MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6597d0a917f2def35809cfcffd7c9098bc7e97eb62d35fb74486344208faf61a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 16



SHA256 hash: 6597d0a917f2def35809cfcffd7c9098bc7e97eb62d35fb74486344208faf61a
SHA3-384 hash: 53d29ec892e8f9824895c9e3343cae55a37611ae8c48235649f553279ce3c832570a24b5e65f845dcaee6613fccbf1ea
SHA1 hash: bcfd45ee7d5831662601edbb8a5647d0a144f8b5
MD5 hash: 3e68962725104a4f2da2ed3ebed2ded8
humanhash: fifteen-table-uniform-oxygen
File name: Crypt.exe
Signature: QuasarRAT
File size: 15'989'760 bytes
First seen: 2025-06-02 00:00:02 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a9c887a4f18a3fede2cc29ceea138ed3 (33 x CoinMiner, 17 x AsyncRAT, 15 x BlankGrabber)
ssdeep: 393216:jcYNXY+4fGRXu/mNDea5z9TP0iKiwC6pTZ9j:gfGPf5z9TP0XwO9
TLSH: T1AFF6C0E43F68DE5296E4A93A831E51DBD0A7CD20CCAE01C68536550F803F81766F9B7E
TrID: 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
dhash icon: 58c8d1d0cecbeeec (18 x AsyncRAT, 9 x XWorm, 6 x QuasarRAT)
Reporter: malcoding
Tags: exe QuasarRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 494
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Crypt.exe
Verdict: Malicious activity
Analysis date: 2025-06-02 00:00:25 UTC
Tags: telegram evasion stealer auto-sch auto-reg auto-startup octalyn python discord susp-powershell arch-doc ims-api generic api-base64 crypto-regex arch-html

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: autorun shell sage remo
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% directory
Creating a window
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Adding an access-denied ACE
Creating a file
Reading critical registry keys
Delayed writing of the file
Changing a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Destiny Stealer, Discord Token Stealer
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture screen (.Net source)
Detected generic credential text file
Drops PE files to the startup folder
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Rundll32 Execution Without CommandLine Parameters
Sigma detected: Schedule system process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected BrowsingHistoryView browser history reader tool
Yara detected Destiny Stealer
Yara detected Discord Token Stealer
Yara detected Octalyn Stealer
Yara detected Powershell download and execute
Yara detected Quasar RAT
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID 1703574, sample Crypt.exe, start date 02/06/2025, architecture WINDOWS, score 100. The graph nodes record the process tree (Crypt.exe starting netFrame.exe, blsd_win64.exe, Port.exe and others, which in turn start powershell.exe, rundll32.exe, schtasks.exe, grpconv.exe, winupd.exe, uac.exe and conhost.exe), the files dropped under %Temp% and %AppData% (win64.exe, tg_64.exe, ps_suppressor.exe, rundll32.exe, winupd.exe, uac.exe, credential text files such as system_info.txt and ChromeV20Passwords.txt, Cookies.temp SQLite files, user_OctalynRetrieved.zip and cp313 .pyd modules), and the network contacts: api.telegram.org (149.154.167.220, port 443), ipinfo.io (34.117.59.81, port 80), github.com (140.82.113.4, port 443), objects.githubusercontent.com (185.199.111.133, port 443) and MatrixShell-63771.portmap.io (193.161.193.99). The signature labels on the graph are the same as those in the signature list above.
Threat name: Win32.Dropper.Dapato
Status: Malicious
First seen: 2025-06-01 23:57:59 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 21 of 24 (87.50%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:gurcu family:quasar botnet:matrix credential_access defense_evasion discovery execution persistence pyinstaller spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Drops file in Drivers directory
Uses browser remote debugging
Detected Nirsoft tools
NirSoft WebBrowserPassView
Gurcu family
Gurcu, WhiteSnake
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
MatrixShell-63771.portmap.io:63771
https://api.telegram.org/bot7823561557:AAEyFp0rFayq4ELpx1LK5bFkNu7nOnnrH6A/sendMessage?chat_id=-1002543167462
https://api.telegram.org/bot7707984358:AAEIukqaP3WJYxoS3Cr2caD890RFs_jFfII/sendDocumen
https://api.telegram.org/bot7994891396:AAFIUE-VePGwCtm6RpxA4SPsi99BwFtSzeA/sendDocumen
Verdict: Malicious
Tags: external_ip_lookup
YARA: n/a
Unpacked files
SHA256 hash: 034820ebeda45faf9bcfbf42096cfd5dd8b20a8693d6dd6ff202e00cfbe315e6
MD5 hash: b13b81c447e046063adc7f4ba46d55ac
SHA1 hash: 206e64ad4b1b0245ca2bc2274f33545a126d4da6
Detections: SUSP_NET_Large_Static_Array_In_Small_File_Jan24
SHA256 hash: 4c9615496970ea84320e2a6e99f8fb828e3c7790384df5585d93fc368885d94e
MD5 hash: 50e6524b7ee9c2c93f5210b63cb1ca54
SHA1 hash: 3e296ec3bb24750833ea80515e6fb4c73874c91a
SHA256 hash: c9736bed57d137a0bd4a454a70436020312db5a365bdd243037e766695c18ccd
MD5 hash: 41b34eab1585d5381c56730b93dd1310
SHA1 hash: 510b640517342dbcc40c81b63db23fa1444a71ed
SHA256 hash: 01d1bd238a5f34aebf0a2fd71f60b56ed12d10b2f768f5b7fa8da09b84a73f51
MD5 hash: 931853c766fb7be1d5dcb4475744bda4
SHA1 hash: 71e62f58d7ded90163f1a31c727229541da8f790
SHA256 hash: 9429f05aa4ab1ef92a0237410ea103cffa406b071953d50f5e7a55496d517c02
MD5 hash: 1c2c6b341535661b7501f5c4a434a78e
SHA1 hash: f45aefa816f86830bee41c0e5426e641d5af3c06
SHA256 hash: b495d130b930fc7c7ed5c54996ecd1589de51df36bc1cf8d3c87a5f99d37e587
MD5 hash: 18029ce6fb5eceab48ec1721c1c3d5a0
SHA1 hash: 0fee95620a85b06015ca785a399cac7d1b841a08
SHA256 hash: 9791baff96966181e181bd77c6b58d5653664c4c69f0423730c8fb769a6ee5d1
MD5 hash: d9ece5ef4b7980f4a2d7755b9688e73a
SHA1 hash: 12b3ae733fff968c17e506eb5960c9ba6b9b9b16
Detections: QuasarRAT cn_utf8_windows_terminal malware_windows_xrat_quasarrat MAL_QuasarRAT_May19_1 MAL_BackNet_Nov18_1 INDICATOR_EXE_Packed_Fody INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
SHA256 hash: c12eccbd8d4b479f89b00ad992839f4f9f85760f6f1a713bf54b90ddff4fe2cd
MD5 hash: 06039b426c6dc56c0ae5b42d1c57e7fc
SHA1 hash: 97e6f480aeaa8ee154c86415b675d4ecc3d30965
SHA256 hash: adc58d15de63fe27e987d4dc3aa17522f67e7a0ec646c92d70e99e45f76ea2e0
MD5 hash: 9dec3698a167142391ef339b3d8404cf
SHA1 hash: dc0f8ce4eb7b0ea2a552997295b06002df1b9ee9
Detections: MAL_NET_LimeCrypter_RunPE_Jan24 INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
SHA256 hash: 6597d0a917f2def35809cfcffd7c9098bc7e97eb62d35fb74486344208faf61a
MD5 hash: 3e68962725104a4f2da2ed3ebed2ded8
SHA1 hash: bcfd45ee7d5831662601edbb8a5647d0a144f8b5
Malware family: QuasarRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                  | Title                                                        | Severity
CHECK_AUTHENTICODE  | Missing Authenticode                                         | high
CHECK_NX            | Missing Non-Executable Memory Protection                     | critical
CHECK_PIE           | Missing Position-Independent Executable (PIE) Protection     | high
CHECK_TRUST_INFO    | Requires Elevated Execution (level: requireAdministrator)    | high
Reviews
ID         | Capabilities              | Evidence
SHELL_API  | Manipulates System Shell  | shell32.dll::ShellExecuteA

Comments