MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ff5220a37320efc97d011a95e28bd0c016a5ddee388d469bade1fec7a87d325. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 34 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ff5220a37320efc97d011a95e28bd0c016a5ddee388d469bade1fec7a87d325
SHA3-384 hash: d60e342a2d7111ebf93c1f878f36ce229f44b34681dba61c61df33c7c22d303785e6e9bcb58a52e95e0842539a775ab4
SHA1 hash: 267afc889064d11d4f1abdd579c26242c79ebd7c
MD5 hash: 6bc90ee35a53fc5ff4e8574e6ea7a10f
humanhash: golf-east-emma-nineteen
File name:file
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:5'935'104 bytes
First seen:2026-03-27 04:16:47 UTC
Last seen:2026-03-27 23:47:58 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:smVVUahJXf6wf+YoP+FXnJ+pwhvd7pQLfypbpYroJoJIxqrjR29tqgW71HQaaqVq:VP648Wh
TLSH T18B564C6FAF659841CA4B41316FF97D483EBA373240C5608DD26B91807696BF2E64FC2C
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter Bitsight
Tags:dropped-by-amadey fbf543 msi QuasarRAT


Avatar
Bitsight
url: http://192.177.26.196/files/8525074840/yxPIfd2.msi

Intelligence

File Origin
# of uploads :
51
# of downloads :
83
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
MSI
an embedded setup program or component
Link:
https://research.acce.ciphertechsolutions.com/results/34b7162e-6991-4edc-8c1a-8c2f02cb22b6/
Gathering data
Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69c604d0aacb4c376b147fda
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm installer overlay packed wix
Link:
https://www.filescan.io/uploads/69c604ca972c219c8d6f8019/reports/3d3f5373-4fc6-497b-8599-8fcbe8443998/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/7ff5220a37320efc97d011a95e28bd0c016a5ddee388d469bade1fec7a87d325
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/7ff5220a37320efc97d011a95e28bd0c016a5ddee388d469bade1fec7a87d325
Details
OLE Stream with Embedded PE
Detected data within an OLE stream that looks like an encoded executable file.
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
Link:
https://opentip.kaspersky.com/7ff5220a37320efc97d011a95e28bd0c016a5ddee388d469bade1fec7a87d325/results?tab=lookup
Score:
82%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/7ff5220a37320efc97d011a95e28bd0c016a5ddee388d469bade1fec7a87d325
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable Office Document PE (Portable Executable) PE File Layout
Link:
https://app.malva.re/file/6bc90ee35a53fc5ff4e8574e6ea7a10f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ff5220a37320efc97d011a95e28bd0c016a5ddee388d469bade1fec7a87d325/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/7ff5220a37320efc97d011a95e28bd0c016a5ddee388d469bade1fec7a87d325
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p72secrxgihpzf6qcguv4kf5bqawuxo64oeni2n23yp6y6uh2msq._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
error
QuasarRAT
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:quasar loader persistence privilege_escalation spyware trojan
Link:
https://tria.ge/reports/260327-ewgnpsat7m/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
Drops file in Windows directory
Contacts third-party web service commonly abused for C2
Enumerates connected drives
Looks up external IP address via web service
Loads dropped DLL
Detects DonutLoader
DonutLoader
Donutloader family
Quasar RAT
Quasar family
Quasar payload
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7ff5220a3732/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ff5220a37320efc97d011a95e28bd0c016a5ddee388d469bade1fec7a87d325

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Dlls
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:MAL_BackNet_Nov18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects BackNet samples
Reference:https://github.com/valsov/BackNet
Rule name:MAL_BackNet_Nov18_1_RID2D6D
Create hunting rule
Author:Florian Roth
Description:Detects BackNet samples
Reference:https://github.com/valsov/BackNet
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Pulsar_RAT
Create hunting rule
Author:@bartblaze
Description:Identifies Pulsar RAT, based on Quasar RAT.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.pulsar_rat
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Trojan_Donutloader_f40e3759
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Microsoft Software Installer (MSI) msi 7ff5220a37320efc97d011a95e28bd0c016a5ddee388d469bade1fec7a87d325

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3805984/
Cape
Cape
https://www.capesandbox.com/analysis/59480/
  
URLhaus
https://urlhaus.abuse.ch/url/3805956/

Comments