MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77193b76e7142383c2fb8f4c92891fa8eb0dd0f50ed206532ebd0abb93da9bc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77193b76e7142383c2fb8f4c92891fa8eb0dd0f50ed206532ebd0abb93da9bc9
SHA3-384 hash: bcfcefb7eeaf91340649faff7265c9c7a9d9ca6ab39e0b5fe3f401ab7075a836e05e209d1d1759ddc3612201917c67c3
SHA1 hash: 964bc91b13adef482a70de22ad51fd0619668f1d
MD5 hash: e0d61fd634a9cf31fe341476f6bc41d0
humanhash: kentucky-green-florida-echo
File name:school-year-2025-26-calendar 2.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:11'295'232 bytes
First seen:2026-06-03 16:11:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 22d2097fddb55e4b610171b15e37eaf0 (2 x QuasarRAT)
ssdeep 196608:oXW3FxZm3Q85tJooibDcrTjz+P+wA6SMyOOgKdfwvhCaoSZg5m631A4G6vQV/l1d:qaxKQ8dzTjzdtN/4vh9or5N3jvCP
Threatray 6 similar samples on MalwareBazaar
TLSH T1CBB633063841E64DD9B3C67C8EF6ACDCA697D4FB6418C8151615909F20AC632CB8E9FF
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon e8f0e8c8ccc0e8d8 (1 x QuasarRAT)
Reporter smica83
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
PEPacker
Details
PEPacker
a UPX version number and an unpacked binary
Link:
https://research.acce.ciphertechsolutions.com/results/cb58d262-63aa-4253-a309-364066363356/
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
No threats detected
Analysis date:
2026-06-03 16:14:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8210c927-9777-4b65-910c-72b2675ed032

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68898/
Detection(s):
SecuriteInfo.com.Trojan.Siggen32.47092.18417596.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a205264f8676ad4d360ba11
Tags:
vmdetect keylog sage remo
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Creating a window
Sending a custom TCP request
Searching for synchronization primitives
Connection attempt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypto fingerprint microsoft_visual_cc packed packed packed reconnaissance upx
Link:
https://www.filescan.io/uploads/6a20525c46e44aecc0cd2a43/reports/2743e3fc-1791-4185-a59f-4711241a438c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/77193b76e7142383c2fb8f4c92891fa8eb0dd0f50ed206532ebd0abb93da9bc9
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-06-03T01:30:00Z UTC
Last seen:
2026-06-04T20:17:00Z UTC
Hits:
~1000
Detections:
Trojan.Win64.DllHijack.sb Trojan.MSIL.Quasar.hgy Trojan.Win32.Quasar.sb Trojan.Win32.Pdfer.sba Trojan.Win32.Dedok.sb Trojan.Win32.Agent.xcegiy Trojan.MSIL.Quasar.a Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Cyborg.sb Trojan-PSW.MSIL.Agent.sb
Link:
https://opentip.kaspersky.com/77193b76e7142383c2fb8f4c92891fa8eb0dd0f50ed206532ebd0abb93da9bc9/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/029a4282-ccb0-4170-aecc-b447d6110a23
Result
Threat name:
AsyncRAT, Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1922403
Signature
Connects to many ports of the same IP (likely port scanning)
Creates files in the system32 config directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Uses netsh to modify the Windows network and firewall settings
Yara detected AsyncRAT
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1922403 Sample: school-year-2025-26-calenda... Startdate: 03/06/2026 Architecture: WINDOWS Score: 100 63 ip.nc.gy 2->63 65 bg.microsoft.map.fastly.net 2->65 67 api.asklink.com 2->67 85 Suricata IDS alerts for network traffic 2->85 87 Found malware configuration 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 7 other signatures 2->91 9 school-year-2025-26-calendar 2.exe 3 86 2->9         started        13 AskLink.exe 2->13         started        signatures3 process4 file5 55 C:\Users\user\AppData\Roaming\...\devcon.exe, PE32+ 9->55 dropped 57 C:\Users\user\AppData\...\AskLinkHidKmdf.sys, PE32+ 9->57 dropped 59 C:\Users\user\AppData\...