MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2d9ed0083fdee88c8883f42b90e5b5476d2fe2fc35ee6daa247e2e86385bc80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2d9ed0083fdee88c8883f42b90e5b5476d2fe2fc35ee6daa247e2e86385bc80
SHA3-384 hash: d464663f97d21ab97456d5b213d375fdcf5ea0c7f8c4d199782b407a322fddecda0863b25269a6918cc4847dc3a6ea09
SHA1 hash: 27dccbf8e4ae9e965957238ef4dbdb1f17a700ac
MD5 hash: eaa4a26d537fc2a3f41252bb13f7875e
humanhash: zebra-maryland-steak-double
File name:JVTypehaplPrfAyvmTowiOuFULGZDYrR.bat
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:3'163'318 bytes
First seen:2026-05-04 20:49:27 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 49152:i/+dXZzZplpV16+BiLAITX7U/9bRJBtYv:0
TLSH T19FE533229C7DAEBEC59C932C30BF1F195AB55ED64444F6C763E1B0E2340EB26050BA79
Magika batch
Reporter smica83
Tags:bat QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
HU HU
Vendor Threat Intelligence
Gathering data
Malware family:
n/a
ID:
1
File name:
JVTypehaplPrfAyvmTowiOuFULGZDYrR.bat
Verdict:
No threats detected
Analysis date:
2026-05-04 20:52:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e0701a55-8aff-4f66-b3fa-70dea5841412

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/64514/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a file
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a window
Сreating synchronization primitives
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Using obfuscated Powershell scripts
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fltmc lolbin obfuscated powershell
Link:
https://www.filescan.io/uploads/69f906a02fcb905ec27e87b5/reports/c4741b68-f42d-45bf-a417-8d7c59d5e480/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/d2d9ed0083fdee88c8883f42b90e5b5476d2fe2fc35ee6daa247e2e86385bc80
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-05-04T18:03:00Z UTC
Last seen:
2026-05-04T18:37:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.MSIL.Agent.sb Trojan-Dropper.MSIL.Agent Backdoor.MSIL.PulsarRAT.sb PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Alien.gen Trojan.Win32.Vimditator.sb
Link:
https://opentip.kaspersky.com/d2d9ed0083fdee88c8883f42b90e5b5476d2fe2fc35ee6daa247e2e86385bc80/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1908361
Signature
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Disable UAC(promptonsecuredesktop)
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Obfuscated command line found
Sets debug register (to hijack the execution of another thread)
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (surpress errors)
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1908361 Sample: JVTypehaplPrfAyvmTowiOuFULG... Startdate: 04/05/2026 Architecture: WINDOWS Score: 100 112 Found large BAT file 2->112 114 Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE 2->114 116 Sigma detected: WScript or CScript Dropper 2->116 118 5 other signatures 2->118 10 cmd.exe 1 2->10         started        13 wscript.exe 1 2->13         started        15 wscript.exe 1 2->15         started        17 wscript.exe 2->17         started        process3 signatures4 132 Suspicious powershell command line found 10->132 134 Wscript starts Powershell (via cmd or directly) 10->134 136 Obfuscated command line found 10->136 138 Bypasses PowerShell execution policy 10->138 19 cmd.exe 1 10->19         started        22 conhost.exe 10->22         started        140 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->140 142 Suspicious execution chain found 13->142 144 WScript reads language and country specific registry keys (likely country aware script) 13->144 24 cmd.exe 1 13->24         started        26 cmd.exe 15->26         started        28 cmd.exe 1 17->28         started        process5 signatures6 120 Suspicious powershell command line found 19->120 122 Wscript starts Powershell (via cmd or directly) 19->122 124 Obfuscated command line found 19->124 30 powershell.exe 1 25 19->30         started        35 conhost.exe 19->35         started        37 fltMC.exe 1 19->37         started        39 cmd.exe 1 24->39         started        41 conhost.exe 24->41         started        43 cmd.exe 26->43         started        45 conhost.exe 26->45         started        47 cmd.exe 28->47         started        49 conhost.exe 28->49         started        process7 dnsIp8 100 163.61.38.229, 8080 KDDIKDDICORPORATIONJP unknown 30->100 94 C:\Users\user\AppData\Roaming\OHcwfcSs.vbs, ASCII 30->94 dropped 96 C:\Users\user\AppData\Roaming\OHcwfcSs.bat, DOS 30->96 dropped 98 C:\Users\user\AppData\...\OHcwfcSs.lnk, MS 30->98 dropped 102 Creates an autostart registry key pointing to binary in C:\Windows 30->102 104 Sets debug register (to hijack the execution of another thread) 30->104 106 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->106 108 Disable UAC(promptonsecuredesktop) 30->108 110 Wscript starts Powershell (via cmd or directly) 39->110 51 powershell.exe 3 10 39->51         started        53 conhost.exe 39->53         started        55 fltMC.exe 1 39->55         started        57 powershell.exe 43->57         started        59 conhost.exe 43->59         started        61 fltMC.exe 1 43->61         started        63 powershell.exe 47->63         started        65 conhost.exe 47->65         started        67 fltMC.exe 1 47->67         started        file9 signatures10 process11 process12 69 cmd.exe 1 51->69         started        72 cmd.exe 57->72         started        74 cmd.exe 63->74         started        signatures13 126 Suspicious powershell command line found 69->126 128 Wscript starts Powershell (via cmd or directly) 69->128 130 Obfuscated command line found 69->130 76 conhost.exe 69->76         started        78 fltMC.exe 1 69->78         started        80 powershell.exe 69->80         started        82 conhost.exe 72->82         started        84 fltMC.exe 1 72->84         started        86 powershell.exe 72->86         started        88 conhost.exe 74->88         started        90 fltMC.exe 1 74->90         started        92 powershell.exe 74->92         started        process14
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/d2d9ed0083fdee88c8883f42b90e5b5476d2fe2fc35ee6daa247e2e86385bc80
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2d9ed0083fdee88c8883f42b90e5b5476d2fe2fc35ee6daa247e2e86385bc80/
Verdict:
Malicious
Threat:
Family.CUSTOMERLOADER
Link:
https://tip.neiki.dev/file/d2d9ed0083fdee88c8883f42b90e5b5476d2fe2fc35ee6daa247e2e86385bc80
Threat name:
Text.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-05-03 01:11:53 UTC
File Type:
Text (Batch)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2lm62aed7xxirseih5blsds3kr3nf7rpynponwvci7roqy4fxsaa._file
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:customerloader family:quasar botnet:vps-28 defense_evasion downloader loader persistence spyware trojan
Link:
https://tria.ge/reports/260504-zl9xqacw2t/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Drops startup file
Badlisted process makes network request
Family: Customer Loader
Family: Quasar RAT
Quasar payload
UAC bypass
Malware Config
C2 Extraction:
163.61.38.229:8080
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings
Rule name:WIN_FileFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:FileFix social engineering with PowerShell and PHP commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/64514/

Comments