Malware Analysis Report

2025-08-05 14:11

Sample ID 230816-gqjxzshh51
Target myproject.exe
SHA256 9d3b91e313cc1183cbc94c36a1aa0b50e5a2e2178293240e935d5626c4994db2
Tags: quasar clppso persistence spyware trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

9d3b91e313cc1183cbc94c36a1aa0b50e5a2e2178293240e935d5626c4994db2

Threat Level: Known bad

The file myproject.exe was found to be: Known bad.

Malicious Activity Summary

quasar clppso persistence spyware trojan

Quasar RAT

Quasar payload

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-16 06:00

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-16 06:00

Reported

2023-08-16 06:03

Platform

win7-20230712-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\myproject.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\AppData\\Roaming\\winrar.exe" | C:\Users\Admin\AppData\Local\Temp\myproject.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2472 set thread context of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2472 wrote to memory of 1624 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2472 wrote to memory of 748 (9 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\myproject.exe

"C:\Users\Admin\AppData\Local\Temp\myproject.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country | Destination | Domain | Proto
US | 5.249.163.32:4782 | | tcp

The above connection was recorded 33 times.

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-08-16 06:00

Reported

2023-08-16 06:03

Platform

win10v2004-20230703-en

Max time kernel

123s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\myproject.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\AppData\\Roaming\\winrar.exe" | C:\Users\Admin\AppData\Local\Temp\myproject.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3080 set thread context of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3080 wrote to memory of 3344 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3080 wrote to memory of 1208 (8 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\myproject.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\myproject.exe

"C:\Users\Admin\AppData\Local\Temp\myproject.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp
US | 5.249.163.32:4782 | | tcp
US | 8.8.8.8:53 | ipwho.is | udp
CA | 108.181.98.179:443 | ipwho.is | tcp
US | 8.8.8.8:53 | 32.163.249.5.in-addr.arpa | udp
US | 8.8.8.8:53 | 179.98.181.108.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp

Files
