MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9382df4bc0f53192bd444266bac725b836d3633942fbbf617648536e449cf39e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

QuasarRAT

Vendor detections: 18

Intelligence 18 IOCs YARA 3 File information Comments

SHA256 hash:	9382df4bc0f53192bd444266bac725b836d3633942fbbf617648536e449cf39e
SHA3-384 hash:	24f2d2a2d4168626398237710a41d8e828a0996a8981d5554bf4ec8386a63144212525302f7cdeacbfa2587013b8de95
SHA1 hash:	fb457795bdc6e2b6b23666e026edeb97eb5d940f
MD5 hash:	37a43b6b81e933fc6e19a93c443dfd84
humanhash:	beer-eleven-table-queen
File name:	PradaNonvirus.exe
Download:	download sample
Signature	QuasarRAT Create hunting rule
File size:	9'612'288 bytes
First seen:	2026-03-05 07:01:47 UTC
Last seen:	2026-03-05 07:24:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'843 x AgentTesla, 19'774 x Formbook, 12'297 x SnakeKeylogger)
ssdeep	196608:WloFGZcr71flVCTgJpF2DFAKsmZUGKsSFLTUz8MecAdUodUT6ln1ep:Wlo427VCs2mKsmWGlQ48iAdp1
TLSH	T15CA622EB64BE675C8B4B5C74BCE031CEAF874B37883E92D20693625C14385CB59129B7
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	exe QuasarRAT

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

EvilCoder

Details

EvilCoder

a mutex and AES-ECB decrypted component(s)

Link:

https://research.acce.ciphertechsolutions.com/results/80a9e225-ae65-4345-b133-5edaef2471d9/

Malware family:

n/a

ID:

File name:

PradaNonvirus.exe

Verdict:

Malicious activity

Analysis date:

2026-03-05 05:29:46 UTC

Tags:

api-base64 crypto-regex pulsar rat

Link:

https://app.any.run/tasks/dc355561-9773-47f3-b333-aaf9f4a34a92

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/55617/

Detection(s):

SecuriteInfo.com.Trojan.MulDrop23.44572.7068.32586.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a914d9e1f958bf6683ca17

Tags:

vmdetect quasar proxy

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

asyncrat obfuscated obfuscated packed unsafe vbnet

Link:

https://www.filescan.io/uploads/69a92a7997feb4afd66b5dc4/reports/da5c68b9-c91e-4337-88eb-fd2fca5fdca8/overview

Verdict:

Malicious

Labled as:

Jalapeno.Generic

Link:

https://www.hybrid-analysis.com/sample/9382df4bc0f53192bd444266bac725b836d3633942fbbf617648536e449cf39e

Verdict:

Malicious

File Type:

exe x32

Detections:

HEUR:Trojan.Win32.Generic HEUR:Trojan-Dropper.MSIL.Dapato.gen HEUR:Trojan-Banker.MSIL.ClipBanker.gen HEUR:Trojan.MSIL.R77.gen HEUR:HackTool.Win64.Disabler.pefng HEUR:HackTool.Win64.Disabler.gen HEUR:Exploit.MSIL.BypassUAC.gen HEUR:Exploit.MSIL.BypassUAC.c Backdoor.MSIL.PulsarRAT.sb PDM:Trojan.Win32.Generic Trojan-PSW.MSIL.Agent.sb HEUR:Trojan-Dropper.MSIL.Agent.gen NetTool.Ngrok.UDP.C&C

Link:

https://opentip.kaspersky.com/9382df4bc0f53192bd444266bac725b836d3633942fbbf617648536e449cf39e/results?tab=lookup

Malware family:

ModernLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e378e6c9-c2be-4de4-8942-b8407360c9bd

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1878617

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected Costura Assembly Loader

Yara detected EXE embedded in BAT file

Yara detected Quasar RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9382df4bc0f53192bd444266bac725b836d3633942fbbf617648536e449cf39e

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9382df4bc0f53192bd444266bac725b836d3633942fbbf617648536e449cf39e/

Verdict:

Malicious

Threat:

Family.CUSTOMERLOADER

Link:

https://tip.neiki.dev/file/9382df4bc0f53192bd444266bac725b836d3633942fbbf617648536e449cf39e

Threat name:

ByteCode-MSIL.Spyware.AsyncRAT

Status:

Malicious

First seen:

2026-03-05 05:29:50 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sobn6s6a6uyzfpkeijtlvrzfxa3ngyzzil536ylwjbjw4re46opa._file

Verdict:

malicious

Label(s):

quasarrat

Similar samples:

error

QuasarRAT

Result

Malware family:

quasar

Score:

10/10

Tags:

family:customerloader family:quasar botnet:office04 downloader loader spyware trojan

Link:

https://tria.ge/reports/260305-htxhxsdw8n/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Contacts third-party web service commonly abused for C2

Checks computer location settings

Executes dropped EXE

Customer Loader

Customerloader family

Quasar RAT

Quasar family

Quasar payload

Malware Config

C2 Extraction:

0.tcp.in.ngrok.io:19799

Unpacked files

SH256 hash:

9382df4bc0f53192bd444266bac725b836d3633942fbbf617648536e449cf39e

MD5 hash:

37a43b6b81e933fc6e19a93c443dfd84

SHA1 hash:

fb457795bdc6e2b6b23666e026edeb97eb5d940f

Link:

https://www.unpac.me/results/1504801a-10c4-4535-b4d1-8833405bff78/

SH256 hash:

d5235265564f0bfd23b7279d7bdccc9ea6383ed07c5d0bfdf6c99029af9a2c0c

MD5 hash:

1d3dd9fcc077e6b4f88c05b9aef53ee6

SHA1 hash:

12b33858bc84f54b8aa8dbcb5a0ec2da043a6f66

Link:

https://www.unpac.me/results/1504801a-10c4-4535-b4d1-8833405bff78/

SH256 hash:

9a7b0a6dfa3c15f4002b4df9de5af87e51d37341d89b90073a60d582136b7e64

MD5 hash:

8476cae480367299eec384dc9c7b8916

SHA1 hash:

2641cd9dc1acb6d27ade0bcf68f1c1b37f40915c

Link:

https://www.unpac.me/results/1504801a-10c4-4535-b4d1-8833405bff78/

SH256 hash:

4c9615496970ea84320e2a6e99f8fb828e3c7790384df5585d93fc368885d94e

MD5 hash:

50e6524b7ee9c2c93f5210b63cb1ca54

SHA1 hash:

3e296ec3bb24750833ea80515e6fb4c73874c91a

Link:

https://www.unpac.me/results/1504801a-10c4-4535-b4d1-8833405bff78/

SH256 hash:

c9736bed57d137a0bd4a454a70436020312db5a365bdd243037e766695c18ccd

MD5 hash:

41b34eab1585d5381c56730b93dd1310

SHA1 hash:

510b640517342dbcc40c81b63db23fa1444a71ed

Link:

https://www.unpac.me/results/1504801a-10c4-4535-b4d1-8833405bff78/

SH256 hash:

5f64ff9d7c4927b991a0446ecf5147b67ebd4c8f049e8e1f3b90a707c8943e48

MD5 hash:

480c8ff188cfc5e01acb7251f40a3261

SHA1 hash:

868421770e0955a121a857e80621313ecbe6c5bc

Link:

https://www.unpac.me/results/1504801a-10c4-4535-b4d1-8833405bff78/

SH256 hash:

1c1a49dc957ade033bd60dca58db3cc2221bd71bab7a20ab4f5009e98f13ff29

MD5 hash:

a70c5dc135347dde470f1e5b7edb4411

SHA1 hash:

e85c560a6aa24e2c64ad2a74b995a7316e8e8958

Detections:

SUSP_NET_Large_Static_Array_In_Small_File_Jan24

HKTL_NET_GUID_Quasar

Link:

https://www.unpac.me/results/1504801a-10c4-4535-b4d1-8833405bff78/

Malware family:

QuasarRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9382df4bc0f5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9382df4bc0f53192bd444266bac725b836d3633942fbbf617648536e449cf39e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/55617/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample