quasar | 854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09

Analysis

max time kernel
148s
max time network
143s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
Size

3.1MB
MD5

051bfba0c640694d241f6b3621e241b6
SHA1

a5269b7485203914af50cb932d952c10440878c9
SHA256

854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09
SHA512

bdfea5dfca423c4d66de1c9f435a1c0403b8615a0b7627fff665876fa2da48e8914cc2961ca9e66b7d32d2bc4004354e5e932297a479fcc90d495327d14577dc
SSDEEP

49152:AvKgo2QSaNpzyPllgamb0CZof/JDj5RbR4jRoGdMOAuTHHB72eh2NT:Avjo2QSaNpzyPllgamYCZof/JDj5wFc

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

2464c7bf-a165-4397-85fe-def5290750b0

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2256-1-0x00000000011D0000-0x00000000014F4000-memory.dmp	family_quasar
behavioral1/memory/2200-15-0x00000000013C0000-0x00000000016E4000-memory.dmp	family_quasar
behavioral1/memory/2220-25-0x0000000000070000-0x0000000000394000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2596	PING.EXE
2420	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2596	PING.EXE
2420	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2716	schtasks.exe
1576	schtasks.exe
2580	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
Token: SeDebugPrivilege	2200	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
Token: SeDebugPrivilege	2220	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2256	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
2200	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
2220	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2716	2256	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	30
PID 2256 wrote to memory of 2716	2256	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	30
PID 2256 wrote to memory of 2716	2256	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	30
PID 2256 wrote to memory of 2796	2256	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	32
PID 2256 wrote to memory of 2796	2256	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	32
PID 2256 wrote to memory of 2796	2256	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	32
PID 2796 wrote to memory of 2900	2796	cmd.exe	34
PID 2796 wrote to memory of 2900	2796	cmd.exe	34
PID 2796 wrote to memory of 2900	2796	cmd.exe	34
PID 2796 wrote to memory of 2596	2796	cmd.exe	35
PID 2796 wrote to memory of 2596	2796	cmd.exe	35
PID 2796 wrote to memory of 2596	2796	cmd.exe	35
PID 2796 wrote to memory of 2200	2796	cmd.exe	36
PID 2796 wrote to memory of 2200	2796	cmd.exe	36
PID 2796 wrote to memory of 2200	2796	cmd.exe	36
PID 2200 wrote to memory of 1576	2200	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	37
PID 2200 wrote to memory of 1576	2200	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	37
PID 2200 wrote to memory of 1576	2200	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	37
PID 2200 wrote to memory of 1168	2200	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	39
PID 2200 wrote to memory of 1168	2200	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	39
PID 2200 wrote to memory of 1168	2200	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	39
PID 1168 wrote to memory of 2208	1168	cmd.exe	41
PID 1168 wrote to memory of 2208	1168	cmd.exe	41
PID 1168 wrote to memory of 2208	1168	cmd.exe	41
PID 1168 wrote to memory of 2420	1168	cmd.exe	42
PID 1168 wrote to memory of 2420	1168	cmd.exe	42
PID 1168 wrote to memory of 2420	1168	cmd.exe	42
PID 1168 wrote to memory of 2220	1168	cmd.exe	43
PID 1168 wrote to memory of 2220	1168	cmd.exe	43
PID 1168 wrote to memory of 2220	1168	cmd.exe	43
PID 2220 wrote to memory of 2580	2220	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	44
PID 2220 wrote to memory of 2580	2220	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	44
PID 2220 wrote to memory of 2580	2220	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
"C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2716
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5cZRDXu19SdL.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2900
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2596
- - C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
    "C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1576
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\zXfoeIBMb8ak.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2208
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2420
    - - C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
        
        "C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2220
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5cZRDXu19SdL.bat

Filesize
261B

MD5
4e1a3c2f475c53259fea181dfcf96464

SHA1
8d25f31f9e78d30b114a74ec04d87dc65a07999c

SHA256
2d7da8cc1f84e607b97934662a481ea579449cd25c809b0e83a726d06a651bcf

SHA512
e9b71bca8abd0c7fd4a83aa58038065e3fda31535d702245ea376886562abfcc021fba89684d30c4afbb22e86aa395d60089cd8f58a4c9820be337046d4cad61

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXfoeIBMb8ak.bat

Filesize
261B

MD5
87673a8f968fbe56dbbb0a532ca4cd03

SHA1
fd31db082480da904a5177337445f464758b0ae3

SHA256
c4df8b92a8db8972f8490aea91e423031f259ebc11c8763dea355e2796e0215f

SHA512
0a099bc57ec446fa1d397d136360d0bc3fa49ee9eaa6275dac8f73b4b7d4f33ae1e0ce39cbf4cd9beada9397b7eeaa71da9327885e95be88c4e5ef27e0a87031

Download Submit
memory/2200-15-0x00000000013C0000-0x00000000016E4000-memory.dmp

Filesize
3.1MB

Download
memory/2220-25-0x0000000000070000-0x0000000000394000-memory.dmp

Filesize
3.1MB

Download
memory/2256-0-0x000007FEF5163000-0x000007FEF5164000-memory.dmp

Filesize
4KB

Download
memory/2256-1-0x00000000011D0000-0x00000000014F4000-memory.dmp

Filesize
3.1MB

Download
memory/2256-2-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2256-3-0x000007FEF5163000-0x000007FEF5164000-memory.dmp

Filesize
4KB

Download
memory/2256-4-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2256-14-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads