Overview

overview

10

Static

static

1

RUN_ME.bat

windows11-21h2-x64

10

RUN_ME.bat

ubuntu-24.04-amd64

Analysis

  • max time kernel
    148s
  • max time network
    143s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19/04/2025, 21:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RUN_ME.bat

  • Size

    5KB

  • MD5

    d0fb2b898127e72c285d6478c0989d69

  • SHA1

    021ed2c902029ed393052e42351086db991c3ebd

  • SHA256

    2e1e9dc2fa7ba5b2c74933c6d6d7a1ba9c131e8ac53bddf816ab45a24b30f2c9

  • SHA512

    e8dfcf4dd115d187a2c2e3e8b59865d51bcbfb53f1de9906ae893ceb7d3bd2576f43f16ac974d7af371e4cd525f80038c1f7cdd0206f9cc0c17e73dba9c535f4

  • SSDEEP

    96:/XqD95VsQtOJQR1a+MKTADqW7ymLElrbefZ0NdSD4+q0:/XqD/V0QR1a+MYADqW2mLcbef6S8K

Score
10/10
quasarexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    5000

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RUN_ME.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "iex ((Get-Content 'C:\Users\Admin\AppData\Local\Temp\RUN_ME.bat') -join [Environment]::Newline); iex 'main '"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Users\Admin\AppData\Roaming\Pulsar\Pulsar.exe
        "C:\Users\Admin\AppData\Roaming\Pulsar\Pulsar.exe"
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3740
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe" /select, "C:\Users\Admin\AppData\Roaming\Pulsar\Pulsar.p12"
          4⤵
            PID:4080
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2192
      • C:\Users\Admin\Downloads\Client-built.exe
        "C:\Users\Admin\Downloads\Client-built.exe"
        2⤵
          PID:2492
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:4884

        Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p0hhy1uh.qde.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Pulsar\Pulsar.exe
          Filesize

          5.2MB

          MD5

          0274629d862fb065ecc7d90b48ec4259

          SHA1

          273513efef0806e045df3ed1f07f3ace880f9162

          SHA256

          84dd1924dbbcd76bccceb5c7c1315ee881db60444e0bfacc4fa56fab90f8bbe2

          SHA512

          10f60061739738563b49373a3d1faa7e157891e76227e8ce01ea3abbea11b848acfb543f21702d94bfa0f8a3a949a5df841fb3b8f21f18794d629c2dc20b91ce

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Pulsar\Pulsar.p12
          Filesize

          4KB

          MD5

          51e6faca66b6261e4c9f0bf659cc1981

          SHA1

          3e54e9d0564c10bbb7c051b084de2940c711d314

          SHA256

          89d042c1609a1edb1901fe4ecd724277bff481be0b2afc818600126d6861a802

          SHA512

          0e5c15fd2a9fcdcf880fc0d77c91bb3dad316a4a1c625acbe120d46d57dd7a030ffef480c696edbec9b065859c062c44fdc33ee130284f543fa87b35f8c35dff

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Pulsar\client.bin
          Filesize

          1.5MB

          MD5

          015667f5caa51910369a642ca49d6387

          SHA1

          19904811cc3d746ccdea0d055f4fe4d0c9b24182

          SHA256

          93a0ae9059cad5f06258e1f22f1aed4d827c9504886ac7a971860f6c91724c16

          SHA512

          9d22a54f8d621f5d4446c8524ed007dd6df5a3ca6c2dddc4102fc1ed5875f88fde8e81c1b1e0d2643c439ed891123e4bb758854d723cd78bed513c595075d24a

          Download Submit

        • C:\Users\Admin\Downloads\Client-built.exe
          Filesize

          1.9MB

          MD5

          4b04acb074fc179947a6eeab9603a4e8

          SHA1

          5f76885ead4dbfaf83c65c391a6a0ca1086ec67a

          SHA256

          72d2545e03fed8624ff098eb2c55f8879741172d58eff9125baf9ef552ead627

          SHA512

          4fea2a7cd6da96e0182222a94de18ab1c987a274db61c1c8d1bd42ab154b4ea2d0e9b144b6e0555ddfb5532d2856a35b0821a285f7c2939e18e236163a7a397c

          Download Submit

        • memory/2860-32-0x00007FF87B903000-0x00007FF87B905000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2860-9-0x0000017D55920000-0x0000017D55942000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2860-10-0x00007FF87B900000-0x00007FF87C3C2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2860-11-0x00007FF87B900000-0x00007FF87C3C2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2860-12-0x00007FF87B900000-0x00007FF87C3C2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2860-0-0x00007FF87B903000-0x00007FF87B905000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2860-33-0x00007FF87B900000-0x00007FF87C3C2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3740-34-0x000001ECBE040000-0x000001ECBE36E000-memory.dmp

          Filesize

          3.2MB

          Download

        • memory/3740-59-0x000001ECBDA20000-0x000001ECBDA38000-memory.dmp

          Filesize

          96KB

          Download

        • memory/3740-30-0x00007FF87B900000-0x00007FF87C3C2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3740-38-0x00007FF87B900000-0x00007FF87C3C2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3740-39-0x00007FF87B900000-0x00007FF87C3C2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3740-29-0x000001ECA17C0000-0x000001ECA17DA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3740-60-0x000001ECBF980000-0x000001ECBFAA6000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3740-31-0x000001ECBDDE0000-0x000001ECBDDFA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3740-61-0x000001ECBDFA0000-0x000001ECBDFF0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3740-62-0x000001ECBFB60000-0x000001ECBFC12000-memory.dmp

          Filesize

          712KB

          Download

        • memory/3740-63-0x000001ECBFAA0000-0x000001ECBFB50000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3740-64-0x000001ECBDF50000-0x000001ECBDF9E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/3740-67-0x000001ECC1F70000-0x000001ECC1FD0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/3740-28-0x00007FF87B900000-0x00007FF87C3C2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3740-68-0x000001ECBAEE0000-0x000001ECBAEFA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3740-27-0x000001EC9F590000-0x000001EC9FAC8000-memory.dmp

          Filesize

          5.2MB

          Download