MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71d675e36d237be76f9141742350f8b2d94d8cefa2b9b3b62622703193c15414. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 20


Intelligence 20 IOCs YARA 27 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71d675e36d237be76f9141742350f8b2d94d8cefa2b9b3b62622703193c15414
SHA3-384 hash: d830f380ded46c9266f947033be681959eff17aa07d833a91b56ce2aacc100a92d37c7aae26076444d50c7c0796932f0
SHA1 hash: c844ceaea798ddfd222b7e3dca9f8ea0e40f2f41
MD5 hash: b64cd44b3cee306d29f86db593e1fea0
humanhash: twenty-west-utah-grey
File name:ExoRATdusUI.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:5'149'184 bytes
First seen:2025-08-27 07:09:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (33 x CoinMiner, 17 x AsyncRAT, 15 x BlankGrabber)
ssdeep 98304:EaaOf+vX/XW8tMUhwDod9zogK7HubZMzbpS07JpUF3Q8vUlHGvfGuFvK2aG:EaarvfW87hCWz7UTc0NpUF3jOHG1Qb
Threatray 71 similar samples on MalwareBazaar
TLSH T1D93623390F56847DC1AB76FC00585361CC022A387BE634E37AAECE77904ADA2517779B
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter abuse_ch
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
62
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
ExoRATdusUI.exe
Verdict:
Malicious activity
Analysis date:
2025-08-26 22:38:48 UTC
Tags:
auto-sch evasion miner winring0-sys vuln-driver upx xmrig
Link:
https://app.any.run/tasks/1a992c7e-5204-4308-8b5d-d48748ff0bbc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
R77
Create hunting rule
Link:
https://www.capesandbox.com/analysis/23781/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68aeaf41eb163e0ec182d3c6
Tags:
autorun emotet cobalt mint
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Creating a window
Launching a process
Connection attempt
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Running batch commands
Creating a service
Creating a file
Launching a service
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Setting browser functions hooks
Unauthorized injection to a recently created process
Enabling autorun for a service
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt dcrat nitol packed quasar razy stealer tiny unsafe
Link:
https://www.filescan.io/uploads/68aeaf677137d684583f8113/reports/ca90407e-53f7-444a-b363-dc0417261071/overview
Verdict:
Malicious
Labled as:
Razy.Generic
Link:
https://www.hybrid-analysis.com/sample/71d675e36d237be76f9141742350f8b2d94d8cefa2b9b3b62622703193c15414
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-26T20:06:00Z UTC
Last seen:
2025-08-26T20:06:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Agent.sb HEUR:Trojan.Win64.Reflo.gen HEUR:Trojan.Win32.Miner.pef HEUR:Trojan.Win32.Generic BSS:Trojan.Win32.Generic Trojan.Win64.Reflo.sb Trojan.Win32.Agent.rnd Trojan.MSIL.Quasar.a HEUR:Trojan.Win32.Agent.pef HEUR:Rootkit.Win64.Agent.gen HEUR:Trojan.MSIL.Quasar.gen RiskTool.Miner.UDP.C&C RiskTool.BitCoinMiner.TCP.C&C
Link:
https://opentip.kaspersky.com/71d675e36d237be76f9141742350f8b2d94d8cefa2b9b3b62622703193c15414/results?tab=lookup
Malware family:
XMRig Miner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c8d4c11f-8956-4d38-8c11-745cff5e17c3
Result
Threat name:
Quasar, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1765964
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Disable power options
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Quasar RAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1765964 Sample: ExoRATdusUI.exe Startdate: 27/08/2025 Architecture: WINDOWS Score: 100 80 pool.hashvault.pro 2->80 82 ipwho.is 2->82 126 Found malware configuration 2->126 128 Malicious sample detected (through community Yara rule) 2->128 130 Antivirus / Scanner detection for submitted sample 2->130 132 13 other signatures 2->132 9 ExoRATdusUI.exe 3 2->9         started        12 tmsvgrssavbw.exe 2->12         started        15 AudioService.exe 3 2->15         started        signatures3 process4 file5 74 C:\Users\user\AppData\Roaming\audiosrv.exe, PE32+ 9->74 dropped 76 C:\Users\user\AppData\...