Malware Analysis Report

2025-04-14 05:07

Sample ID: 230117-crlqraha42
Target: nvz0g1.ps1
SHA256: c90652e3d658848ea93fc3b70bec8122366ea3a9cc79a11cd47d7b5c418b9b2a
Tags: quasar, office04, spyware, trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: c90652e3d658848ea93fc3b70bec8122366ea3a9cc79a11cd47d7b5c418b9b2a
Threat Level: Known bad

The file nvz0g1.ps1 was found to be: Known bad.

Malicious Activity Summary

Tags: quasar, office04, spyware, trojan

  Quasar RAT
  Quasar payload
  Suspicious use of SetThreadContext
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-01-17 02:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-17 02:18
Reported: 2023-01-17 02:21
Platform: win7-20220812-en
Max time kernel: 42s
Max time network: 46s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\nvz0g1.ps1

Signatures

Suspicious behavior: EnumeratesProcesses
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Suspicious use of AdjustPrivilegeToken
  Description: Token: SeDebugPrivilege
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\nvz0g1.ps1

Network

N/A (no network activity was recorded in the Windows 7 run; no child process and no Quasar signature fired here either, so the payload stage was only reached in behavioral2 below)

Files

All dumps belong to PID 1172, the powershell.exe process above; there is no injection target in this run.

  memory/1172-54-0x000007FEFB5C1000-0x000007FEFB5C3000-memory.dmp
  memory/1172-55-0x000007FEF43B0000-0x000007FEF4DD3000-memory.dmp
  memory/1172-56-0x000007FEF3850000-0x000007FEF43AD000-memory.dmp
  memory/1172-57-0x0000000002574000-0x0000000002577000-memory.dmp
  memory/1172-58-0x000000001B730000-0x000000001BA2F000-memory.dmp
  memory/1172-59-0x0000000002574000-0x0000000002577000-memory.dmp
  memory/1172-60-0x000000000257B000-0x000000000259A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-01-17 02:18
Reported: 2023-01-17 02:21
Platform: win10v2004-20220901-en
Max time kernel: 148s
Max time network: 153s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\nvz0g1.ps1

Signatures

Quasar RAT
  Tags: trojan, spyware, quasar

Quasar payload
  Two matches; the report records no description, indicator, process or target for them.

Suspicious use of SetThreadContext
  Description: PID 1652 set thread context of 1332
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1652)
  Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1332)
  powershell.exe starts RegAsm.exe with no arguments and then rewrites its thread context. Read together with the WriteProcessMemory signature in the overview and the 0x47E7AE mapping dump that falls inside the 0x400000-0x484000 image region of PID 1332 (see Files), this is consistent with the Quasar payload being written into the RegAsm.exe process and execution being redirected to it, rather than RegAsm.exe doing any legitimate assembly registration.

Suspicious behavior: EnumeratesProcesses
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (two matches)

Suspicious use of AdjustPrivilegeToken
  Description: Token: SeDebugPrivilege
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Description: Token: SeDebugPrivilege
  Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of SetWindowsHookEx
  Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1652)

  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\nvz0g1.ps1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1332, child of 1652, no arguments)

  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
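The process tree above (PowerShell with the execution policy bypassed, spawning RegAsm.exe with an empty command line, then calling SetThreadContext on it) is the part of this run a detection engineer would want to turn into a rule. The following is an added example for this report, not sandbox output or vendor tooling: it runs a simple process-tree heuristic over constructed event records modelled on behavioral2 plus one benign control case (a legitimate RegAsm.exe invocation with arguments). The event field names and the list of .NET host binaries are the author's assumptions, not any telemetry schema.

```python
"""Process-tree heuristic: PowerShell spawns a .NET utility with no arguments
and then sets its thread context (the pattern recorded in behavioral2).
Added example; events are constructed, field names are an assumption."""
import re
from dataclasses import dataclass
from typing import Optional

# .NET-shipped binaries commonly abused as hosts for an injected payload.
# RegAsm.exe is the one seen in this report; the rest are an assumption.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


@dataclass(frozen=True)
class Event:
    kind: str                        # "process_create" | "set_thread_context"
    pid: int
    ppid: Optional[int] = None
    image: str = ""
    cmdline: str = ""
    target_pid: Optional[int] = None  # only meaningful for set_thread_context


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_no_arguments(cmdline: str) -> bool:
    """True when the command line is only the (optionally quoted) image path."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m is not None and m.group(1).strip() == ""


def policy_bypassed(cmdline: str) -> bool:
    # PowerShell accepts unambiguous parameter prefixes, so -ep / -ex / -exec
    # all mean -ExecutionPolicy; match those followed by bypass/unrestricted.
    return re.search(r"-e(?:p|x[a-z]*)\s+(?:bypass|unrestricted)", cmdline, re.I) is not None


def detect(events):
    """Return one alert per .NET host child of powershell.exe started without
    arguments; 'high' if the parent also rewrote the child's thread context."""
    procs = {e.pid: e for e in events if e.kind == "process_create"}
    ctx_writes = {(e.pid, e.target_pid) for e in events if e.kind == "set_thread_context"}
    alerts = []
    for child in procs.values():
        parent = procs.get(child.ppid)
        if parent is None or basename(parent.image) != "powershell.exe":
            continue
        if basename(child.image) not in HOLLOW_HOSTS or not has_no_arguments(child.cmdline):
            continue
        severity = "high" if (parent.pid, child.pid) in ctx_writes else "medium"
        alerts.append({
            "severity": severity,
            "parent_pid": parent.pid,
            "target_pid": child.pid,
            "host": basename(child.image),
            "execution_policy_bypassed": policy_bypassed(parent.cmdline),
        })
    return alerts


# Constructed events: PIDs, images and command lines taken from behavioral2,
# followed by a benign RegAsm.exe run (with arguments) as a control case.
EVENTS = [
    Event("process_create", 1652, ppid=1000,
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\nvz0g1.ps1"),
    Event("process_create", 1332, ppid=1652,
          image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
          cmdline=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    Event("set_thread_context", 1652, target_pid=1332),
    Event("process_create", 2000, ppid=1000,
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r"powershell.exe -File C:\scripts\backup.ps1"),
    Event("process_create", 2001, ppid=2000,
          image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
          cmdline=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" C:\build\MyComponent.dll /codebase'),
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Only the behavioral2 pair (1652 -> 1332) is reported; the control RegAsm.exe run is skipped because it carries real arguments. The empty-command-line check is what keeps the rule quiet on build machines, where RegAsm.exe is invoked legitimately but always with an assembly path.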

Network

Summary: 25 TCP connections to 95.216.102.32:4782 (ghcc.duckdns.org), preceded by three DNS lookups of ghcc.duckdns.org through 8.8.8.8. That host is the Quasar C2: 4782 is Quasar's default listening port and duckdns.org is a free dynamic-DNS service, so the domain rather than the IP is the durable indicator. The four connections to 8.238.110.126:80 and the one to 13.89.179.10:443 carry no domain in the report and are not tied to the RAT by any signature here; treat them as unattributed rather than adding them to a block list.

Country  Destination          Domain            Proto
N/A      8.8.8.8:53           ghcc.duckdns.org  udp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      8.238.110.126:80     -                 tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      13.89.179.10:443     -                 tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      8.238.110.126:80     -                 tcp
N/A      8.238.110.126:80     -                 tcp
N/A      8.238.110.126:80     -                 tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      8.8.8.8:53           ghcc.duckdns.org  udp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      8.8.8.8:53           ghcc.duckdns.org  udp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
N/A      95.216.102.32:4782   ghcc.duckdns.org  tcp
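The network table mixes the C2 channel with resolver traffic and a few unattributed connections, and the distinction matters when the rows are turned into block-list entries. The following is an added example for this report, not part of the sandbox's output: it parses the 33 rows exactly as listed above, aggregates them per destination, labels each destination, and emits only the C2 entries as IOCs. The labelling rules (Quasar's default port 4782, the duckdns.org dynamic-DNS suffix, 8.8.8.8 as a public resolver) are the author's heuristics; the DDNS suffix list is deliberately minimal and is an assumption to be extended.

```python
"""Turn the behavioral2 Network table into per-destination findings and IOCs.
Added example; REPORT_ROWS is the table above, the rules are heuristics."""
import re
from collections import defaultdict

# The 33 rows of the Network table, copied verbatim (domain column may be empty).
REPORT_ROWS = """\
N/A 8.8.8.8:53 ghcc.duckdns.org udp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 8.238.110.126:80 tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 13.89.179.10:443 tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 8.238.110.126:80 tcp
N/A 8.238.110.126:80 tcp
N/A 8.238.110.126:80 tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 8.8.8.8:53 ghcc.duckdns.org udp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 8.8.8.8:53 ghcc.duckdns.org udp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
N/A 95.216.102.32:4782 ghcc.duckdns.org tcp
"""

# country, ip:port, optional domain, proto. The domain group requires a dot so
# that a bare "tcp"/"udp" is never mistaken for a domain on domain-less rows.
ROW = re.compile(r"^(?P<country>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                 r"(?:\s+(?P<domain>[A-Za-z0-9.-]+\.[A-Za-z]{2,}))?\s+(?P<proto>tcp|udp)$")

QUASAR_DEFAULT_PORT = 4782           # Quasar's default listening port
DDNS_SUFFIXES = (".duckdns.org",)    # assumption: extend with other DDNS providers
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append({"ip": m["ip"], "port": int(m["port"]),
                     "domain": m["domain"], "proto": m["proto"]})
    return rows


def summarize(rows):
    """(ip, port, proto) -> {"count": n, "domains": set()}"""
    out = defaultdict(lambda: {"count": 0, "domains": set()})
    for r in rows:
        key = (r["ip"], r["port"], r["proto"])
        out[key]["count"] += 1
        if r["domain"]:
            out[key]["domains"].add(r["domain"])
    return dict(out)


def classify(summary):
    """Label each destination; sorted by connection count, busiest first."""
    findings = []
    for (ip, port, proto), info in summary.items():
        domains = info["domains"]
        if proto == "udp" and port == 53:
            label = "dns-resolver" if ip in PUBLIC_RESOLVERS else "dns"
        elif domains and (port == QUASAR_DEFAULT_PORT
                          or any(d.endswith(s) for d in domains for s in DDNS_SUFFIXES)):
            label = "c2"
        elif not domains:
            label = "unattributed"   # no domain recorded, no signature ties it to the RAT
        else:
            label = "other"
        findings.append({"ip": ip, "port": port, "proto": proto, "count": info["count"],
                         "domains": sorted(domains), "label": label})
    return sorted(findings, key=lambda f: -f["count"])


def iocs(findings):
    """Block-list material: C2 entries only, never the resolver or unattributed hosts."""
    out = set()
    for f in findings:
        if f["label"] == "c2":
            out.add(("ip", f["ip"]))
            out.add(("port", f["port"]))
            out.update(("domain", d) for d in f["domains"])
    return out


if __name__ == "__main__":
    found = classify(summarize(parse_rows(REPORT_ROWS)))
    for f in found:
        print(f"{f['label']:13} {f['ip']}:{f['port']}/{f['proto']} x{f['count']} {f['domains']}")
    print(sorted(iocs(found)))
```

The parser raises on any row it cannot read rather than silently dropping it, so a changed export format is noticed instead of producing a short IOC list. The unattributed label is intentional: the two domain-less destinations in this report may well be sandbox or OS background traffic, and nothing on the page says otherwise, so they stay out of the IOC set until attributed.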

Files

PID 1652 is powershell.exe and PID 1332 is RegAsm.exe (see Processes). The 0x400000-0x484000 region of PID 1332 is the image base of the injected code, and the 0x47E7AE mapping dump lies inside it; that region and the 0x47E7AE address are where to look for the Quasar payload.

  memory/1652-132-0x000002565F710000-0x000002565F732000-memory.dmp
  memory/1652-133-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp
  memory/1332-134-0x0000000000400000-0x0000000000484000-memory.dmp
  memory/1332-135-0x000000000047E7AE-mapping.dmp
  memory/1652-136-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp
  memory/1332-137-0x00000000058D0000-0x0000000005E74000-memory.dmp
  memory/1332-138-0x0000000005320000-0x00000000053B2000-memory.dmp
  memory/1332-139-0x0000000005250000-0x000000000525A000-memory.dmp
  memory/1332-140-0x00000000064A0000-0x0000000006AB8000-memory.dmp
  memory/1332-141-0x00000000057A0000-0x00000000057F0000-memory.dmp
  memory/1332-142-0x0000000005FC0000-0x0000000006072000-memory.dmp