MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bca01021e4c5f68d94c67a71e305e9230c3a69e5fb5da9854ae606881dd8bd76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bca01021e4c5f68d94c67a71e305e9230c3a69e5fb5da9854ae606881dd8bd76
SHA3-384 hash: 52a0a3142f6172005bc4e7714d169ed1e0067b7b63aba7fb10bd978b189d9ea77367202f581c513840b961fa665ae9de
SHA1 hash: e242b9e7023b0836974ee1e11d6eac5f5229d1fa
MD5 hash: 642ee887c3ee2c6feff28cbc1586a51c
humanhash: lemon-lake-december-connecticut
File name:bca01021e4c5f68d94c67a71e305e9230c3a69e5fb5da9854ae606881dd8bd76.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:295'624 bytes
First seen:2026-02-27 16:37:35 UTC
Last seen:2026-02-27 17:42:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c96ef060f93a8d636cabb300b6ba0c42 (1 x QuasarRAT)
ssdeep 6144:jatKwLSGEsDQe0R1Rd2VJ6Nj6seXzSwFGlrgqTBs7EF0:ja5/Qe0R1zO6GXzergyBs7D
TLSH T1F1544920B591CC32F666357198A6FF65592DEC201F68ABC773802EEACD306C2673571B
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe QuasarRAT RAT signed

Code Signing Certificate

Organisation:Capcom Co. Ltd.
Issuer:Capcom Co. Ltd.
Algorithm:sha256WithRSAEncryption
Valid from:2026-02-27T00:47:37Z
Valid to:2036-02-27T00:57:37Z
Serial number: 1525a6221e009a8b4138c27cab9bccea
Thumbprint Algorithm:SHA256
Thumbprint: ff857f75f4d939abb00184f1b586ad85934673a44795b940c85b75f255b1eeb5
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
quasar
Create hunting rule
ID:
1
File name:
bca01021e4c5f68d94c67a71e305e9230c3a69e5fb5da9854ae606881dd8bd76.exe
Verdict:
Malicious activity
Analysis date:
2026-02-27 15:22:27 UTC
Tags:
quasar rat
Link:
https://app.any.run/tasks/ac8909f6-cf7f-463d-9349-81c0f8912feb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54885/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a1b6b0c950ab5d9ab220f5
Tags:
quasar virus sage remo
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context evasive fingerprint lolbin microsoft_visual_cc signed wuauclt xor-url
Link:
https://www.filescan.io/uploads/69a1c87597feb4afd65fb9b3/reports/6de634fc-1329-48c9-b1b5-83d9cf98bee5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/bca01021e4c5f68d94c67a71e305e9230c3a69e5fb5da9854ae606881dd8bd76
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan-Spy.Quasar.HTTP.ServerRequest Trojan-Spy.MSIL.Downeks.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Virinom.sb Trojan.Win32.Quasar.sb Trojan.MSIL.Quasar.sb Trojan.MSIL.Quasar.gmp Trojan.MSIL.Quasar.a
Link:
https://opentip.kaspersky.com/bca01021e4c5f68d94c67a71e305e9230c3a69e5fb5da9854ae606881dd8bd76/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/aa16698d-8164-439f-b8e3-a68656ad14dd
Result
Threat name:
Quasar, XRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1876080
Signature
AI detected suspicious PE digital signature
Antivirus detection for dropped file
Detected Quasar RAT
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Yara detected Quasar RAT
Yara detected XRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1876080 Sample: 0ocYbh4fJS.exe Startdate: 27/02/2026 Architecture: WINDOWS Score: 100 29 release-assets.githubusercontent.com 2->29 31 ip-api.com 2->31 33 2 other IPs or domains 2->33 45 Suricata IDS alerts for network traffic 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 6 other signatures 2->51 8 0ocYbh4fJS.exe 4 2->8         started        signatures3 process4 dnsIp5 37 github.com 140.82.112.4, 443, 49692 GITHUBUS United States 8->37 39 release-assets.githubusercontent.com 185.199.111.133, 443, 49693 FASTLYUS Netherlands 8->39 41 drukvculgar.live 104.21.32.208, 443, 49691 CLOUDFLARENETUS United States 8->41 61 Found evasive API chain (may stop execution after checking mutex) 8->61 12 Client-built.exe 15 4 8->12         started        17 7z.exe 2 8->17         started        signatures6 process7 dnsIp8 43 ip-api.com 208.95.112.1, 49694, 49695, 80 TUT-ASUS United States 12->43 25 C:\Users\user\AppData\Roaming\...\Client.exe, PE32 12->25 dropped 63 Antivirus detection for dropped file 12->63 65 Detected Quasar RAT 12->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->67 19 Client.exe 14 4 12->19         started        27 C:\Users\user\AppData\...\Client-built.exe, PE32 17->27 dropped 23 conhost.exe 17->23         started        file9 signatures10 process11 dnsIp12 35 46.31.77.130, 1604, 49696 COMNET-ASNTR Turkey 19->35 53 Antivirus detection for dropped file 19->53 55 Detected Quasar RAT 19->55 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->57 59 Installs a global keyboard hook 19->59 signatures13
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bca01021e4c5f68d94c67a71e305e9230c3a69e5fb5da9854ae606881dd8bd76
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bca01021e4c5f68d94c67a71e305e9230c3a69e5fb5da9854ae606881dd8bd76/
Verdict:
Malicious
Threat:
Family.QUASAR
Link:
https://tip.neiki.dev/file/bca01021e4c5f68d94c67a71e305e9230c3a69e5fb5da9854ae606881dd8bd76
Threat name:
Win32.Trojan.IcedID
Create hunting rule
Status:
Suspicious
First seen:
2026-02-27 15:22:29 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
3 of 36 (8.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xsqbaipeyx3i3fggpjy6gbpjemgdu2pf7no2tbkk4ydiqhoyxv3a._file
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:office04 discovery spyware trojan
Link:
https://tria.ge/reports/260227-t5ggmags3d/
Behaviour
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Quasar RAT
Quasar family
Quasar payload
Malware Config
C2 Extraction:
46.31.77.130:1604
Unpacked files
SH256 hash:
bca01021e4c5f68d94c67a71e305e9230c3a69e5fb5da9854ae606881dd8bd76
MD5 hash:
642ee887c3ee2c6feff28cbc1586a51c
SHA1 hash:
e242b9e7023b0836974ee1e11d6eac5f5229d1fa
Link:
https://www.unpac.me/results/a8e819eb-ad1d-4c79-aaa0-b3e5727e7336/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bca01021e4c5f68d94c67a71e305e9230c3a69e5fb5da9854ae606881dd8bd76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/54885/

Comments