\AudioService.exe, PE32 9->76 dropped 17 audiosrv.exe 1 2 9->17         started        21 AudioService.exe 14 10 9->21         started        24 conhost.exe 9->24         started        78 C:\Windows\Temp\pkiuegfpwjbv.sys, PE32+ 12->78 dropped 136 Antivirus detection for dropped file 12->136 138 Multi AV Scanner detection for dropped file 12->138 140 Modifies the context of a thread in another process (thread injection) 12->140 142 3 other signatures 12->142 26 dialer.exe 12->26         started        28 powershell.exe 12->28         started        30 dialer.exe 12->30         started        32 6 other processes 12->32 signatures6 process7 dnsIp8 72 C:\ProgramData\...\tmsvgrssavbw.exe, PE32+ 17->72 dropped 90 Antivirus detection for dropped file 17->90 92 Multi AV Scanner detection for dropped file 17->92 94 Uses powercfg.exe to modify the power settings 17->94 112 3 other signatures 17->112 34 dialer.exe 17->34         started        37 powershell.exe 23 17->37         started        39 cmd.exe 1 17->39         started        47 8 other processes 17->47 84 91.200.220.71, 49683, 80 VICATVUA Ukraine 21->84 86 ipwho.is 15.204.213.5, 443, 49685 HP-INTERNET-ASUS United States 21->86 96 Uses schtasks.exe or at.exe to add and modify task schedules 21->96 98 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->98 100 Found direct / indirect Syscall (likely to bypass EDR) 21->100 41 schtasks.exe 1 21->41         started        102 Injects code into the Windows Explorer (explorer.exe) 26->102 104 Writes to foreign memory regions 26->104 106 Allocates memory in foreign processes 26->106 114 2 other signatures 26->114 49 10 other processes 26->49 108 Loading BitLocker PowerShell Module 28->108 43 conhost.exe 28->43         started        88 pool.hashvault.pro 216.219.85.122, 443, 49687 IS-AS-1US United States 30->88 110 Query firmware table information (likely to detect VMs) 30->110 45 conhost.exe 32->45         started        51 5 other processes 32->51 file9 signatures10 process11 signatures12 116 Contains functionality to inject code into remote processes 34->116 118 Writes to foreign memory regions 34->118 120 Allocates memory in foreign processes 34->120 124 3 other signatures 34->124 53 lsass.exe 34->53 injected 68 3 other processes 34->68 122 Loading BitLocker PowerShell Module 37->122 56 conhost.exe 37->56         started        58 conhost.exe 39->58         started        60 wusa.exe 39->60         started        62 WmiPrvSE.exe 41->62         started        64 conhost.exe 41->64         started        66 conhost.exe 47->66         started        70 6 other processes 47->70 process13 signatures14 134 Writes to foreign memory regions 53->134
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/71d675e36d237be76f9141742350f8b2d94d8cefa2b9b3b62622703193c15414
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/71d675e36d237be76f9141742350f8b2d94d8cefa2b9b3b62622703193c15414/
Verdict:
Malicious
Threat:
Family.XMRIG
Link:
https://tip.neiki.dev/file/71d675e36d237be76f9141742350f8b2d94d8cefa2b9b3b62622703193c15414
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2025-08-26 22:38:49 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ohlhly3nen56o34rif2cguhywlmu3dhpuk43hnrgejydde6bkqka._file
Verdict:
malicious
Label(s):
unc_loader_055
Create hunting rule
quasarrat
Create hunting rule
r77rootkit
Create hunting rule
Similar samples:
0065d42e62b532221d6ec96913cdedd45d3e84b1d50076b478a5d0a22608b536
QuasarRAT
4d99b92df452a113bafe2af82d237225ff93afe39fae138305b8201b179357c1
QuasarRAT
5d6b6bcd74ed29295040fe1622bd3c681fe2b729eaa9f24b4538d1db6eb2e3e3
QuasarRAT
6ce2462286dc687b1ccab7592a3a68c0504b2639e28cfb8a849e0cd12763fea0
QuasarRAT
7645e0b22c7ea622d164b55b3449831e99bcf4de66c31ac0afaa877cef03248e
QuasarRAT
9019276cf50b5e8397a04c81e75faf35308f2dd7b480db9a060e1c50e66678f2
QuasarRAT
c7cfa4eb2cce54eae7d5af7025931c424e48c3dd28dcdb76399e4ab23a4c1f6e
QuasarRAT
ddfffb912ac59f774d452516e5834d9e0175db9608e91eba45379a78b3c53fa9
QuasarRAT
