quasar | 854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09

General

Target

854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
Size

3.1MB
MD5

051bfba0c640694d241f6b3621e241b6
SHA1

a5269b7485203914af50cb932d952c10440878c9
SHA256

854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09
SHA512

bdfea5dfca423c4d66de1c9f435a1c0403b8615a0b7627fff665876fa2da48e8914cc2961ca9e66b7d32d2bc4004354e5e932297a479fcc90d495327d14577dc
SSDEEP

49152:AvKgo2QSaNpzyPllgamb0CZof/JDj5RbR4jRoGdMOAuTHHB72eh2NT:Avjo2QSaNpzyPllgamYCZof/JDj5wFc

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

C2

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

2464c7bf-a165-4397-85fe-def5290750b0

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/344-1-0x00000000005D0000-0x00000000008F4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4540	PING.EXE
4368	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4540	PING.EXE
4368	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1868	schtasks.exe
2916	schtasks.exe
2340	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	344	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
Token: SeDebugPrivilege	3256	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
Token: SeDebugPrivilege	4272	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
344	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
3256	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
4272	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 1868	344	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	82
PID 344 wrote to memory of 1868	344	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	82
PID 344 wrote to memory of 2080	344	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	93
PID 344 wrote to memory of 2080	344	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	93
PID 2080 wrote to memory of 2964	2080	cmd.exe	95
PID 2080 wrote to memory of 2964	2080	cmd.exe	95
PID 2080 wrote to memory of 4540	2080	cmd.exe	96
PID 2080 wrote to memory of 4540	2080	cmd.exe	96
PID 2080 wrote to memory of 3256	2080	cmd.exe	97
PID 2080 wrote to memory of 3256	2080	cmd.exe	97
PID 3256 wrote to memory of 2916	3256	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	98
PID 3256 wrote to memory of 2916	3256	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	98
PID 3256 wrote to memory of 3704	3256	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	100
PID 3256 wrote to memory of 3704	3256	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	100
PID 3704 wrote to memory of 4496	3704	cmd.exe	102
PID 3704 wrote to memory of 4496	3704	cmd.exe	102
PID 3704 wrote to memory of 4368	3704	cmd.exe	103
PID 3704 wrote to memory of 4368	3704	cmd.exe	103
PID 3704 wrote to memory of 4272	3704	cmd.exe	104
PID 3704 wrote to memory of 4272	3704	cmd.exe	104
PID 4272 wrote to memory of 2340	4272	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	105
PID 4272 wrote to memory of 2340	4272	854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
"C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:344
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2m5hotXUC0ep.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2964
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4540
- - C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
    "C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C1DF27rk34Kn.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3704
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4496
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4368
    - - C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe
        
        "C:\Users\Admin\AppData\Local\Temp\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4272
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2m5hotXUC0ep.bat

Filesize
261B

MD5
d631caf98cb6961828d11e3b0b9d3391

SHA1
89e3727503359644b16d3686d2c0c82fd0462b6b

SHA256
0a79ab522e5b68a1064e7897acc4cde1f2b2500a57c2eabeb14fb532f085afee

SHA512
670346f6625b5338bd3485b0b3d193b2297a2f4dee38540772c786bf2f471da6a5de0035b7ed51926c549198b01f4836a6ede2c04406ef7400999ba65e3980b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1DF27rk34Kn.bat

Filesize
261B

MD5
1f4412731e3daa6f6fd2d545c535305a

SHA1
6e96a0bd70fed2c22b26fba2d888a8a153ab2446

SHA256
54c984654129fa6976bd33267a15d0722fa0f4cb9bc70b9d340a05991f8aac69

SHA512
05965f83e990021ffbfe1e477468fd1ee9c3d5f722ea5ff8971c46b1eb39f3f5a74d7c364d3a58bd5f14b371e5e5137b976c1c20e54e36762ef34a73582f4dca

Download Submit
memory/344-0-0x00007FFBA8E03000-0x00007FFBA8E05000-memory.dmp

Filesize
8KB

Download
memory/344-1-0x00000000005D0000-0x00000000008F4000-memory.dmp

Filesize
3.1MB

Download
memory/344-2-0x00007FFBA8E00000-0x00007FFBA98C1000-memory.dmp

Filesize
10.8MB

Download
memory/344-3-0x000000001D4D0000-0x000000001D520000-memory.dmp

Filesize
320KB

Download
memory/344-4-0x000000001D5E0000-0x000000001D692000-memory.dmp

Filesize
712KB

Download
memory/344-5-0x00007FFBA8E03000-0x00007FFBA8E05000-memory.dmp

Filesize
8KB

Download
memory/344-6-0x00007FFBA8E00000-0x00007FFBA98C1000-memory.dmp

Filesize
10.8MB

Download
memory/344-12-0x00007FFBA8E00000-0x00007FFBA98C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads