Malware Analysis Report

2025-04-14 05:07

Sample ID 230119-vn4q9sgf67
Target ss.ps1
SHA256 6c1e62385d660ca43e024d461154fbb4805e429cdf7850d19510d7f69533739e
Tags
quasar office04 spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

6c1e62385d660ca43e024d461154fbb4805e429cdf7850d19510d7f69533739e

Threat Level: Known bad

The file ss.ps1 was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware stealer trojan

Quasar payload

Quasar RAT

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-19 17:09

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-19 17:09

Reported

2023-01-19 17:11

Platform

win10v2004-20221111-en

Max time kernel

117s

Max time network

145s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ss.ps1

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 detections; no description, indicator, process or target recorded)

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A (2 events)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1300 set thread context of 364 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (2 events)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1300 wrote to memory of 364 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (8 events)
PID 364 wrote to memory of 3384 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\schtasks.exe (3 events)

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ss.ps1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | ghcc.duckdns.org | udp
N/A | 95.216.102.32:4782 | ghcc.duckdns.org | tcp
N/A | 8.8.8.8:53 | tools.keycdn.com | udp
N/A | 185.172.148.96:443 | tools.keycdn.com | tcp
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 64.185.227.155:443 | api.ipify.org | tcp
N/A | 20.189.173.15:443 | | tcp
N/A | 93.184.221.240:80 | | tcp

Files

memory/1300-132-0x000002C6E8BD0000-0x000002C6E8BF2000-memory.dmp

memory/1300-133-0x00007FF99F040000-0x00007FF99FB01000-memory.dmp

memory/364-135-0x000000000047E74E-mapping.dmp

memory/1300-136-0x00007FF99F040000-0x00007FF99FB01000-memory.dmp

memory/364-137-0x0000000000710000-0x0000000000794000-memory.dmp

memory/364-138-0x0000000005220000-0x00000000057C4000-memory.dmp

memory/364-139-0x0000000004C70000-0x0000000004D02000-memory.dmp

memory/364-140-0x0000000004C50000-0x0000000004C5A000-memory.dmp

memory/3384-141-0x0000000000000000-mapping.dmp

memory/364-142-0x00000000060F0000-0x0000000006708000-memory.dmp

memory/364-143-0x0000000005B20000-0x0000000005B70000-memory.dmp

memory/364-144-0x0000000005D90000-0x0000000005E42000-memory.dmp

memory/364-145-0x0000000007040000-0x00000000070A6000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-19 17:09

Reported

2023-01-19 17:11

Platform

win7-20221111-en

Max time kernel

30s

Max time network

33s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ss.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ss.ps1

Network

N/A

Files

memory/1936-54-0x000007FEFC461000-0x000007FEFC463000-memory.dmp

memory/1936-55-0x000007FEF4120000-0x000007FEF4B43000-memory.dmp

memory/1936-56-0x000007FEF35C0000-0x000007FEF411D000-memory.dmp

memory/1936-57-0x0000000002054000-0x0000000002057000-memory.dmp

memory/1936-58-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

memory/1936-59-0x000000000205B000-0x000000000207A000-memory.dmp

memory/1936-60-0x0000000002054000-0x0000000002057000-memory.dmp

memory/1936-61-0x000000000205B000-0x000000000207A000-memory.dmp