MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97ac7f267466d0546e1655f199aadde77aa0bf94d63d3b9efb086ed6c3b7b7da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97ac7f267466d0546e1655f199aadde77aa0bf94d63d3b9efb086ed6c3b7b7da
SHA3-384 hash: e895d7a7fa1958bbec713986c90c48b5bdae1e869cb966bad281ee9223b45c7f6eba9929c67c2119ab37e2b32b1e669f
SHA1 hash: c221fbb1d56082678f3829efc2475ef0310c6025
MD5 hash: 753729bfaf19af638f714c133cc3e8f8
humanhash: white-stream-salami-gee
File name:Chronic.solutions.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:10'302'464 bytes
First seen:2025-08-15 14:44:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (33 x CoinMiner, 17 x AsyncRAT, 15 x BlankGrabber)
ssdeep 196608:oCcFyth3V0uJhvlbgSRXWpaQZ+J6QR1o2x0JmO+6ZREC6CyzKW:owtNJptbXW1wJ6R2pO+6A+y
Threatray 17 similar samples on MalwareBazaar
TLSH T16AA633CFDEE1AEF1909BA9273C17B26FF7214A51640A6DFDC066B50032FDD661842B84
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter burger
Tags:BlankGrabber exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
51
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Chronic.solutions.exe
Verdict:
Malicious activity
Analysis date:
2025-08-15 14:34:44 UTC
Tags:
blankgrabber evasion auto-sch stealer auto-startup screenshot discord susp-powershell pyinstaller crypto-regex
Link:
https://app.any.run/tasks/f5449a46-9ecf-4f4a-90cc-c802df9ee730

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21545/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689f45838fd55a79c52736ed
Tags:
vmdetect autorun quasar
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
Сreating synchronization primitives
Creating a file in the system32 subdirectories
Running batch commands
DNS request
Sending a custom TCP request
Loading a suspicious library
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Connection attempt
Sending an HTTP GET request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/689f47d6abfbaec318238c71/reports/c28e0bdd-0046-468e-a208-2832b18eea1d/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/97ac7f267466d0546e1655f199aadde77aa0bf94d63d3b9efb086ed6c3b7b7da
Malware family:
Khalesi
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6243b823-fe1e-4205-a24f-03d157144ab2
Result
Threat name:
Blank Grabber, Quasar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1757933
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected Blank Grabber
Yara detected Quasar RAT
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1757933 Sample: Chronic.solutions.exe Startdate: 15/08/2025 Architecture: WINDOWS Score: 100 107 niggerlover.ddns.net 2->107 109 ip-api.com 2->109 111 2 other IPs or domains 2->111 129 Found malware configuration 2->129 131 Malicious sample detected (through community Yara rule) 2->131 133 Antivirus detection for dropped file 2->133 137 18 other signatures 2->137 12 Chronic.solutions.exe 4 2->12         started        16 svchost.exe 2->16         started        19 Client.exe 2->19         started        signatures3 135 Uses dynamic DNS services 107->135 process4 dnsIp5 93 C:\Users\user\AppData\...\Wehateniggers.exe, PE32 12->93 dropped 95 C:\Users\user\...\Fortnite External.exe, PE32+ 12->95 dropped 97 C:\Users\user\AppData\Local\Temp\Built.exe, PE32+ 12->97 dropped 181 Encrypted powershell cmdline option found 12->181 183 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->183 185 Modifies Windows Defender protection settings 12->185 187 Removes signatures from Windows Defender 12->187 21 Built.exe 62 12->21         started        25 Wehateniggers.exe 5 12->25         started        27 powershell.exe 23 12->27         started        29 4 other processes 12->29 105 127.0.0.1 unknown unknown 16->105 file6 signatures7 process8 file9 83 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 21->83 dropped 85 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 21->85 dropped 87 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 21->87 dropped 91 56 other malicious files 21->91 dropped 139 Modifies Windows Defender protection settings 21->139 141 Adds a directory exclusion to Windows Defender 21->141 143 Tries to harvest and steal WLAN passwords 21->143 145 Removes signatures from Windows Defender 21->145 31 Built.exe 1 88 21->31         started        89 C:\Windows\System32\SubDir\Client.exe, PE32 25->89 dropped 147 Antivirus detection for dropped file 25->147 149 Drops executables to the windows directory (C:\Windows) and starts them 25->149 151 Uses schtasks.exe or at.exe to add and modify task schedules 25->151 153 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->153 35 Client.exe 25->35         started        37 schtasks.exe 25->37         started        155 Found many strings related to Crypto-Wallets (likely being stolen) 27->155 157 Loading BitLocker PowerShell Module 27->157 39 conhost.exe 27->39         started        41 conhost.exe 29->41         started        signatures10 process11 dnsIp12 113 ip-api.com 208.95.112.1, 49694, 49707, 80 TUT-ASUS United States 31->113 115 discordapp.com 162.159.134.233, 443, 49708 CLOUDFLARENETUS United States 31->115 119 Found many strings related to Crypto-Wallets (likely being stolen) 31->119 121 Uses cmd line tools excessively to alter registry or file data 31->121 123 Tries to harvest and steal browser information (history, passwords, etc) 31->123 127 6 other signatures 31->127 43 cmd.exe 31->43         started        46 cmd.exe 31->46         started        48 cmd.exe 31->48         started        54 27 other processes 31->54 117 niggerlover.ddns.net 62.199.104.186, 8888 TELIANET-DENMARKDK Denmark 35->117 125 Hides that the sample has been downloaded from the Internet (zone.identifier) 35->125 50 schtasks.exe 35->50         started        52 conhost.exe 37->52         started        signatures13 process14 signatures15 165 Suspicious powershell command line found 43->165 167 Uses cmd line tools excessively to alter registry or file data 43->167 169 Encrypted powershell cmdline option found 43->169 179 2 other signatures 43->179 56 powershell.exe 43->56         started        59 conhost.exe 43->59         started        61 powershell.exe 46->61         started        64 conhost.exe 46->64         started        171 Adds a directory exclusion to Windows Defender 48->171 66 powershell.exe 48->66         started        68 conhost.exe 48->68         started        70 conhost.exe 50->70         started        173 Modifies Windows Defender protection settings 54->173 175 Tries to harvest and steal WLAN passwords 54->175 177 Removes signatures from Windows Defender 54->177 72 getmac.exe 54->72         started        74 46 other processes 54->74 process16 file17 159 Loading BitLocker PowerShell Module 56->159 101 C:\Users\user\AppData\...\esafcww5.cmdline, Unicode 61->101 dropped 76 csc.exe 61->76         started        161 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 72->161 163 Writes or reads registry keys via WMI 72->163 103 C:\Users\user\AppData\Local\Temp\3MalS.zip, RAR 74->103 dropped 79 Conhost.exe 74->79         started        signatures18 process19 file20 99 C:\Users\user\AppData\Local\...\esafcww5.dll, PE32 76->99 dropped 81 cvtres.exe 76->81         started        process21
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/97ac7f267466d0546e1655f199aadde77aa0bf94d63d3b9efb086ed6c3b7b7da
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/753729bfaf19af638f714c133cc3e8f8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97ac7f267466d0546e1655f199aadde77aa0bf94d63d3b9efb086ed6c3b7b7da/
Verdict:
Malicious
Threat:
Family.BLANKGRABBER
Link:
https://tip.neiki.dev/file/97ac7f267466d0546e1655f199aadde77aa0bf94d63d3b9efb086ed6c3b7b7da
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2025-08-15 14:34:44 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 23 (86.96%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s6wh6jtum3ifi3qwkxyztkw5455kbp4u2y6txhx3bbxnnq5xw7na._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
0d67bbcf54636d81b4e23a93a717fd1825441c08be672c9b647a0c9ec2ddd94f
QuasarRAT
288d31c7d357a129cf21143a30062144d41c899f44c0515b815caf31c4be14b1
QuasarRAT
3e336ef75dbb6d7168fc2dcbce4a139e3c23ca2be7459b10c0050cad9267a383
QuasarRAT
97ac7f267466d0546e1655f199aadde77aa0bf94d63d3b9efb086ed6c3b7b7da
QuasarRAT
error
QuasarRAT
fc53884a4452b6f808e280dc3fc3a051d0129be2aabf61ea816dacf6c3ea9e80
QuasarRAT
+ 7 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:blankgrabber family:quasar botnet:office04 defense_evasion discovery execution persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/250815-r4dy1ayjv6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in System32 directory
Enumerates processes with tasklist
UPX packed file
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Modifies trusted root certificate store through registry
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Quasar RAT
Quasar family
Quasar payload
blankgrabber
Malware Config
C2 Extraction:
niggerlover.ddns.net:8888
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3421079e-7d6b-42f4-88b1-87cd8116f022
Unpacked files
SH256 hash:
97ac7f267466d0546e1655f199aadde77aa0bf94d63d3b9efb086ed6c3b7b7da
MD5 hash:
753729bfaf19af638f714c133cc3e8f8
SHA1 hash:
c221fbb1d56082678f3829efc2475ef0310c6025
Link:
https://www.unpac.me/results/9ccf7f77-8b95-438c-9e4c-0f22eaac0bd5/
SH256 hash:
1c398e4931da3de6e91d3f7c11a85fdaa7f056a2695b29b37e1a30427c4ee10b
MD5 hash:
b2e1eedb8b4b4d60b72c16cada5685da
SHA1 hash:
5056450a7873c361bbef6491705d0f39ac7d3ac4
Detections:
QuasarRAT
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
MAL_BackNet_Nov18_1
Create hunting rule
INDICATOR_EXE_Packed_Fody
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Link:
https://www.unpac.me/results/9ccf7f77-8b95-438c-9e4c-0f22eaac0bd5/
SH256 hash:
d190f4b22dccbbdbaf62b36ce41338aaa11d64ebe69e9a5f1210fd52ca7b5c89
MD5 hash:
55a45c7ceee38a322b1bb2e51b5cc0ec
SHA1 hash:
b35cd3070b207bdf9d1b305d2632dca1103bcec1
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
HKTL_NET_GUID_Quasar
Create hunting rule
Link:
https://www.unpac.me/results/9ccf7f77-8b95-438c-9e4c-0f22eaac0bd5/
Parent samples :
97ac7f267466d0546e1655f199aadde77aa0bf94d63d3b9efb086ed6c3b7b7da
11054dce4fad0bb9f29a1597c35562e495b0dfba3613e665906b40342759f382
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/97ac7f267466/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97ac7f267466d0546e1655f199aadde77aa0bf94d63d3b9efb086ed6c3b7b7da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/21545/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA

Comments