hxxps://github[.]com/quasar/Quasar[.]git

Resubmissions

21/03/2025, 22:07

250321-11tpqavnz6 10

21/03/2025, 22:06

250321-1z4tasvnw8 6

21/03/2025, 22:02

250321-1x5b2s1vcx 10

Analysis

max time kernel
29s
max time network
24s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
21/03/2025, 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/quasar/Quasar.git

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
13	camo.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133870684009553377"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1608	chrome.exe
1608	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe
Token: SeShutdownPrivilege	1608	chrome.exe
Token: SeCreatePagefilePrivilege	1608	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe
1608	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 5176	1608	chrome.exe	82
PID 1608 wrote to memory of 5176	1608	chrome.exe	82
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 4916	1608	chrome.exe	84
PID 1608 wrote to memory of 5044	1608	chrome.exe	85
PID 1608 wrote to memory of 5044	1608	chrome.exe	85
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86
PID 1608 wrote to memory of 5064	1608	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/quasar/Quasar.git
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabd30dcf8,0x7ffabd30dd04,0x7ffabd30dd10
  2⤵
  PID:5176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1908,i,11140992342054132298,18210980692518353602,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1452,i,11140992342054132298,18210980692518353602,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2276 /prefetch:11
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2352,i,11140992342054132298,18210980692518353602,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2324 /prefetch:13
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,11140992342054132298,18210980692518353602,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,11140992342054132298,18210980692518353602,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4244,i,11140992342054132298,18210980692518353602,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4260 /prefetch:9
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5116,i,11140992342054132298,18210980692518353602,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5140 /prefetch:14
  2⤵
  PID:2264

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\51789701-c904-445c-9bc3-d413cb7601e7.tmp

Filesize
11KB

MD5
2ab59a1f93d64d3ce2f6aa81e3b73ea5

SHA1
0556a4bd72ff3645226bee11b402a70663e339a3

SHA256
852ac7c4b2aa0fd2dc0163b4719ddbc261e463761270a6db3011dc7a9ea125ed

SHA512
5dfb0ea4ae858ba3f1f125c556c9da80c0d4be1020dd7f9f2f8c55aabfe00e5b8d9df87dbe4bdbcb310b808799edc0ce43d89350a50ed979a71ebd4e77fea220

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
46365b4228dfe626c56732be7a4f57b9

SHA1
aca5781ed3949f5c6277f3e0c7b8c060d283153e

SHA256
5bfdd080e88eb62d329c965ad669891d6d0a9bb84f8e594dc1edd3651779a1db

SHA512
7e4fcb2fbe7bc9f5c520e638ed3d7f3d6578330970769fddbbaaa8f924f4b42502ad384419941e4ed66975dd207832c7e57352ff613e815c9b0bd257cde193ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a953cb4beace6263b790855d354b0834

SHA1
16c27ed83e4bea58fc5dcc243f66aa6307abbf02

SHA256
bea7db5e65d250d9635dab9b7228bffac69b6aee077b0487a08e2f150d1f570b

SHA512
22a5357491a12936fed414425cd5ba32cab1812928eb927958bad80f9f8613cb2c722eb0b411d9cfd7fe5f8ba1b22934daa95d9c129e89702321d9bd3c285e61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0c4ee74392bcb9c2651fb89da5d6ea38

SHA1
3b0c059f0763113bc1f02ff5dcbc7ab421b9bb30

SHA256
271186f51c93e49b8e397d63570f77ed64355ad873c825457f56c4be696da869

SHA512
0c69717b1882b08f112a904faf5b582497a6ba83dceeb00e15c8522c1557dc55e25ee27713984c27e49a24c9d84606c6cb4edd41168ee16587e07a3402257080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a44efe8f612bb038896fa02c0b2ffd27

SHA1
de1ca1fafc1f66ef9bc85191aa6370d2cc6bb4e9

SHA256
27a6b48ead0074ed9a63a3b7b6ee4d2d4c401ff74bb0034782a2fbba306dc377

SHA512
c2c27d8c54a8ffa2492dd1bc0165719adfd76039146cd91304050517e375b9243ae2473993a3bcbb88373a053c5462c989479637764c7e93fa5d44d427fe4f38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b0e1.TMP

Filesize
48B

MD5
0aa92a5c05b63ad7aefa0722cb6fe668

SHA1
c4284e8ae73fc450eb8ca164a7adac5cee8bbcaf

SHA256
75210d1d698116e54e07cc1cbcf76958829c4f286eb5f200ba6d7a6003486c58

SHA512
fc32361929941e9332908f09fbbb852ae136f116e3601e0dfd245ff403a8b8d4aa38484baf087bded573696194e972ac456d790b4a521aa030f02bc1ee397ccc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
9dcc4aa75c4017958d52373a98f819d8

SHA1
0d9289230c68d6d876d680321e2ae2d6b47c1480

SHA256
db0cda610f2cb4e622bd7e174ae6baff774130c604b252266d47fa023453bd92

SHA512
780419b56df207a81b781e49bead2f0bcb2ef3d7a7487c22b5c0a148a28079cb7dcab54553d774769a273debdcef9702927f2da6e81015be764e5e19494aa3d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
81aaca956d003d8fd2d908cdac8ac906

SHA1
15c13f50dacbeffba30fb833aeaa2c3d8d077b28

SHA256
957b178838f494fde4c40e9fd56359a7bbadf676c282aa67c9227d396a612429

SHA512
386f603d356e46db98646f02b63f28d741144c53590c3859cea76c43a628d47725483eca4f47f1669c4358af6ac554537047c1fc135f0b376f2ccb588e4861ad

Download Submit