MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e076c82e891f6cc0bff69929c87259a24380b2cfbd893330d68174140aab3a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 18

Intelligence 18 IOCs YARA 1 File information Comments

SHA256 hash:	7e076c82e891f6cc0bff69929c87259a24380b2cfbd893330d68174140aab3a1
SHA3-384 hash:	57940c667d25523acfa5334004769759e7da772807296312e208bbf561c780f7d958ffb1bfcf8ac511ccb4c6fb07b881
SHA1 hash:	fce018cc7779ee24e45a835de553c455d729cc6c
MD5 hash:	52dcc6391bc14b475d61125a9c767821
humanhash:	steak-papa-red-snake
File name:	PulsarModified.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	9'643'008 bytes
First seen:	2026-04-07 16:10:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a9c887a4f18a3fede2cc29ceea138ed3 (36 x CoinMiner, 19 x AsyncRAT, 18 x QuasarRAT)
ssdeep	196608:8EWhlLiHMqE9aBDHsvXRQ+s+Bb8Rrx0XY54dJ+vy:RSLTouXhF8L0X1YK
Threatray	25 similar samples on MalwareBazaar
TLSH	T1B3A6CF70A81CE20BFEF588E7EC0585F0643F36026A294977167E6C7A378B5AF0C6556C
TrID	33.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 13.2% (.EXE) Win64 Executable (generic) (6522/11/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	e84455717070d4c8 (1 x QuasarRAT)
Reporter	burger
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

151

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

n/a

ID:

File name:

PulsarModified.exe

Verdict:

Malicious activity

Analysis date:

2026-04-06 17:58:06 UTC

Tags:

crypto-regex api-base64 pulsar rat

Link:

https://app.any.run/tasks/37381f26-1955-4068-8276-70967bfcebfb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/60740/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69d3f42a66ab6d001dcf879d

Tags:

extens sage remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a process with a hidden window

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Connection attempt to an infection source

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Query of malicious DNS domain

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/69d52c7100ad3636940dfd51/reports/0a2880a4-5740-402f-ae6f-57dd61237691/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/7e076c82e891f6cc0bff69929c87259a24380b2cfbd893330d68174140aab3a1

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-04-06T15:07:00Z UTC

Last seen:

2026-04-09T13:20:00Z UTC

Hits:

~10

Detections:

HEUR:HackTool.Win64.Disabler.pefng HEUR:HackTool.Win64.Disabler.gen Trojan-PSW.Win32.Stealer.sb HEUR:Trojan.Win32.Convagent.gen HEUR:Trojan-Banker.MSIL.ClipBanker.gen HEUR:Exploit.MSIL.BypassUAC.c Trojan-PSW.MSIL.Agent.sb HEUR:Trojan-Dropper.MSIL.Agent.gen HEUR:Exploit.MSIL.BypassUAC.gen Backdoor.MSIL.PulsarRAT.sb Trojan.MSIL.Agent.sb PDM:Trojan.Win32.Generic HEUR:Trojan.Win32.Generic Trojan-PSW.Win32.Greedy.sb HEUR:Trojan.MSIL.R77.gen HEUR:Trojan.MSIL.Agent.gen NetTool.TunnelLocaltonet.UDP.C&C VHO:Trojan-PSW.MSIL.Agent.gen VHO:Backdoor.MSIL.Quasar.gen VHO:Trojan.Win32.Agent.gen

Link:

https://opentip.kaspersky.com/7e076c82e891f6cc0bff69929c87259a24380b2cfbd893330d68174140aab3a1/results?tab=lookup

Malware family:

Mimikatz

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/feaff602-cf8e-454a-a671-9e0f7da61266

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1894780

Signature

.NET source code contains process injector

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected EXE embedded in BAT file

Yara detected Quasar RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7e076c82e891f6cc0bff69929c87259a24380b2cfbd893330d68174140aab3a1

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7e076c82e891f6cc0bff69929c87259a24380b2cfbd893330d68174140aab3a1/

Verdict:

Malicious

Threat:

Family.PULSAR

Link:

https://tip.neiki.dev/file/7e076c82e891f6cc0bff69929c87259a24380b2cfbd893330d68174140aab3a1

Threat name:

Win32.Dropper.Dapato

Status:

Malicious

First seen:

2026-04-06 17:58:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 36 (75.00%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pydwzaxish3myc77ngjjzbzftisdqczm7pmjgmynnalucqfkwoqq._file

Verdict:

malicious

Label(s):

quasarrat

QuasarRAT

1c021645e4b0340f968f6909823b642e01b577fdb878b76368d55e7895c3e96e

QuasarRAT

4077650d26e922bd7751ad46759b96612bde298e66fbb6235dd08da9280d2370

QuasarRAT

7e076c82e891f6cc0bff69929c87259a24380b2cfbd893330d68174140aab3a1

QuasarRAT

9382df4bc0f53192bd444266bac725b836d3633942fbbf617648536e449cf39e

QuasarRAT

error

QuasarRAT

+ 15 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:customerloader family:quasar botnet:office04 discovery downloader loader spyware trojan

Link:

https://tria.ge/reports/260407-tmmwpabt7w/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Checks computer location settings

Executes dropped EXE

Customer Loader

Customerloader family

Quasar RAT

Quasar family

Quasar payload

Malware Config

C2 Extraction:

fvqro5kllu.localto.net:8791

Unpacked files

SH256 hash:

7e076c82e891f6cc0bff69929c87259a24380b2cfbd893330d68174140aab3a1

MD5 hash:

52dcc6391bc14b475d61125a9c767821

SHA1 hash:

fce018cc7779ee24e45a835de553c455d729cc6c

Link:

https://www.unpac.me/results/45458c3b-6553-440f-a0ee-e7e1227c1f16/

SH256 hash:

