MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b782927fc933eae5dcc58fe16cd941d2c29bf9dd3f89f0d69af73404abaef70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b782927fc933eae5dcc58fe16cd941d2c29bf9dd3f89f0d69af73404abaef70
SHA3-384 hash: 024f93cd7c17cbda2908b4a9a2d913986aa267d125c0fb3c3bd2ae85734b27ddc6cc98493cb1f4510bfa67f58fb7273b
SHA1 hash: 334de57ceca333979057407a5292e7682cac399c
MD5 hash: bae54ad92e6d464ce948c48e25961b5e
humanhash: ohio-ink-north-nevada
File name:PClient.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:972'800 bytes
First seen:2025-11-14 06:59:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:5TncyAxJzck+uGW/yFoBkkA8D+izrxJq:5TnfATYjqqanD5vP
TLSH T1AE25D09177F44606E1FF1BB4E47209554B73FA06DA36DB9F0988A0AD0EA33858F513A3
TrID 62.2% (.RLL) Microsoft Resource Library (x86) (177572/6/26)
25.6% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter juroots
Tags:exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PClient.exe
Verdict:
Malicious activity
Analysis date:
2025-11-13 18:23:25 UTC
Tags:
crypto-regex pulsar rat
Link:
https://app.any.run/tasks/39ef8c21-c75f-4551-b058-38036af067fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38169/
Detection(s):
Win.Malware.Generic-9883083-0
Create hunting rule

Win.Malware.Bulz-9933026-0
Create hunting rule

Win.Malware.Generic-6623004-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6916221c434cd67b17c0ef1c
Tags:
vmdetect emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm base64 hacktool obfuscated packed privilege reconnaissance stack_pickle
Link:
https://www.filescan.io/uploads/6916d3bc219b4496562baa16/reports/e8559179-c320-4ef6-b5c6-db8580608f49/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/2b782927fc933eae5dcc58fe16cd941d2c29bf9dd3f89f0d69af73404abaef70
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-13T15:28:00Z UTC
Last seen:
2025-11-14T10:19:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/2b782927fc933eae5dcc58fe16cd941d2c29bf9dd3f89f0d69af73404abaef70/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/374365e6-eff3-4f15-81d8-89dc4ad74aca
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2b782927fc933eae5dcc58fe16cd941d2c29bf9dd3f89f0d69af73404abaef70
Verdict:
inconclusive
YARA:
15 match(es)
Tags:
.Net Executable Fody/Costura Packer Html Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.14 SOS: 0.15 SOS: 0.17 SOS: 0.18 SOS: 0.23 SOS: 0.24 SOS: 0.25 SOS: 0.26 SOS: 0.61 Win 32 Exe x86
Link:
https://app.malva.re/file/bae54ad92e6d464ce948c48e25961b5e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b782927fc933eae5dcc58fe16cd941d2c29bf9dd3f89f0d69af73404abaef70/
Verdict:
Malicious
Threat:
Family.QUASAR
Link:
https://tip.neiki.dev/file/2b782927fc933eae5dcc58fe16cd941d2c29bf9dd3f89f0d69af73404abaef70
Threat name:
ByteCode-MSIL.Hacktool.Aikaantivm
Create hunting rule
Status:
Malicious
First seen:
2025-11-13 18:23:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
30 of 38 (78.95%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fn4csj74sm7k4xomld7bntmuduwctp452p4j6dljv5zuasv255ya._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
Similar samples:
error
QuasarRAT
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar spyware trojan
Link:
https://tria.ge/reports/251114-hs93mawpdw/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Quasar RAT
Quasar family
Quasar payload
Verdict:
Malicious
Tags:
red_team_tool rat quasar_rat backdoor backnet Win.Malware.Generic-9883083-0
YARA:
HKTL_EXE_AlKhaser_Jul_01 malware_windows_quasarrat MAL_BackNet_Nov18_1
Link:
https://app.threat.zone/submission/c9de3f6d-aa3b-4fa0-a491-92b2c53c279d
Unpacked files
SH256 hash:
2b782927fc933eae5dcc58fe16cd941d2c29bf9dd3f89f0d69af73404abaef70
MD5 hash:
bae54ad92e6d464ce948c48e25961b5e
SHA1 hash:
334de57ceca333979057407a5292e7682cac399c
Detections:
QuasarRAT
Create hunting rule
Link:
https://www.unpac.me/results/cd29b3aa-b143-4341-95db-fc65103cebee/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2b782927fc93/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Quasar
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/2b782927fc933eae5dcc58fe16cd941d2c29bf9dd3f89f0d69af73404abaef70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Dlls
Create hunting rule
Rule name:Check_VBox_Guest_Additions
Create hunting rule
Rule name:Check_VmTools
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:MAL_BackNet_Nov18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects BackNet samples
Reference:https://github.com/valsov/BackNet
Rule name:MAL_BackNet_Nov18_1_RID2D6D
Create hunting rule
Author:Florian Roth
Description:Detects BackNet samples
Reference:https://github.com/valsov/BackNet
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

QuasarRAT

Executable exe 2b782927fc933eae5dcc58fe16cd941d2c29bf9dd3f89f0d69af73404abaef70

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/38169/
  
URLhaus
https://urlhaus.abuse.ch/url/3707702/
  
Delivery method
Distributed via web download

Comments