+ 61 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution persistence
Link:
https://tria.ge/reports/250827-hzkfjswzh1/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Power Settings
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Modifies trusted root certificate store through registry
Stops running service(s)
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f026a6a6-35cb-4b14-b996-b24369b0345b
Unpacked files
SH256 hash:
71d675e36d237be76f9141742350f8b2d94d8cefa2b9b3b62622703193c15414
MD5 hash:
b64cd44b3cee306d29f86db593e1fea0
SHA1 hash:
c844ceaea798ddfd222b7e3dca9f8ea0e40f2f41
Link:
https://www.unpac.me/results/ed39ef1d-5cf3-4eb2-996e-ed40abe35321/
SH256 hash:
f2fed59a5e1b462b20de41e3c1d2cef439f50334a03b793e4f6a57dca931e77a
MD5 hash:
9c90e2062a4bfb94b73aefe769ebebd8
SHA1 hash:
a4c27641c980ca21fa493804bcc1594d52337b9b
Detections:
INDICATOR_EXE_Packed_Fody
Create hunting rule
Link:
https://www.unpac.me/results/ed39ef1d-5cf3-4eb2-996e-ed40abe35321/
SH256 hash:
6c03d8c57a6b1ac30298493f7e08c4d4962332666804790c7e34dc32ff091f46
MD5 hash:
443fcf513a4b426453d4fdbc5157610a
SHA1 hash:
01845411acc58869d8add0c2473132bbb8ee49d7
Link:
https://www.unpac.me/results/ed39ef1d-5cf3-4eb2-996e-ed40abe35321/
SH256 hash:
d5235265564f0bfd23b7279d7bdccc9ea6383ed07c5d0bfdf6c99029af9a2c0c
MD5 hash:
1d3dd9fcc077e6b4f88c05b9aef53ee6
SHA1 hash:
12b33858bc84f54b8aa8dbcb5a0ec2da043a6f66
Link:
https://www.unpac.me/results/ed39ef1d-5cf3-4eb2-996e-ed40abe35321/
SH256 hash:
a6b4075d1a8a54ea8266bea5d448e710a975314e3efeaa8fd1a2d76335d753c4
MD5 hash:
7b72daf66cc42cdb3ae05c0072ea0310
SHA1 hash:
249933044fb1d60348cf1438a30cecfd3d6f41fc
Link:
https://www.unpac.me/results/ed39ef1d-5cf3-4eb2-996e-ed40abe35321/
SH256 hash:
c1046a94e4042f0a622670cd6a01ca235609732d8ef68889e87fc947d754c5f5
MD5 hash:
8f786e161e0925e8a7c5602f64fff988
SHA1 hash:
4f90a7c051bb4a8e95a43916a4e979b1daadfffa
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
HKTL_NET_GUID_Quasar
Create hunting rule
Link:
https://www.unpac.me/results/ed39ef1d-5cf3-4eb2-996e-ed40abe35321/
Parent samples :
0065d42e62b532221d6ec96913cdedd45d3e84b1d50076b478a5d0a22608b536
c7cfa4eb2cce54eae7d5af7025931c424e48c3dd28dcdb76399e4ab23a4c1f6e
9b7be09c491e55dc424bbf7f3281b467d7e26d918263d925bb4b624fc25ff616
8ca07bac80251aac5bae7418c53144e723c1750d400faaac1678c55457f0f64a
565ba37db962f10ea77fab2be20b5d65672a72c7bbda35cf5538a236a3f63337
7645e0b22c7ea622d164b55b3449831e99bcf4de66c31ac0afaa877cef03248e
ddfffb912ac59f774d452516e5834d9e0175db9608e91eba45379a78b3c53fa9
71d675e36d237be76f9141742350f8b2d94d8cefa2b9b3b62622703193c15414
544f187d0b620cb18a494ea3ec51472e504eac944ef59dc4b5de1c60a9d5800e
e2c14df722dfbb0c3a8c4228034f37ba6395babc29ad2aa9f4a175f37a839831
SH256 hash:
ee78cac7a84b7de57685d1e6f8e7812f64d8f13055c23c90cde634b1e107a66b
MD5 hash:
40ee194fe5349b2c76572c6e35d12fc7
SHA1 hash:
61d72b47d1c62cab65f3cacb6fac72b77523cb08
Link:
https://www.unpac.me/results/ed39ef1d-5cf3-4eb2-996e-ed40abe35321/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/71d675e36d23/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/71d675e36d237be76f9141742350f8b2d94d8cefa2b9b3b62622703193c15414

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:Costura_Protobuf
Create hunting rule
Author:@bartblaze
Description:Identifies Costura and Protobuf in .NET assemblies, respectively for storing resources and (de)serialization. Seen together might indicate a suspect binary.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:MALWARE_Win_R77
Create hunting rule
Author:ditekSHen
Description:Detects r77 rootkit
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_PssCaptureSnapshot_Usage
Create hunting rule
Author:Dana Behling - Just me not for personal curiosity, no company.
Description:Detects binaries abusing PssCaptureSnapshot in combination with typical combination that indicates malicious activity.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Rootkit_R77_d0367e28
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/23781/

Comments