2dcaeab757191d4e223d1f81afcc1e6cd19cb3e7110579f4c4863f52d8514b19

MD5 hash:

81f47e54583afd43418608e0b325a888

SHA1 hash:

136bc54d079041e3561de5b0d4a64bc1deaa0319

Detections:

QuasarRAT

cn_utf8_windows_terminal

malware_windows_xrat_quasarrat

MAL_QuasarRAT_May19_1

Gen_Base64_EXE

INDICATOR_EXE_Packed_Fody

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Link:

https://www.unpac.me/results/45458c3b-6553-440f-a0ee-e7e1227c1f16/

SH256 hash:

32ddcc8ec426baf56816514447c6cef2ef81b20b145946e7533401d3eb0ca929

MD5 hash:

ff508c605092d6aaf88651c4406162fb

SHA1 hash:

6986dd0dc239754ae457da779f065d70335190a5

Link:

https://www.unpac.me/results/45458c3b-6553-440f-a0ee-e7e1227c1f16/

SH256 hash:

3d0dc614ae384f4b6999566eba45d2840b0258a438616ae1c911a2058dcc0172

MD5 hash:

dd0571eb68f175ac820ddc7da7db91da

SHA1 hash:

7a3a6ffffb20555595d2732a79eb18cf83ef3ed3

Detections:

INDICATOR_EXE_Packed_Fody

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

INDICATOR_SUSPICIOUS_EXE_DiscordURL

Link:

https://www.unpac.me/results/45458c3b-6553-440f-a0ee-e7e1227c1f16/

SH256 hash:

d5235265564f0bfd23b7279d7bdccc9ea6383ed07c5d0bfdf6c99029af9a2c0c

MD5 hash:

1d3dd9fcc077e6b4f88c05b9aef53ee6

SHA1 hash:

12b33858bc84f54b8aa8dbcb5a0ec2da043a6f66

Link:

https://www.unpac.me/results/45458c3b-6553-440f-a0ee-e7e1227c1f16/

SH256 hash:

4c9615496970ea84320e2a6e99f8fb828e3c7790384df5585d93fc368885d94e

MD5 hash:

50e6524b7ee9c2c93f5210b63cb1ca54

SHA1 hash:

3e296ec3bb24750833ea80515e6fb4c73874c91a

Link:

https://www.unpac.me/results/45458c3b-6553-440f-a0ee-e7e1227c1f16/

SH256 hash:

835f3fa2e9a7d11d0c18dbc3413260728db593d33ac3e5e1351607b5aeba83a7

MD5 hash:

16525e12f237625bbbe12534ca2bc978

SHA1 hash:

415c455c2f67dc23b4ea8145aca7058ae2c9803b

Link:

https://www.unpac.me/results/45458c3b-6553-440f-a0ee-e7e1227c1f16/

SH256 hash:

ceed689891874eed41295189b2db3c187aabcfc90add5a1d2af96f078bcb4811

MD5 hash:

026a5bafe4ac686c01e9d56e00a87ab1

SHA1 hash:

a6ff2228e8114a2b4040d0ca137c4b544ff034f4

Link:

https://www.unpac.me/results/45458c3b-6553-440f-a0ee-e7e1227c1f16/

SH256 hash:

1c1a49dc957ade033bd60dca58db3cc2221bd71bab7a20ab4f5009e98f13ff29

MD5 hash:

a70c5dc135347dde470f1e5b7edb4411

SHA1 hash:

e85c560a6aa24e2c64ad2a74b995a7316e8e8958

Detections:

SUSP_NET_Large_Static_Array_In_Small_File_Jan24

HKTL_NET_GUID_Quasar

Link:

https://www.unpac.me/results/45458c3b-6553-440f-a0ee-e7e1227c1f16/

Parent samples :

9382df4bc0f53192bd444266bac725b836d3633942fbbf617648536e449cf39e
acf4e409f279deff4fde7ea4457d2a3a126d7602d32058188727c60318a8086d
93ae860b34d78429fd3f4140cb2ca139bed29fa0f81d99cd35dce8f8024b0f0a
7e076c82e891f6cc0bff69929c87259a24380b2cfbd893330d68174140aab3a1
ee099bf393e389aa3bee9310c2d8b3dfd9b66df71a22a40574583555ad7261dc

SH256 hash:

1e02248fc226f1813f9a473aaf8dc9bd264101a6e371ddb73e145c0949834d47

MD5 hash:

4b874a3043d5e3c133f4c35863159638

SHA1 hash:

3a7d21700497d81c41193544b7ea913032d0aa82

Link:

https://www.unpac.me/results/45458c3b-6553-440f-a0ee-e7e1227c1f16/

SH256 hash:

a8110236200ee11643a5b1826e8df07c2c6eaef229f13a06cba8e1bd435c885a

MD5 hash:

3e7c634db3537d8e78edc7a84d42b946

SHA1 hash:

85390d4af85ea503df94e0d1c6ee864ec2a6adf7

Link:

https://www.unpac.me/results/45458c3b-6553-440f-a0ee-e7e1227c1f16/

SH256 hash:

e8a51876ded18dc38bf18565f8f07d654927bd30d6a382c1cc54f03793e20ecd

MD5 hash:

6300d55259fa920aa92533d98a639d60

SHA1 hash:

bc6a1fdb40949d7ab7cbac2a280812b572660fcf

Link:

https://www.unpac.me/results/45458c3b-6553-440f-a0ee-e7e1227c1f16/

Malware family:

QuasarRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7e076c82e891/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7e076c82e891f6cc0bff69929c87259a24380b2cfbd893330d68174140aab3a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/60740/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample