quasar | 854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
Size

3.1MB
MD5

051bfba0c640694d241f6b3621e241b6
SHA1

a5269b7485203914af50cb932d952c10440878c9
SHA256

854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09
SHA512

bdfea5dfca423c4d66de1c9f435a1c0403b8615a0b7627fff665876fa2da48e8914cc2961ca9e66b7d32d2bc4004354e5e932297a479fcc90d495327d14577dc
SSDEEP

49152:AvKgo2QSaNpzyPllgamb0CZof/JDj5RbR4jRoGdMOAuTHHB72eh2NT:Avjo2QSaNpzyPllgamYCZof/JDj5wFc

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

2464c7bf-a165-4397-85fe-def5290750b0

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/2160-1-0x0000000000C10000-0x0000000000F34000-memory.dmp	family_quasar
behavioral1/memory/1760-24-0x0000000000CE0000-0x0000000001004000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1052	PING.EXE
2376	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1052	PING.EXE
2376	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	schtasks.exe
1340	schtasks.exe
2500	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
Token: SeDebugPrivilege	888	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
Token: SeDebugPrivilege	1760	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2160	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
888	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
1760	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2612	2160	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	30
PID 2160 wrote to memory of 2612	2160	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	30
PID 2160 wrote to memory of 2612	2160	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	30
PID 2160 wrote to memory of 2708	2160	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	33
PID 2160 wrote to memory of 2708	2160	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	33
PID 2160 wrote to memory of 2708	2160	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	33
PID 2708 wrote to memory of 2344	2708	cmd.exe	35
PID 2708 wrote to memory of 2344	2708	cmd.exe	35
PID 2708 wrote to memory of 2344	2708	cmd.exe	35
PID 2708 wrote to memory of 1052	2708	cmd.exe	36
PID 2708 wrote to memory of 1052	2708	cmd.exe	36
PID 2708 wrote to memory of 1052	2708	cmd.exe	36
PID 2708 wrote to memory of 888	2708	cmd.exe	37
PID 2708 wrote to memory of 888	2708	cmd.exe	37
PID 2708 wrote to memory of 888	2708	cmd.exe	37
PID 888 wrote to memory of 1340	888	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	38
PID 888 wrote to memory of 1340	888	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	38
PID 888 wrote to memory of 1340	888	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	38
PID 888 wrote to memory of 1884	888	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	40
PID 888 wrote to memory of 1884	888	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	40
PID 888 wrote to memory of 1884	888	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	40
PID 1884 wrote to memory of 2212	1884	cmd.exe	42
PID 1884 wrote to memory of 2212	1884	cmd.exe	42
PID 1884 wrote to memory of 2212	1884	cmd.exe	42
PID 1884 wrote to memory of 2376	1884	cmd.exe	43
PID 1884 wrote to memory of 2376	1884	cmd.exe	43
PID 1884 wrote to memory of 2376	1884	cmd.exe	43
PID 1884 wrote to memory of 1760	1884	cmd.exe	44
PID 1884 wrote to memory of 1760	1884	cmd.exe	44
PID 1884 wrote to memory of 1760	1884	cmd.exe	44
PID 1760 wrote to memory of 2500	1760	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	45
PID 1760 wrote to memory of 2500	1760	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	45
PID 1760 wrote to memory of 2500	1760	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
"C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2612
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\bm98KahXWxhT.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2344
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1052
- - C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
    "C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1340
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\s3OEJs7Dovm2.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1884
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2212
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2376
    - - C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
        
        "C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1760
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bm98KahXWxhT.bat

Filesize
261B

MD5
893494ee6651dc30fd9a6d80b3bde3b0

SHA1
4223e878b98fa0b592947ef861897d7cfd54b700

SHA256
5892ee64f6c9254d3cdd0c5a63803e081b5263c93f486631d527c8a6793e025d

SHA512
8d53377bd050dba2f851ef812ffaf64395e642ee3ee5176129b40c771622a59f8ad1d747a4938649b68c51fd98e106409467d0a0e1361db050c95d3601136d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\s3OEJs7Dovm2.bat

Filesize
261B

MD5
db3709cb7f0ef5152a0d7454ff8587fe

SHA1
43dd01640091892986c83fad529acc81007208c4

SHA256
eb01d7555dc29c1286dd391d1d97e9c99006c53c3c51a463e902c6041620dc7f

SHA512
d6f4f9a6ebfe2e399055a887c7c2f7c8171d6bc7e7ec21a678393f62d64e67bd9665f8e4da0ee298e1ea874736241d3d56186a1c98cd984d30416ffc6df2c26d

Download Submit
memory/1760-24-0x0000000000CE0000-0x0000000001004000-memory.dmp

Filesize
3.1MB

Download
memory/2160-0-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

Filesize
4KB

Download
memory/2160-1-0x0000000000C10000-0x0000000000F34000-memory.dmp

Filesize
3.1MB

Download
memory/2160-2-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2160-3-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

Filesize
4KB

Download
memory/2160-4-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2160-13-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads