MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f77b3185ad4e077ae287db26431fd4e6ed04b484fd9432c2b5fefe482ee09259. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f77b3185ad4e077ae287db26431fd4e6ed04b484fd9432c2b5fefe482ee09259
SHA3-384 hash: 8abb6d86ee2b39bdebfb17c61c565ba8c06245cbf7707031c7d5e1d39be205497528b27a3ace3ca32fe3a08e56636416
SHA1 hash: 2bf0f5bf887d10803780e530254f63dcdb72e7f9
MD5 hash: 4f1378f236106909cb4ad73bcccff405
humanhash: oranges-winner-equal-wisconsin
File name:SecuriteInfo.com.W32.PossibleThreat.16126.19653
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:2'001'920 bytes
First seen:2025-07-07 13:17:02 UTC
Last seen:2025-07-07 14:18:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 538fe118b03fba972f5f932e08ed0963 (3 x QuasarRAT, 1 x DonutLoader)
ssdeep 49152:yl79v8WvakvPqDri2VC1/ACb7j3opcwGIGym5q0xtV9TCccLNT/v1t146BtTY8/:yJ9EWvakXari2A5Aa7j3ljh/9TANt4uD
Threatray 264 similar samples on MalwareBazaar
TLSH T18795334EF6B36498D7D2D43CF9C6E41094C5AD840C6CBA1F5FCE21327ADB8928CC9999
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
21
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12676/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686bc8e2900df8e7f8683713
Tags:
keylog remo word
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed packed packer_detected
Link:
https://www.filescan.io/uploads/686bc8e00737c4165a92409c/reports/945116dc-22ed-4774-b08c-275ffc317070/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/f77b3185ad4e077ae287db26431fd4e6ed04b484fd9432c2b5fefe482ee09259
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/42b273e8-1db7-45e5-89a8-6ac10fc27654
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f77b3185ad4e077ae287db26431fd4e6ed04b484fd9432c2b5fefe482ee09259
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/4f1378f236106909cb4ad73bcccff405
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f77b3185ad4e077ae287db26431fd4e6ed04b484fd9432c2b5fefe482ee09259/
Threat name:
Win64.Hacktool.Aikaantivm
Create hunting rule
Status:
Malicious
First seen:
2025-07-07 07:32:00 UTC
File Type:
PE+ (Exe)
AV detection:
26 of 38 (68.42%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=655tdbnnjydxvyuh3mtegh6u43wqjnee7wkdfqvv737eqlxasjmq._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
donut_injector
Create hunting rule
Similar samples:
2c9a9dad74ed9892e2d73dc8a1bbfcdd46d6d9d54a4625a803842d734a5a8ec2
QuasarRAT
460aee4c6279b5f331b977efbe7484cfb7333dc4a028e9843fca3ab12195f2fd
QuasarRAT
4a5598e056a1f35b8638a606f9870ad2f05f00bd38076e5cf66fc99cb6309b19
QuasarRAT
5f6d769cabe8e26a8a724fc7f014daa606682b8c6745e83d4639b410be068571
QuasarRAT
896dd6fb0a61655177ecd82a93a507c5d127b7e81e41568ecdf59b1f523b1cbc
QuasarRAT
e7078c1080db9dafe06ac8258d4d685cbdef80ab0363ac7438dcef8c3bf554b1
QuasarRAT
error
QuasarRAT
f77b3185ad4e077ae287db26431fd4e6ed04b484fd9432c2b5fefe482ee09259
QuasarRAT
+ 254 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:quasar loader spyware trojan
Link:
https://tria.ge/reports/250707-qjg99aaq8t/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Detects DonutLoader
DonutLoader
Donutloader family
Quasar RAT
Quasar family
Quasar payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/604d5c86-a469-44a9-bbee-9c9178b8f2a2
Unpacked files
SH256 hash:
f77b3185ad4e077ae287db26431fd4e6ed04b484fd9432c2b5fefe482ee09259
MD5 hash:
4f1378f236106909cb4ad73bcccff405
SHA1 hash:
2bf0f5bf887d10803780e530254f63dcdb72e7f9
Link:
https://www.unpac.me/results/c1da5996-5d83-48cb-b190-deff36ef54c7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f77b3185ad4e077ae287db26431fd4e6ed04b484fd9432c2b5fefe482ee09259

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe f77b3185ad4e077ae287db26431fd4e6ed04b484fd9432c2b5fefe482ee09259

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3578227/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/12676/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA

Comments