quasar | 616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1

Analysis

max time kernel
141s
max time network
142s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
30-01-2025 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe
Size

2.6MB
MD5

6416961fe33e1461e8f5c455c2cf0ec9
SHA1

190754691dffb4d873bd32f48722d150d338f51d
SHA256

616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1
SHA512

8fe2fa84a62cf92d1136110e0b39bfb7f07646816ff9d9944a0d8523d26d2f2d46653ec2a9f1153fac6b3c585e0f742753959d496cab1f5a62c761dd0db1fc18
SSDEEP

49152:Ux8Gt7KDrJd8spKaFxZWVAItl6dXg84Hk6BOUjbqmQnN/DAP8khk2d4zV:C974P57k6dQ8bIO2uN/DAP8khkj

Score

10^/10

quasar 1 discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

87.228.57.81:4782

Mutex

f832b3aa-9229-4dd0-81ec-c101146b1831

Attributes

encryption_key
19A0FAF8459F69650B5965C225752D425C429EEC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2972-72-0x000000001BA00000-0x000000001BD24000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
1256	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp
2544	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp

Loads dropped DLL 10 IoCs

pid	Process
2124	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe
1256	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp
1256	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp
1256	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp
2020	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe
2544	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp
2544	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp
2544	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp
2936	regsvr32.exe
2972	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to execute payload.

execution

PowerShell

T1059.001

pid	Process
2824	powershell.exe
2740	powershell.exe
2740	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2544	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp
2544	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp
2972	regsvr32.exe
2824	powershell.exe
2740	powershell.exe
2972	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2972	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2544	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp
2972	regsvr32.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2972	regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2972	regsvr32.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1256	2124	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe	30
PID 2124 wrote to memory of 1256	2124	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe	30
PID 2124 wrote to memory of 1256	2124	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe	30
PID 2124 wrote to memory of 1256	2124	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe	30
PID 2124 wrote to memory of 1256	2124	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe	30
PID 2124 wrote to memory of 1256	2124	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe	30
PID 2124 wrote to memory of 1256	2124	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe	30
PID 1256 wrote to memory of 2020	1256	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp	31
PID 1256 wrote to memory of 2020	1256	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp	31
PID 1256 wrote to memory of 2020	1256	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp	31
PID 1256 wrote to memory of 2020	1256	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp	31
PID 1256 wrote to memory of 2020	1256	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp	31
PID 1256 wrote to memory of 2020	1256	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp	31
PID 1256 wrote to memory of 2020	1256	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp	31
PID 2020 wrote to memory of 2544	2020	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe	32
PID 2020 wrote to memory of 2544	2020	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe	32
PID 2020 wrote to memory of 2544	2020	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe	32
PID 2020 wrote to memory of 2544	2020	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe	32
PID 2020 wrote to memory of 2544	2020	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe	32
PID 2020 wrote to memory of 2544	2020	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe	32
PID 2020 wrote to memory of 2544	2020	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe	32
PID 2544 wrote to memory of 2936	2544	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp	33
PID 2544 wrote to memory of 2936	2544	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp	33
PID 2544 wrote to memory of 2936	2544	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp	33
PID 2544 wrote to memory of 2936	2544	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp	33
PID 2544 wrote to memory of 2936	2544	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp	33
PID 2544 wrote to memory of 2936	2544	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp	33
PID 2544 wrote to memory of 2936	2544	616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp	33
PID 2936 wrote to memory of 2972	2936	regsvr32.exe	34
PID 2936 wrote to memory of 2972	2936	regsvr32.exe	34
PID 2936 wrote to memory of 2972	2936	regsvr32.exe	34
PID 2936 wrote to memory of 2972	2936	regsvr32.exe	34
PID 2936 wrote to memory of 2972	2936	regsvr32.exe	34
PID 2936 wrote to memory of 2972	2936	regsvr32.exe	34
PID 2936 wrote to memory of 2972	2936	regsvr32.exe	34
PID 2972 wrote to memory of 2824	2972	regsvr32.exe	35
PID 2972 wrote to memory of 2824	2972	regsvr32.exe	35
PID 2972 wrote to memory of 2824	2972	regsvr32.exe	35
PID 2972 wrote to memory of 2740	2972	regsvr32.exe	38
PID 2972 wrote to memory of 2740	2972	regsvr32.exe	38
PID 2972 wrote to memory of 2740	2972	regsvr32.exe	38

C:\Users\Admin\AppData\Local\Temp\616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe
"C:\Users\Admin\AppData\Local\Temp\616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\is-RU98B.tmp\616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RU98B.tmp\616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp" /SL5="$400CC,2299112,208384,C:\Users\Admin\AppData\Local\Temp\616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Users\Admin\AppData\Local\Temp\616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe
    "C:\Users\Admin\AppData\Local\Temp\616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\is-2CRQT.tmp\616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2CRQT.tmp\616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp" /SL5="$40232,2299112,208384,C:\Users\Admin\AppData\Local\Temp\616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\8dnsapi_5.drv"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\system32\regsvr32.exe
        
        /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\8dnsapi_5.drv"
        6⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv' }) { exit 0 } else { exit 1 }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8A3D0808-AF60-4749-E6C5-A8C2A64F8029}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv

Filesize
4.1MB

MD5
6fb91b9f96c8a0f6e20e75377152363a

SHA1
be3ed35dee6b517b9e846bc431197c2d6239f8e1

SHA256
be67966b82dcb5e838095d0ebcccbc854b6eae9d6ac30329457019f2d7d119ae

SHA512
da994e4ee32aee52d98d21ab69887d94efe186d9e0a34b2cc09e0da949fb25a10de464136c305a66c332457d876e5e6ce2acaf6c4f1ba00f7e6345cdda030996

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c1a8044baac50e9b5d6d4c3536de8d6a

SHA1
cabf91cbffeac7fb94ed669b74320489f109483e

SHA256
e8585bc6d37536d71377048f588e5a3d667a7f13b0ee0f85301c5b83d79f8e76

SHA512
c09dbc7af1665378c69dfffa1610f39d0fa2f1b07f028c150ba5fddda77080ce96f2f9ecb33872b67042272fa2ef5a7bae34a6f323c9c258438c6a118aecb998

Download Submit
\Users\Admin\AppData\Local\Temp\is-4NFSH.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-4NFSH.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RU98B.tmp\616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1.tmp

Filesize
1.2MB

MD5
1db83d1bc949e72509f0e752316ec5d0

SHA1
154d7bd59581ea106d8a02586feaf5c38f806d39

SHA256
57c68e06bd351b2fde4f25f04c89fc265c0c3ce3184fb0caca3410b6eac04a49

SHA512
ff0eba3e3a9407107d2e5875d4369be68c1f1f43144aea8c9b530824f3b9c837705ecd0c7d94bbaadfa59bb273b7e59392bef3d9aaf643353e4b935f8745d4b2

Download Submit
memory/1256-8-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1256-24-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2020-53-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2020-21-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2020-25-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2124-28-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2124-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2124-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2544-51-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2740-69-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2740-70-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/2824-61-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2824-62-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download
memory/2972-72-0x000000001BA00000-0x000000001BD24000-memory.dmp

Filesize
3.1MB

Download
memory/2972-73-0x000007FEF6080000-0x000007FEF6481000-memory.dmp

Filesize
4.0MB

Download