5458b28f85b8887076b4a4885d1ee3e2c7f0
QuasarRAT
5df7a18c5674abbab89a53d3398c3398b800b14f8ff08488d89407402325f75a
QuasarRAT
6dbb22d7e0e30cbba3a888b9e736c9953c7edd4bb04a8855ff998f188e77e661
QuasarRAT
8768859060387f56a2243b3d68d1b88fc12def261668c945d67ba7772f569b24
QuasarRAT
907526c3c3900f327899c251e01e0bd5678774fc163f0c053eec4cbe1ea5e8b2
QuasarRAT
d017447f8ef2d707ce3a908e05bcac2206d8f5b8d63b72e494a81eb379b69853
QuasarRAT
error
QuasarRAT
f3e081a4b2e4302d3b14e5f16aca269ea93aa5cb816bb7ac2a8e4f51a80f0fde
QuasarRAT
+ 124 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar spyware stealer trojan
Link:
https://tria.ge/reports/250915-kgqwqagm9v/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Reads user/profile data of web browsers
Quasar RAT
Quasar family
Quasar payload
Verdict:
Suspicious
Tags:
Cloudflare_Workers
YARA:
n/a
Link:
https://app.threat.zone/submission/86cdf846-2961-4ebc-b4b6-acfddee1c8b9
Unpacked files
SH256 hash:
5df7a18c5674abbab89a53d3398c3398b800b14f8ff08488d89407402325f75a
MD5 hash:
1440e142dcf7f00c6385de1ca910210f
SHA1 hash:
902f4f7da9a9fb50ed424915b912a24870a9b854
Link:
https://www.unpac.me/results/8cd947aa-7e3f-49d1-8952-9ea723b6b8c5/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5df7a18c5674/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5df7a18c5674abbab89a53d3398c3398b800b14f8ff08488d89407402325f75a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/27492/

Comments