\AskLinkHid.sys, PE32+ 9->59 dropped 61 11 other files (10 malicious) 9->61 dropped 93 Sample is not signed and drops a device driver 9->93 15 AskLink.exe 14 31 9->15         started        19 Acrobat.exe 17 57 9->19         started        95 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->95 97 Installs a global keyboard hook 13->97 21 cmd.exe 13->21         started        23 cmd.exe 13->23         started        25 cmd.exe 13->25         started        27 5 other processes 13->27 signatures6 process7 dnsIp8 71 121.127.253.248, 12345, 49689 CTGSERVERLIMITED-AS-APCTGServerLimitedHK Hong Kong SAR China 15->71 73 8.8.4.4 GOOGLE-GoogleLLCUS United States 15->73 75 4 other IPs or domains 15->75 77 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->77 79 Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines) 15->79 81 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 15->81 83 6 other signatures 15->83 29 cmd.exe 15->29         started        32 AcroCEF.exe 95 19->32         started        34 netsh.exe 21->34         started        36 conhost.exe 21->36         started        38 conhost.exe 23->38         started        40 netsh.exe 23->40         started        42 conhost.exe 25->42         started        44 netsh.exe 25->44         started        46 8 other processes 27->46 signatures9 process10 signatures11 99 Uses netsh to modify the Windows network and firewall settings 29->99 48 conhost.exe 29->48         started        50 AcroCEF.exe 32->50         started        101 Creates files in the system32 config directory 34->101 53 conhost.exe 34->53         started        process12 dnsIp13 69 23.51.222.130 AKAMAI-AS-AkamaiTechnologiesIncUS United States 50->69
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/77193b76e7142383c2fb8f4c92891fa8eb0dd0f50ed206532ebd0abb93da9bc9
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77193b76e7142383c2fb8f4c92891fa8eb0dd0f50ed206532ebd0abb93da9bc9/
Verdict:
Malicious
Threat:
Family.QUASAR
Link:
https://tip.neiki.dev/file/77193b76e7142383c2fb8f4c92891fa8eb0dd0f50ed206532ebd0abb93da9bc9
Threat name:
Win64.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2026-06-03 06:12:52 UTC
File Type:
PE+ (Exe)
Extracted files:
69
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o4mtw5xhcqryhqx3r5gjfci7vdvq3uhvb3jamuzoxuflxe62tpeq._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
437461c3abc56cf90c1d460bb18e8420e077d0a36d16e3fa9ab7d22c324183df
QuasarRAT
77193b76e7142383c2fb8f4c92891fa8eb0dd0f50ed206532ebd0abb93da9bc9
QuasarRAT
error
QuasarRAT
ffcee98683cf69d52232ceb890a778ec958b861509bdc55561ffe6b0a421afa8
QuasarRAT
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office04 adware defense_evasion discovery persistence privilege_escalation spyware trojan upx
Link:
https://tria.ge/reports/260603-tnmbjscw2p/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Gathers network information
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
UPX packed file
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
Family: Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
121.127.253.248:4782
Unpacked files
SH256 hash:
77193b76e7142383c2fb8f4c92891fa8eb0dd0f50ed206532ebd0abb93da9bc9
MD5 hash:
e0d61fd634a9cf31fe341476f6bc41d0
SHA1 hash:
964bc91b13adef482a70de22ad51fd0619668f1d
Link:
https://www.unpac.me/results/c73ffed1-cbf1-46b0-b9a2-eafbe63df37a/
SH256 hash:
a8add74e7acf2abb7b1f5d8230242c54e6fbdff55098b3a14e96eb5bd4947c6c
MD5 hash:
beb0ae9cc0a1d4d8da36b606f60ede60
SHA1 hash:
c2060e6f3ca969b63461507521795e4d744b8fa9
Link:
https://www.unpac.me/results/c73ffed1-cbf1-46b0-b9a2-eafbe63df37a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/77193b76e714/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/77193b76e7142383c2fb8f4c92891fa8eb0dd0f50ed206532ebd0abb93da9bc9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/68898/

Comments